Valid keys for cryptographic operations
Certain keys can only be used for certain operations. Additionally, some operations may limit the key modes of use for keys. Please see the following tables for allowed combinations.
Note
Certain combinations, although permitted, may create unusable situations, such as generating CVV codes (generate) but then being unable to verify them (verify).
GenerateCardData
| API Endpoint | Cryptographic Operation or Algorithm | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|---|
| GenerateCardData | | TR31_C0_CARD_VERIFICATION_KEY | | { Generate = true }, { Generate = true, Verify = true } |
| GenerateCardData | | TR31_C0_CARD_VERIFICATION_KEY | | { Generate = true }, { Generate = true, Verify = true } |
| GenerateCardData | | TR31_E6_EMV_MKEY_OTHER | | { DeriveKey = true } |
| GenerateCardData | | TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS | | { DeriveKey = true } |
| GenerateCardData | | TR31_E6_EMV_MKEY_OTHER | | { DeriveKey = true } |
VerifyCardData
| Cryptographic Operation or Algorithm | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| | TR31_C0_CARD_VERIFICATION_KEY | | { Generate = true }, { Generate = true, Verify = true } |
| | TR31_C0_CARD_VERIFICATION_KEY | | { Generate = true }, { Generate = true, Verify = true } |
| | TR31_E6_EMV_MKEY_OTHER | | { DeriveKey = true } |
| | TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS | | { DeriveKey = true } |
| | TR31_E6_EMV_MKEY_OTHER | | { DeriveKey = true } |
GeneratePinData (for VISA/ABA schemes)
VISA_PIN or VISA_PIN_VERIFICATION_VALUE
| Key Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| PIN Encryption Key | TR31_P0_PIN_ENCRYPTION_KEY | | |
| PIN Generation Key | TR31_V2_VISA_PIN_VERIFICATION_KEY | | |
GeneratePinData (for IBM3624)
IBM3624_PIN_OFFSET, IBM3624_NATURAL_PIN, IBM3624_RANDOM_PIN, IBM3624_PIN_FROM_OFFSET
| Key Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| PIN Encryption Key | TR31_P0_PIN_ENCRYPTION_KEY | | For IBM3624_NATURAL_PIN, IBM3624_RANDOM_PIN, IBM3624_PIN_FROM_OFFSET; For IBM3624_PIN_OFFSET |
| PIN Generation Key | TR31_V1_IBM3624_PIN_VERIFICATION_KEY | | |
VerifyPinData (for VISA/ABA schemes)
VISA_PIN
| Key Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| PIN Encryption Key | TR31_P0_PIN_ENCRYPTION_KEY | | |
| PIN Generation Key | TR31_V2_VISA_PIN_VERIFICATION_KEY | | |
VerifyPinData (for IBM3624)
IBM3624_PIN_OFFSET, IBM3624_NATURAL_PIN, IBM3624_RANDOM_PIN, IBM3624_PIN_FROM_OFFSET
| Key Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| PIN Encryption Key | TR31_P0_PIN_ENCRYPTION_KEY | | For IBM3624_NATURAL_PIN, IBM3624_RANDOM_PIN, IBM3624_PIN_FROM_OFFSET |
| PIN Verification Key | TR31_V1_IBM3624_PIN_VERIFICATION_KEY | | |
Decrypt Data
| Key Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| DUKPT | TR31_B0_BASE_DERIVATION_KEY | | |
| EMV | TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E6_EMV_MKEY_OTHER | | |
| RSA | TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION | | |
| Symmetric keys | TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY | | |
Encrypt Data
| Key Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| DUKPT | TR31_B0_BASE_DERIVATION_KEY | | |
| EMV | TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E6_EMV_MKEY_OTHER | | |
| RSA | TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION | | |
| Symmetric keys | TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY | | |
Translate Pin Data
| Direction | Key Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|---|
| Inbound Data Source | DUKPT | TR31_B0_BASE_DERIVATION_KEY | | |
| Inbound Data Source | non-DUKPT (PEK, AWK, IWK, etc) | TR31_P0_PIN_ENCRYPTION_KEY | | |
| Outbound Data Target | DUKPT | TR31_B0_BASE_DERIVATION_KEY | | |
| Outbound Data Target | non-DUKPT (PEK, IWK, AWK, etc) | TR31_P0_PIN_ENCRYPTION_KEY | | |
Generate/Verify MAC
MAC keys are used for creating cryptographic hashes of a message/body of data. It is not recommended to create a key with limited key modes of use as you will be unable to perform the matching operation. However, you may import/export a key with only one operation if the other system is intended to perform the other half of the operation pair.
| Key Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| MAC Key | TR31_M1_ISO_9797_1_MAC_KEY | | |
| MAC Key (Retail MAC) | TR31_M3_ISO_9797_3_MAC_KEY | | |
| MAC Key (CMAC) | TR31_M6_ISO_9797_5_CMAC_KEY | | |
| MAC Key (HMAC) | TR31_M7_HMAC_KEY | | |
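The pairing problem described in the Note at the top of this page and in the MAC paragraph above can be checked before a key goes into service. The following is an added example, not part of the AWS documentation or SDK: it audits key attributes for a missing Generate or Verify half and checks them against the GenerateCardData table. The dict layout (mirroring `KeyUsage` and `KeyModesOfUse`), the key names, the sample inventory, and the treatment of any `TR31_M*` usage as a MAC key are assumptions.

```python
# Added example, not AWS code. Attribute dicts mirror the KeyUsage and
# KeyModesOfUse fields; key names and the inventory below are constructed.

# Allowed mode combinations for GenerateCardData, copied from this page's table.
GENERATE_CARD_DATA = {
    "TR31_C0_CARD_VERIFICATION_KEY": [{"Generate"}, {"Generate", "Verify"}],
    "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS": [{"DeriveKey"}],
    "TR31_E6_EMV_MKEY_OTHER": [{"DeriveKey"}],
}

def enabled_modes(attrs):
    """Set of mode names whose flag is true; false or absent flags are ignored."""
    return {m for m, on in attrs.get("KeyModesOfUse", {}).items() if on}

def allowed_for_generate_card_data(attrs):
    """True when usage and enabled modes match a row of the table copied above."""
    return enabled_modes(attrs) in GENERATE_CARD_DATA.get(attrs["KeyUsage"], [])

def missing_half(attrs):
    """Return the absent half of the Generate/Verify pair, or None.

    Checked for card verification keys and for MAC keys (TR31_M* usages).
    """
    usage, modes = attrs["KeyUsage"], enabled_modes(attrs)
    if usage != "TR31_C0_CARD_VERIFICATION_KEY" and not usage.startswith("TR31_M"):
        return None
    if ("Generate" in modes) == ("Verify" in modes):
        return None  # both halves enabled, or neither
    return "Verify" if "Generate" in modes else "Generate"

def audit(inventory):
    """Map key name -> missing half for every one-sided key in the inventory."""
    found = {name: missing_half(attrs) for name, attrs in inventory.items()}
    return {name: half for name, half in found.items() if half}

SAMPLE = {  # constructed inventory
    "cvk-gen-only": {"KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY",
                     "KeyModesOfUse": {"Generate": True, "Verify": False}},
    "cvk-both": {"KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY",
                 "KeyModesOfUse": {"Generate": True, "Verify": True}},
    "emv-derive": {"KeyUsage": "TR31_E6_EMV_MKEY_OTHER",
                   "KeyModesOfUse": {"DeriveKey": True}},
    "mac-verify-only": {"KeyUsage": "TR31_M7_HMAC_KEY",
                        "KeyModesOfUse": {"Verify": True}},
}

if __name__ == "__main__":
    for name, half in audit(SAMPLE).items():
        print(f"{name}: {half} is not enabled; the matching operation must run elsewhere")
```

A finding is a prompt for review rather than an error: a one-sided key is expected when it was imported or will be exported so that another system performs the other half of the pair.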
VerifyAuthRequestCryptogram
| EMV Option | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| | TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS | | |
Import/Export Key
| Operation Type | Allowed Key Usage | Allowed Key Algorithm | Allowed combination of key modes of use |
|---|---|---|---|
| TR-31 Wrapping Key | TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K0_KEY_ENCRYPTION_KEY | | |
| Import of trusted CA | TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE | | |
| Import of public key certificate for asymmetric encryption | TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION | | |
Unused key types
The following key types are not currently used by AWS Payment Cryptography:
- TR31_P1_PIN_GENERATION_KEY
- TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT