Key - AWS Payment Cryptography Control Plane
ContentsSee Also

Key

Metadata about an AWS Payment Cryptography key.

Contents

CreateTimestamp

The date and time when the key was created.

Type: Timestamp

Required: Yes

Enabled

Specifies whether the key is enabled.

Type: Boolean

Required: Yes

Exportable

Specifies whether the key is exportable. This data is immutable after the key is created.

Type: Boolean

Required: Yes

KeyArn

The Amazon Resource Name (ARN) of the key.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

Required: Yes

KeyAttributes

The role of the key, the algorithm it supports, and the cryptographic operations allowed with the key. This data is immutable after the key is created.

Type: KeyAttributes object

Required: Yes

KeyCheckValue

The key check value (KCV) is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

Required: Yes

KeyCheckValueAlgorithm

The algorithm that AWS Payment Cryptography uses to calculate the key check value (KCV). It is used to validate the key integrity.

For TDES keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with the key to be checked and retaining the 3 highest order bytes of the encrypted result. For AES keys, the KCV is computed using a CMAC algorithm where the input data is 16 bytes of zero and retaining the 3 highest order bytes of the encrypted result.

Type: String

Valid Values: CMAC | ANSI_X9_24

Required: Yes

KeyOrigin

The source of the key material. For keys created within AWS Payment Cryptography, the value is AWS_PAYMENT_CRYPTOGRAPHY. For keys imported into AWS Payment Cryptography, the value is EXTERNAL.

Type: String

Valid Values: EXTERNAL | AWS_PAYMENT_CRYPTOGRAPHY

Required: Yes

KeyState

The state of key that is being created or deleted.

Type: String

Valid Values: CREATE_IN_PROGRESS | CREATE_COMPLETE | DELETE_PENDING | DELETE_COMPLETE

Required: Yes

DeletePendingTimestamp

The date and time after which AWS Payment Cryptography will delete the key. This value is present only when KeyState is DELETE_PENDING and the key is scheduled for deletion.

Type: Timestamp

Required: No

DeleteTimestamp

The date and time after which AWS Payment Cryptography will delete the key. This value is present only when when the KeyState is DELETE_COMPLETE and the AWS Payment Cryptography key is deleted.

Type: Timestamp

Required: No

DeriveKeyUsage

The cryptographic usage of an ECDH derived key as deļ¬ned in section A.5.2 of the TR-31 spec.

Type: String

Valid Values: TR31_B0_BASE_DERIVATION_KEY | TR31_C0_CARD_VERIFICATION_KEY | TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY | TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS | TR31_E1_EMV_MKEY_CONFIDENTIALITY | TR31_E2_EMV_MKEY_INTEGRITY | TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS | TR31_E5_EMV_MKEY_CARD_PERSONALIZATION | TR31_E6_EMV_MKEY_OTHER | TR31_K0_KEY_ENCRYPTION_KEY | TR31_K1_KEY_BLOCK_PROTECTION_KEY | TR31_M3_ISO_9797_3_MAC_KEY | TR31_M1_ISO_9797_1_MAC_KEY | TR31_M6_ISO_9797_5_CMAC_KEY | TR31_M7_HMAC_KEY | TR31_P0_PIN_ENCRYPTION_KEY | TR31_P1_PIN_GENERATION_KEY | TR31_V1_IBM3624_PIN_VERIFICATION_KEY | TR31_V2_VISA_PIN_VERIFICATION_KEY

Required: No

UsageStartTimestamp

The date and time after which AWS Payment Cryptography will start using the key material for cryptographic operations.

Type: Timestamp

Required: No

UsageStopTimestamp

The date and time after which AWS Payment Cryptography will stop using the key material for cryptographic operations.

Type: Timestamp

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: