Keys - AWS Key Management Service

Keys

The following list defines the keys referenced in this document.

HBK

HSM backing key: HSM backing keys are 256-bit root keys from which specific-use keys (such as data encryption keys) are derived.

DK

Domain key: A domain key is a 256-bit AES-GCM key. It is shared among all the members of a domain and is used to protect HSM backing key material and HSM-service host session keys.

DKEK

Domain key encryption key: A domain key encryption key is an AES-256-GCM key generated on a host and used to encrypt the current set of domain keys when synchronizing domain state across the HSM hosts.

(dHAK,QHAK)

HSM agreement key pair: Every initiated HSM has a locally generated Elliptic Curve Diffie-Hellman agreement key pair on the curve secp384r1 (NIST-P384).

(dE, QE)

Ephemeral agreement key pair: HSM and service hosts generate ephemeral agreement keys. These are Elliptic Curve Diffie-Hellman keys on the curve secp384r1 (NIST-P384). These are generated in two use cases: to establish a host-to-host encryption key to transport domain key encryption keys in domain tokens and to establish HSM-service host session keys to protect sensitive communications.

(dHSK,QHSK)

HSM signature key pair: Every initiated HSM has a locally generated Elliptic Curve Digital Signature key pair on the curve secp384r1 (NIST-P384).

(dOS,QOS)

Operator signature key pair: Both the service host operators and AWS KMS operators have an identity signing key used to authenticate themselves to other domain participants.

K

Data encryption key: A 256-bit AES-GCM key derived from an HBK using the NIST SP800-108 KDF in counter mode using HMAC with SHA256.

SK

Session key: A session key is created as the result of an authenticated Elliptic Curve Diffie-Hellman key exchange between a service host operator and an HSM. The purpose of the exchange is to secure communication between the service host and the members of the domain.
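The data encryption key K above is defined as the output of the NIST SP 800-108 KDF in counter mode with HMAC-SHA256 as the PRF, keyed by an HBK. The following is an added example, not AWS code, showing that derivation end to end: the fixed input data is Label || 0x00 || Context || [L]_2 with a 32-bit big-endian counter prepended, exactly as SP 800-108 section 5.1 specifies. The label string, the shape of the context (the key identifier) and the sample HBK are constructed for illustration; AWS does not publish the labels or contexts it uses.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    """PRF for the KDF: HMAC with SHA-256 (NIST SP 800-108 allows HMAC as PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def kdf_counter_mode(ki: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """NIST SP 800-108 KDF in counter mode (section 5.1), PRF = HMAC-SHA256.

    K(i) = PRF(KI, [i]_2 || Label || 0x00 || Context || [L]_2),  i = 1 .. n
    KO   = leftmost L bits of K(1) || K(2) || ... || K(n)

    Counter and length fields are both 32-bit big-endian (r = 32).
    """
    if length_bits <= 0 or length_bits % 8 != 0:
        raise ValueError("length_bits must be a positive multiple of 8")
    h_len = hashlib.sha256().digest_size                      # 32 bytes per PRF call
    n = -(-(length_bits // 8) // h_len)                       # ceil(L / h)
    if n > 2**32 - 1:
        raise ValueError("requested length too large for a 32-bit counter")
    # Fixed input data shared by every iteration; only the counter changes.
    fixed = label + b"\x00" + context + length_bits.to_bytes(4, "big")
    out = b""
    for i in range(1, n + 1):
        out += hmac_sha256(ki, i.to_bytes(4, "big") + fixed)
    return out[: length_bits // 8]


# Hypothetical label; AWS does not publish the label it uses for K.
DATA_KEY_LABEL = b"data-encryption-key"


def derive_data_key(hbk: bytes, key_id: str) -> bytes:
    """Derive a 256-bit AES-GCM data encryption key K from a 256-bit HBK.

    The context binds the derived key to a specific key identifier, so the
    same HBK yields independent K values for different keys. The use of the
    key identifier as context is an assumption made for this example.
    """
    if len(hbk) != 32:
        raise ValueError("HBK must be 256 bits")
    return kdf_counter_mode(hbk, DATA_KEY_LABEL, key_id.encode("utf-8"), 256)


if __name__ == "__main__":
    # Constructed sample HBK; a real HBK never leaves the HSM in plaintext.
    sample_hbk = bytes(range(32))
    k = derive_data_key(sample_hbk, "1234abcd-12ab-34cd-56ef-1234567890ab")
    print(len(k) * 8, "bit data key:", k.hex())
```

Two checks worth noting: the length field [L]_2 is part of the PRF input, so requesting 512 bits does not simply extend a 256-bit derivation, and because the KDF is a PRF of the HBK, an attacker who obtains a derived K learns nothing about the HBK or about other keys derived from it.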