aws-sdk-paymentcryptographydata 1.25.0 → 1.27.0

@@ -452,8 +452,8 @@ module Aws::PaymentCryptographyData
452
452
  # more information, see [Decrypt data][1] in the *Amazon Web Services
453
453
  # Payment Cryptography User Guide*.
454
454
  #
455
- # You can use an encryption key generated within Amazon Web Services
456
- # Payment Cryptography, or you can import your own encryption key by
455
+ # You can use an decryption key generated within Amazon Web Services
456
+ # Payment Cryptography, or you can import your own decryption key by
457
457
  # calling [ImportKey][2]. For this operation, the key must have
458
458
  # `KeyModesOfUse` set to `Decrypt`. In asymmetric decryption, Amazon Web
459
459
  # Services Payment Cryptography decrypts the ciphertext using the
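Review bot: The reworded sentence now reads `# You can use an decryption key generated within Amazon Web Services`, and the article no longer agrees with the noun; it should be `# You can use a decryption key generated within Amazon Web Services`. Since this text is generated from the service model, the fix belongs upstream in the model's documentation rather than in this file alone. The enclosing DecryptData docstring and the method it documents continue outside the hunk.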
@@ -462,6 +462,17 @@ module Aws::PaymentCryptographyData
462
462
  # can export the public component of the asymmetric key pair by calling
463
463
  # [GetPublicCertificate][3].
464
464
  #
465
+ # This operation also supports dynamic keys, allowing you to pass a
466
+ # dynamic decryption key as a TR-31 WrappedKeyBlock. This can be used
467
+ # when key material is frequently rotated, such as during every card
468
+ # transaction, and there is need to avoid importing short-lived keys
469
+ # into Amazon Web Services Payment Cryptography. To decrypt using
470
+ # dynamic keys, the `keyARN` is the Key Encryption Key (KEK) of the
471
+ # TR-31 wrapped decryption key material. The incoming wrapped key shall
472
+ # have a key purpose of D0 with a mode of use of B or D. For more
473
+ # information, see [Using Dynamic Keys][4] in the *Amazon Web Services
474
+ # Payment Cryptography User Guide*.
475
+ #
465
476
  # For symmetric and DUKPT decryption, Amazon Web Services Payment
466
477
  # Cryptography supports `TDES` and `AES` algorithms. For EMV decryption,
467
478
  # Amazon Web Services Payment Cryptography supports `TDES` algorithms.
@@ -474,8 +485,8 @@ module Aws::PaymentCryptographyData
474
485
  # size unless padding is enabled.
475
486
  #
476
487
  # For information about valid keys for this operation, see
477
- # [Understanding key attributes][4] and [Key types for specific data
478
- # operations][5] in the *Amazon Web Services Payment Cryptography User
488
+ # [Understanding key attributes][5] and [Key types for specific data
489
+ # operations][6] in the *Amazon Web Services Payment Cryptography User
479
490
  # Guide*.
480
491
  #
481
492
  # **Cross-account use**: This operation can't be used across different
@@ -494,8 +505,9 @@ module Aws::PaymentCryptographyData
494
505
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/decrypt-data.html
495
506
  # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html
496
507
  # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
497
- # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
498
- # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
508
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html
509
+ # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
510
+ # [6]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
499
511
  #
500
512
  # @option params [required, String] :key_identifier
501
513
  # The `keyARN` of the encryption key that Amazon Web Services Payment
@@ -554,6 +566,14 @@ module Aws::PaymentCryptographyData
554
566
  # wrapped_key: {
555
567
  # wrapped_key_material: { # required
556
568
  # tr_31_key_block: "Tr31WrappedKeyBlock",
569
+ # diffie_hellman_symmetric_key: {
570
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
571
+ # public_key_certificate: "CertificateType", # required
572
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
573
+ # key_derivation_function: "NIST_SP800", # required, accepts NIST_SP800, ANSI_X963
574
+ # key_derivation_hash_algorithm: "SHA_256", # required, accepts SHA_256, SHA_384, SHA_512
575
+ # shared_information: "SharedInformation", # required
576
+ # },
557
577
  # },
558
578
  # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
559
579
  # },
@@ -581,11 +601,24 @@ module Aws::PaymentCryptographyData
581
601
  #
582
602
  # You can generate an encryption key within Amazon Web Services Payment
583
603
  # Cryptography by calling [CreateKey][2]. You can import your own
584
- # encryption key by calling [ImportKey][3]. For this operation, the key
585
- # must have `KeyModesOfUse` set to `Encrypt`. In asymmetric encryption,
586
- # plaintext is encrypted using public component. You can import the
587
- # public component of an asymmetric key pair created outside Amazon Web
588
- # Services Payment Cryptography by calling [ImportKey][3].
604
+ # encryption key by calling [ImportKey][3].
605
+ #
606
+ # For this operation, the key must have `KeyModesOfUse` set to
607
+ # `Encrypt`. In asymmetric encryption, plaintext is encrypted using
608
+ # public component. You can import the public component of an asymmetric
609
+ # key pair created outside Amazon Web Services Payment Cryptography by
610
+ # calling [ImportKey][3].
611
+ #
612
+ # This operation also supports dynamic keys, allowing you to pass a
613
+ # dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used
614
+ # when key material is frequently rotated, such as during every card
615
+ # transaction, and there is need to avoid importing short-lived keys
616
+ # into Amazon Web Services Payment Cryptography. To encrypt using
617
+ # dynamic keys, the `keyARN` is the Key Encryption Key (KEK) of the
618
+ # TR-31 wrapped encryption key material. The incoming wrapped key shall
619
+ # have a key purpose of D0 with a mode of use of B or D. For more
620
+ # information, see [Using Dynamic Keys][4] in the *Amazon Web Services
621
+ # Payment Cryptography User Guide*.
589
622
  #
590
623
  # For symmetric and DUKPT encryption, Amazon Web Services Payment
591
624
  # Cryptography supports `TDES` and `AES` algorithms. For EMV encryption,
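Review bot: The dynamic-key paragraph added to the EncryptData docs says the wrapped key `shall have a key purpose of D0 with a mode of use of B or D`, but in TR-31 mode of use D means decrypt-only, which conflicts with the requirement stated a few lines earlier in the same comment that the key `must have KeyModesOfUse set to Encrypt`. Unless the service deliberately accepts D here, this reads as copied from the DecryptData paragraph (where B or D is the right set) and should say `have a key purpose of D0 with a mode of use of B or E`. The identical wording appears again in the ReEncryptData hunk (`@@ -1086,6 +1324,17 @@`, the paragraph beginning `To re-encrypt using dynamic keys`), so both should be checked together against the service model before the generated text is changed. The enclosing docstring and the `encrypt_data` method it documents continue outside the hunk.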
@@ -605,8 +638,8 @@ module Aws::PaymentCryptographyData
605
638
  # your account with `KeyModesOfUse` set to `DeriveKey`.
606
639
  #
607
640
  # For information about valid keys for this operation, see
608
- # [Understanding key attributes][4] and [Key types for specific data
609
- # operations][5] in the *Amazon Web Services Payment Cryptography User
641
+ # [Understanding key attributes][5] and [Key types for specific data
642
+ # operations][6] in the *Amazon Web Services Payment Cryptography User
610
643
  # Guide*.
611
644
  #
612
645
  # **Cross-account use**: This operation can't be used across different
@@ -616,7 +649,7 @@ module Aws::PaymentCryptographyData
616
649
  #
617
650
  # * DecryptData
618
651
  #
619
- # * [GetPublicCertificate][6]
652
+ # * [GetPublicCertificate][7]
620
653
  #
621
654
  # * [ImportKey][3]
622
655
  #
@@ -627,9 +660,10 @@ module Aws::PaymentCryptographyData
627
660
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/encrypt-data.html
628
661
  # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html
629
662
  # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html
630
- # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
631
- # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
632
- # [6]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
663
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html
664
+ # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
665
+ # [6]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
666
+ # [7]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
633
667
  #
634
668
  # @option params [required, String] :key_identifier
635
669
  # The `keyARN` of the encryption key that Amazon Web Services Payment
@@ -700,6 +734,14 @@ module Aws::PaymentCryptographyData
700
734
  # wrapped_key: {
701
735
  # wrapped_key_material: { # required
702
736
  # tr_31_key_block: "Tr31WrappedKeyBlock",
737
+ # diffie_hellman_symmetric_key: {
738
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
739
+ # public_key_certificate: "CertificateType", # required
740
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
741
+ # key_derivation_function: "NIST_SP800", # required, accepts NIST_SP800, ANSI_X963
742
+ # key_derivation_hash_algorithm: "SHA_256", # required, accepts SHA_256, SHA_384, SHA_512
743
+ # shared_information: "SharedInformation", # required
744
+ # },
703
745
  # },
704
746
  # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
705
747
  # },
@@ -906,7 +948,7 @@ module Aws::PaymentCryptographyData
906
948
  # session_key_derivation_mode: "EMV_COMMON_SESSION_KEY", # required, accepts EMV_COMMON_SESSION_KEY, EMV2000, AMEX, MASTERCARD_SESSION_KEY, VISA
907
949
  # session_key_derivation_value: { # required
908
950
  # application_cryptogram: "ApplicationCryptogramType",
909
- # application_transaction_counter: "HexLengthBetween2And4",
951
+ # application_transaction_counter: "HexLengthEquals4",
910
952
  # },
911
953
  # },
912
954
  # dukpt_iso_9797_algorithm_1: {
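Review bot: Changing the example shape for `application_transaction_counter` from `HexLengthBetween2And4` to `HexLengthEquals4` presumably reflects a tightened length constraint in the API model that I cannot see here; if so, request-side validation will now reject 2- or 3-character ATC values that 1.25.0 accepted, and callers will only discover this at runtime. That is a compatibility change worth stating explicitly in the parameter documentation and the changelog, e.g. a sentence on the `application_transaction_counter` option such as `# Must be exactly 4 hexadecimal characters (the 2-byte ATC, left-padded).` if that is indeed the new contract. The enclosing request-syntax example starts and ends outside the hunk.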
@@ -943,6 +985,173 @@ module Aws::PaymentCryptographyData
943
985
  req.send_request(options)
944
986
  end
945
987
 
988
+ # Generates an issuer script mac for EMV payment cards that use offline
989
+ # PINs as the cardholder verification method (CVM).
990
+ #
991
+ # This operation generates an authenticated issuer script response by
992
+ # appending the incoming message data (APDU command) with the target
993
+ # encrypted PIN block in ISO2 format. The command structure and method
994
+ # to send the issuer script update to the card is not defined by this
995
+ # operation and is typically determined by the applicable payment card
996
+ # scheme.
997
+ #
998
+ # The primary inputs to this operation include the incoming new
999
+ # encrypted pinblock, PIN encryption key (PEK), issuer master key (IMK),
1000
+ # primary account number (PAN), and the payment card derivation method.
1001
+ #
1002
+ # The operation uses two issuer master keys - secure messaging for
1003
+ # confidentiality (IMK-SMC) and secure messaging for integrity
1004
+ # (IMK-SMI). The SMC key is used to internally derive a key to secure
1005
+ # the pin, while SMI key is used to internally derive a key to
1006
+ # authenticate the script reponse as per the [EMV 4.4 - Book 2 -
1007
+ # Security and Key Management][1] specification.
1008
+ #
1009
+ # This operation supports Amex, EMV2000, EMVCommon, Mastercard and Visa
1010
+ # derivation methods, each requiring specific input parameters. Users
1011
+ # must follow the specific derivation method and input parameters
1012
+ # defined by the respective payment card scheme.
1013
+ #
1014
+ # <note markdown="1"> Use GenerateMac operation when sending a script update to an EMV card
1015
+ # that does not involve PIN change. When assigning IAM permissions, it
1016
+ # is important to understand that EncryptData using EMV keys and
1017
+ # GenerateMac perform similar functions to this command.
1018
+ #
1019
+ # </note>
1020
+ #
1021
+ # **Cross-account use**: This operation can't be used across different
1022
+ # Amazon Web Services accounts.
1023
+ #
1024
+ # **Related operations:**
1025
+ #
1026
+ # * EncryptData
1027
+ #
1028
+ # * GenerateMac
1029
+ #
1030
+ #
1031
+ #
1032
+ # [1]: https://www.emvco.com/specifications/
1033
+ #
1034
+ # @option params [required, String] :new_pin_pek_identifier
1035
+ # The `keyARN` of the PEK protecting the incoming new encrypted PIN
1036
+ # block.
1037
+ #
1038
+ # @option params [required, String] :new_encrypted_pin_block
1039
+ # The incoming new encrypted PIN block data for offline pin change on an
1040
+ # EMV card.
1041
+ #
1042
+ # @option params [required, String] :pin_block_format
1043
+ # The PIN encoding format of the incoming new encrypted PIN block as
1044
+ # specified in ISO 9564.
1045
+ #
1046
+ # @option params [required, String] :secure_messaging_integrity_key_identifier
1047
+ # The `keyARN` of the issuer master key (IMK-SMI) used to authenticate
1048
+ # the issuer script response.
1049
+ #
1050
+ # @option params [required, String] :secure_messaging_confidentiality_key_identifier
1051
+ # The `keyARN` of the issuer master key (IMK-SMC) used to protect the
1052
+ # PIN block data in the issuer script response.
1053
+ #
1054
+ # @option params [required, String] :message_data
1055
+ # The message data is the APDU command from the card reader or terminal.
1056
+ # The target encrypted PIN block, after translation to ISO2 format, is
1057
+ # appended to this message data to generate an issuer script response.
1058
+ #
1059
+ # @option params [required, Types::DerivationMethodAttributes] :derivation_method_attributes
1060
+ # The attributes and data values to derive payment card specific
1061
+ # confidentiality and integrity keys.
1062
+ #
1063
+ # @return [Types::GenerateMacEmvPinChangeOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1064
+ #
1065
+ # * {Types::GenerateMacEmvPinChangeOutput#new_pin_pek_arn #new_pin_pek_arn} => String
1066
+ # * {Types::GenerateMacEmvPinChangeOutput#secure_messaging_integrity_key_arn #secure_messaging_integrity_key_arn} => String
1067
+ # * {Types::GenerateMacEmvPinChangeOutput#secure_messaging_confidentiality_key_arn #secure_messaging_confidentiality_key_arn} => String
1068
+ # * {Types::GenerateMacEmvPinChangeOutput#mac #mac} => String
1069
+ # * {Types::GenerateMacEmvPinChangeOutput#encrypted_pin_block #encrypted_pin_block} => String
1070
+ # * {Types::GenerateMacEmvPinChangeOutput#new_pin_pek_key_check_value #new_pin_pek_key_check_value} => String
1071
+ # * {Types::GenerateMacEmvPinChangeOutput#secure_messaging_integrity_key_check_value #secure_messaging_integrity_key_check_value} => String
1072
+ # * {Types::GenerateMacEmvPinChangeOutput#secure_messaging_confidentiality_key_check_value #secure_messaging_confidentiality_key_check_value} => String
1073
+ # * {Types::GenerateMacEmvPinChangeOutput#visa_amex_derivation_outputs #visa_amex_derivation_outputs} => Types::VisaAmexDerivationOutputs
1074
+ #
1075
+ # @example Request syntax with placeholder values
1076
+ #
1077
+ # resp = client.generate_mac_emv_pin_change({
1078
+ # new_pin_pek_identifier: "KeyArnOrKeyAliasType", # required
1079
+ # new_encrypted_pin_block: "PinBlockLengthEquals16", # required
1080
+ # pin_block_format: "ISO_FORMAT_0", # required, accepts ISO_FORMAT_0, ISO_FORMAT_1, ISO_FORMAT_3
1081
+ # secure_messaging_integrity_key_identifier: "KeyArnOrKeyAliasType", # required
1082
+ # secure_messaging_confidentiality_key_identifier: "KeyArnOrKeyAliasType", # required
1083
+ # message_data: "CommandMessageDataType", # required
1084
+ # derivation_method_attributes: { # required
1085
+ # emv_common: {
1086
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1087
+ # primary_account_number: "PrimaryAccountNumberType", # required
1088
+ # pan_sequence_number: "NumberLengthEquals2", # required
1089
+ # application_cryptogram: "ApplicationCryptogramType", # required
1090
+ # mode: "ECB", # required, accepts ECB, CBC
1091
+ # pin_block_padding_type: "NO_PADDING", # required, accepts NO_PADDING, ISO_IEC_7816_4
1092
+ # pin_block_length_position: "NONE", # required, accepts NONE, FRONT_OF_PIN_BLOCK
1093
+ # },
1094
+ # amex: {
1095
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1096
+ # primary_account_number: "PrimaryAccountNumberType", # required
1097
+ # pan_sequence_number: "NumberLengthEquals2", # required
1098
+ # application_transaction_counter: "HexLengthEquals4", # required
1099
+ # authorization_request_key_identifier: "KeyArnOrKeyAliasType", # required
1100
+ # current_pin_attributes: {
1101
+ # current_pin_pek_identifier: "KeyArnOrKeyAliasType", # required
1102
+ # current_encrypted_pin_block: "PinBlockLengthEquals16", # required
1103
+ # },
1104
+ # },
1105
+ # visa: {
1106
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1107
+ # primary_account_number: "PrimaryAccountNumberType", # required
1108
+ # pan_sequence_number: "NumberLengthEquals2", # required
1109
+ # application_transaction_counter: "HexLengthEquals4", # required
1110
+ # authorization_request_key_identifier: "KeyArnOrKeyAliasType", # required
1111
+ # current_pin_attributes: {
1112
+ # current_pin_pek_identifier: "KeyArnOrKeyAliasType", # required
1113
+ # current_encrypted_pin_block: "PinBlockLengthEquals16", # required
1114
+ # },
1115
+ # },
1116
+ # emv_2000: {
1117
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1118
+ # primary_account_number: "PrimaryAccountNumberType", # required
1119
+ # pan_sequence_number: "NumberLengthEquals2", # required
1120
+ # application_transaction_counter: "HexLengthEquals4", # required
1121
+ # },
1122
+ # mastercard: {
1123
+ # major_key_derivation_mode: "EMV_OPTION_A", # required, accepts EMV_OPTION_A, EMV_OPTION_B
1124
+ # primary_account_number: "PrimaryAccountNumberType", # required
1125
+ # pan_sequence_number: "NumberLengthEquals2", # required
1126
+ # application_cryptogram: "ApplicationCryptogramType", # required
1127
+ # },
1128
+ # },
1129
+ # })
1130
+ #
1131
+ # @example Response structure
1132
+ #
1133
+ # resp.new_pin_pek_arn #=> String
1134
+ # resp.secure_messaging_integrity_key_arn #=> String
1135
+ # resp.secure_messaging_confidentiality_key_arn #=> String
1136
+ # resp.mac #=> String
1137
+ # resp.encrypted_pin_block #=> String
1138
+ # resp.new_pin_pek_key_check_value #=> String
1139
+ # resp.secure_messaging_integrity_key_check_value #=> String
1140
+ # resp.secure_messaging_confidentiality_key_check_value #=> String
1141
+ # resp.visa_amex_derivation_outputs.authorization_request_key_arn #=> String
1142
+ # resp.visa_amex_derivation_outputs.authorization_request_key_check_value #=> String
1143
+ # resp.visa_amex_derivation_outputs.current_pin_pek_arn #=> String
1144
+ # resp.visa_amex_derivation_outputs.current_pin_pek_key_check_value #=> String
1145
+ #
1146
+ # @see http://docs.aws.amazon.com/goto/WebAPI/payment-cryptography-data-2022-02-03/GenerateMacEmvPinChange AWS API Documentation
1147
+ #
1148
+ # @overload generate_mac_emv_pin_change(params = {})
1149
+ # @param [Hash] params ({})
1150
+ def generate_mac_emv_pin_change(params = {}, options = {})
1151
+ req = build_request(:generate_mac_emv_pin_change, params)
1152
+ req.send_request(options)
1153
+ end
1154
+
946
1155
  # Generates pin-related data such as PIN, PIN Verification Value (PVV),
947
1156
  # PIN Block, and PIN Offset during new card issuance or reissuance. For
948
1157
  # more information, see [Generate PIN data][1] in the *Amazon Web
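Review bot: The new `generate_mac_emv_pin_change` docstring has a typo in `# authenticate the script reponse as per the [EMV 4.4 - Book 2 -`; `reponse` should be `response`, and the opening line `# Generates an issuer script mac for EMV payment cards that use offline` would read better as `issuer script MAC` since MAC is an abbreviation. The method body itself is the same two-line `build_request`/`send_request` wrapper as the sibling operations, so there is nothing to change in the code. The IAM remark inside the `<note>` block, that `EncryptData` using EMV keys and `GenerateMac` perform similar functions to this command, is the most operationally useful sentence here for anyone scoping policies; consider adding `# Grant this action with the same scrutiny as EncryptData and GenerateMac.` directly under it so it is not lost in the markdown note.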
@@ -955,9 +1164,18 @@ module Aws::PaymentCryptographyData
955
1164
  # Cryptography. This operation uses a separate Pin Verification Key
956
1165
  # (PVK) for VISA PVV generation.
957
1166
  #
1167
+ # Using ECDH key exchange, you can receive cardholder selectable PINs
1168
+ # into Amazon Web Services Payment Cryptography. The ECDH derived key
1169
+ # protects the incoming PIN block. You can also use it for reveal PIN,
1170
+ # wherein the generated PIN block is protected by the ECDH derived key
1171
+ # before transmission from Amazon Web Services Payment Cryptography. For
1172
+ # more information on establishing ECDH derived keys, see the
1173
+ # [Generating keys][2] in the *Amazon Web Services Payment Cryptography
1174
+ # User Guide*.
1175
+ #
958
1176
  # For information about valid keys for this operation, see
959
- # [Understanding key attributes][2] and [Key types for specific data
960
- # operations][3] in the *Amazon Web Services Payment Cryptography User
1177
+ # [Understanding key attributes][3] and [Key types for specific data
1178
+ # operations][4] in the *Amazon Web Services Payment Cryptography User
961
1179
  # Guide*.
962
1180
  #
963
1181
  # **Cross-account use**: This operation can't be used across different
@@ -974,8 +1192,9 @@ module Aws::PaymentCryptographyData
974
1192
  #
975
1193
  #
976
1194
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/generate-pin-data.html
977
- # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
978
- # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1195
+ # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html
1196
+ # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1197
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
979
1198
  #
980
1199
  # @option params [required, String] :generation_key_identifier
981
1200
  # The `keyARN` of the PEK that Amazon Web Services Payment Cryptography
@@ -983,7 +1202,8 @@ module Aws::PaymentCryptographyData
983
1202
  #
984
1203
  # @option params [required, String] :encryption_key_identifier
985
1204
  # The `keyARN` of the PEK that Amazon Web Services Payment Cryptography
986
- # uses to encrypt the PIN Block.
1205
+ # uses to encrypt the PIN Block. For ECDH, it is the `keyARN` of the
1206
+ # asymmetric ECC key.
987
1207
  #
988
1208
  # @option params [required, Types::PinGenerationAttributes] :generation_attributes
989
1209
  # The attributes and values to use for PIN, PVV, or PIN Offset
@@ -1009,6 +1229,10 @@ module Aws::PaymentCryptographyData
1009
1229
  # The `ISO_Format_3` PIN block format is the same as `ISO_Format_0`
1010
1230
  # except that the fill digits are random values from 10 to 15.
1011
1231
  #
1232
+ # @option params [Types::WrappedKey] :encryption_wrapped_key
1233
+ # Parameter information of a WrappedKeyBlock for encryption key
1234
+ # exchange.
1235
+ #
1012
1236
  # @return [Types::GeneratePinDataOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1013
1237
  #
1014
1238
  # * {Types::GeneratePinDataOutput#generation_key_arn #generation_key_arn} => String
@@ -1056,7 +1280,21 @@ module Aws::PaymentCryptographyData
1056
1280
  # },
1057
1281
  # pin_data_length: 1,
1058
1282
  # primary_account_number: "PrimaryAccountNumberType", # required
1059
- # pin_block_format: "ISO_FORMAT_0", # required, accepts ISO_FORMAT_0, ISO_FORMAT_3
1283
+ # pin_block_format: "ISO_FORMAT_0", # required, accepts ISO_FORMAT_0, ISO_FORMAT_3, ISO_FORMAT_4
1284
+ # encryption_wrapped_key: {
1285
+ # wrapped_key_material: { # required
1286
+ # tr_31_key_block: "Tr31WrappedKeyBlock",
1287
+ # diffie_hellman_symmetric_key: {
1288
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
1289
+ # public_key_certificate: "CertificateType", # required
1290
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
1291
+ # key_derivation_function: "NIST_SP800", # required, accepts NIST_SP800, ANSI_X963
1292
+ # key_derivation_hash_algorithm: "SHA_256", # required, accepts SHA_256, SHA_384, SHA_512
1293
+ # shared_information: "SharedInformation", # required
1294
+ # },
1295
+ # },
1296
+ # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
1297
+ # },
1060
1298
  # })
1061
1299
  #
1062
1300
  # @example Response structure
@@ -1086,6 +1324,17 @@ module Aws::PaymentCryptographyData
1086
1324
  # this operation must be in a compatible key state with `KeyModesOfUse`
1087
1325
  # set to `Encrypt`.
1088
1326
  #
1327
+ # This operation also supports dynamic keys, allowing you to pass a
1328
+ # dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used
1329
+ # when key material is frequently rotated, such as during every card
1330
+ # transaction, and there is need to avoid importing short-lived keys
1331
+ # into Amazon Web Services Payment Cryptography. To re-encrypt using
1332
+ # dynamic keys, the `keyARN` is the Key Encryption Key (KEK) of the
1333
+ # TR-31 wrapped encryption key material. The incoming wrapped key shall
1334
+ # have a key purpose of D0 with a mode of use of B or D. For more
1335
+ # information, see [Using Dynamic Keys][3] in the *Amazon Web Services
1336
+ # Payment Cryptography User Guide*.
1337
+ #
1089
1338
  # For symmetric and DUKPT encryption, Amazon Web Services Payment
1090
1339
  # Cryptography supports `TDES` and `AES` algorithms. To encrypt using
1091
1340
  # DUKPT, a DUKPT key must already exist within your account with
@@ -1093,8 +1342,8 @@ module Aws::PaymentCryptographyData
1093
1342
  # calling [CreateKey][1].
1094
1343
  #
1095
1344
  # For information about valid keys for this operation, see
1096
- # [Understanding key attributes][3] and [Key types for specific data
1097
- # operations][4] in the *Amazon Web Services Payment Cryptography User
1345
+ # [Understanding key attributes][4] and [Key types for specific data
1346
+ # operations][5] in the *Amazon Web Services Payment Cryptography User
1098
1347
  # Guide*.
1099
1348
  #
1100
1349
  # **Cross-account use**: This operation can't be used across different
@@ -1106,7 +1355,7 @@ module Aws::PaymentCryptographyData
1106
1355
  #
1107
1356
  # * EncryptData
1108
1357
  #
1109
- # * [GetPublicCertificate][5]
1358
+ # * [GetPublicCertificate][6]
1110
1359
  #
1111
1360
  # * [ImportKey][2]
1112
1361
  #
@@ -1114,9 +1363,10 @@ module Aws::PaymentCryptographyData
1114
1363
  #
1115
1364
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html
1116
1365
  # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html
1117
- # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1118
- # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1119
- # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
1366
+ # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html
1367
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1368
+ # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1369
+ # [6]: https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html
1120
1370
  #
1121
1371
  # @option params [required, String] :incoming_key_identifier
1122
1372
  # The `keyARN` of the encryption key of incoming ciphertext data.
@@ -1192,12 +1442,28 @@ module Aws::PaymentCryptographyData
1192
1442
  # incoming_wrapped_key: {
1193
1443
  # wrapped_key_material: { # required
1194
1444
  # tr_31_key_block: "Tr31WrappedKeyBlock",
1445
+ # diffie_hellman_symmetric_key: {
1446
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
1447
+ # public_key_certificate: "CertificateType", # required
1448
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
1449
+ # key_derivation_function: "NIST_SP800", # required, accepts NIST_SP800, ANSI_X963
1450
+ # key_derivation_hash_algorithm: "SHA_256", # required, accepts SHA_256, SHA_384, SHA_512
1451
+ # shared_information: "SharedInformation", # required
1452
+ # },
1195
1453
  # },
1196
1454
  # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
1197
1455
  # },
1198
1456
  # outgoing_wrapped_key: {
1199
1457
  # wrapped_key_material: { # required
1200
1458
  # tr_31_key_block: "Tr31WrappedKeyBlock",
1459
+ # diffie_hellman_symmetric_key: {
1460
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
1461
+ # public_key_certificate: "CertificateType", # required
1462
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
1463
+ # key_derivation_function: "NIST_SP800", # required, accepts NIST_SP800, ANSI_X963
1464
+ # key_derivation_hash_algorithm: "SHA_256", # required, accepts SHA_256, SHA_384, SHA_512
1465
+ # shared_information: "SharedInformation", # required
1466
+ # },
1201
1467
  # },
1202
1468
  # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
1203
1469
  # },
@@ -1222,14 +1488,36 @@ module Aws::PaymentCryptographyData
1222
1488
  # For more information, see [Translate PIN data][1] in the *Amazon Web
1223
1489
  # Services Payment Cryptography User Guide*.
1224
1490
  #
1225
- # PIN block translation involves changing the encrytion of PIN block
1226
- # from one encryption key to another encryption key and changing PIN
1227
- # block format from one to another without PIN block data leaving Amazon
1228
- # Web Services Payment Cryptography. The encryption key transformation
1229
- # can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for
1230
- # DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment
1231
- # Cryptography supports `TDES` and `AES` key derivation type for DUKPT
1232
- # translations.
1491
+ # PIN block translation involves changing a PIN block from one
1492
+ # encryption key to another and optionally change its format. PIN block
1493
+ # translation occurs entirely within the HSM boundary and PIN data never
1494
+ # enters or leaves Amazon Web Services Payment Cryptography in clear
1495
+ # text. The encryption key transformation can be from PEK (Pin
1496
+ # Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for
1497
+ # DUKPT to PEK.
1498
+ #
1499
+ # Amazon Web Services Payment Cryptography also supports use of dynamic
1500
+ # keys and ECDH (Elliptic Curve Diffie-Hellman) based key exchange for
1501
+ # this operation.
1502
+ #
1503
+ # Dynamic keys allow you to pass a PEK as a TR-31 WrappedKeyBlock. They
1504
+ # can be used when key material is frequently rotated, such as during
1505
+ # every card transaction, and there is need to avoid importing
1506
+ # short-lived keys into Amazon Web Services Payment Cryptography. To
1507
+ # translate PIN block using dynamic keys, the `keyARN` is the Key
1508
+ # Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped
1509
+ # key shall have a key purpose of P0 with a mode of use of B or D. For
1510
+ # more information, see [Using Dynamic Keys][2] in the *Amazon Web
1511
+ # Services Payment Cryptography User Guide*.
1512
+ #
1513
+ # Using ECDH key exchange, you can receive cardholder selectable PINs
1514
+ # into Amazon Web Services Payment Cryptography. The ECDH derived key
1515
+ # protects the incoming PIN block, which is translated to a PEK
1516
+ # encrypted PIN block for use within the service. You can also use ECDH
1517
+ # for reveal PIN, wherein the service translates the PIN block from PEK
1518
+ # to a ECDH derived encryption key. For more information on establishing
1519
+ # ECDH derived keys, see the [Generating keys][3] in the *Amazon Web
1520
+ # Services Payment Cryptography User Guide*.
1233
1521
  #
1234
1522
  # The allowed combinations of PIN block format translations are guided
1235
1523
  # by PCI. It is important to note that not all encrypted PIN block
@@ -1239,8 +1527,8 @@ module Aws::PaymentCryptographyData
1239
1527
  # not require a PAN for generation.
1240
1528
  #
1241
1529
  # For information about valid keys for this operation, see
1242
- # [Understanding key attributes][2] and [Key types for specific data
1243
- # operations][3] in the *Amazon Web Services Payment Cryptography User
1530
+ # [Understanding key attributes][4] and [Key types for specific data
1531
+ # operations][5] in the *Amazon Web Services Payment Cryptography User
1244
1532
  # Guide*.
1245
1533
  #
1246
1534
  # <note markdown="1"> Amazon Web Services Payment Cryptography currently supports ISO PIN
@@ -1261,21 +1549,24 @@ module Aws::PaymentCryptographyData
1261
1549
  #
1262
1550
  #
1263
1551
  # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html
1264
- # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1265
- # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1552
+ # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html
1553
+ # [3]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html
1554
+ # [4]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html
1555
+ # [5]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html
1266
1556
  #
1267
1557
  # @option params [required, String] :incoming_key_identifier
1268
1558
  # The `keyARN` of the encryption key under which incoming PIN block data
1269
1559
  # is encrypted. This key type can be PEK or BDK.
1270
1560
  #
1271
- # When a WrappedKeyBlock is provided, this value will be the identifier
1272
- # to the key wrapping key for PIN block. Otherwise, it is the key
1273
- # identifier used to perform the operation.
1561
+ # For dynamic keys, it is the `keyARN` of KEK of the TR-31 wrapped PEK.
1562
+ # For ECDH, it is the `keyARN` of the asymmetric ECC key.
1274
1563
  #
1275
1564
  # @option params [required, String] :outgoing_key_identifier
1276
1565
  # The `keyARN` of the encryption key for encrypting outgoing PIN block
1277
1566
  # data. This key type can be PEK or BDK.
1278
1567
  #
1568
+ # For ECDH, it is the `keyARN` of the asymmetric ECC key.
1569
+ #
1279
1570
  # @option params [required, Types::TranslationIsoFormats] :incoming_translation_attributes
1280
1571
  # The format of the incoming PIN block data for translation within
1281
1572
  # Amazon Web Services Payment Cryptography.
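Review bot: The new `:outgoing_key_identifier` sentence documents only the ECDH meaning of the ARN, while the `outgoing_wrapped_key` example further down this file still lists `tr_31_key_block` as accepted material, so a caller passing a TR-31 wrapped outgoing PEK has no statement of what the ARN must be. If the outgoing side supports dynamic keys the same way the incoming side does, mirror the incoming wording: `# For dynamic keys, it is the `keyARN` of KEK of the TR-31 wrapped PEK.` before the ECDH line; if it does not, the `tr_31_key_block` entry in the outgoing example is misleading and should be dropped or annotated. The option list continues past this hunk.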
@@ -1355,12 +1646,28 @@ module Aws::PaymentCryptographyData
1355
1646
  # incoming_wrapped_key: {
1356
1647
  # wrapped_key_material: { # required
1357
1648
  # tr_31_key_block: "Tr31WrappedKeyBlock",
1649
+ # diffie_hellman_symmetric_key: {
1650
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
1651
+ # public_key_certificate: "CertificateType", # required
1652
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
1653
+ # key_derivation_function: "NIST_SP800", # required, accepts NIST_SP800, ANSI_X963
1654
+ # key_derivation_hash_algorithm: "SHA_256", # required, accepts SHA_256, SHA_384, SHA_512
1655
+ # shared_information: "SharedInformation", # required
1656
+ # },
1358
1657
  # },
1359
1658
  # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
1360
1659
  # },
1361
1660
  # outgoing_wrapped_key: {
1362
1661
  # wrapped_key_material: { # required
1363
1662
  # tr_31_key_block: "Tr31WrappedKeyBlock",
1663
+ # diffie_hellman_symmetric_key: {
1664
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
1665
+ # public_key_certificate: "CertificateType", # required
1666
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
1667
+ # key_derivation_function: "NIST_SP800", # required, accepts NIST_SP800, ANSI_X963
1668
+ # key_derivation_hash_algorithm: "SHA_256", # required, accepts SHA_256, SHA_384, SHA_512
1669
+ # shared_information: "SharedInformation", # required
1670
+ # },
1364
1671
  # },
1365
1672
  # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
1366
1673
  # },
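Review bot: The `diffie_hellman_symmetric_key` example shows the shape of the request but nothing in this hunk tells a caller how the two certificate fields relate, and that is the security-relevant part of the exchange. Presumably the service verifies `public_key_certificate` against the CA referenced by `certificate_authority_public_key_identifier` and derives the key only when that chain validates — if so, the option docs should state it explicitly, and should also say that `shared_information` must be byte-identical on the peer side or the derived keys will not match. A reviewer would also want the docs to say which side (caller or service) is expected to supply the ephemeral key, since the example leaves that implicit. The option documentation for `:incoming_wrapped_key` lies outside this hunk.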
@@ -1468,18 +1775,18 @@ module Aws::PaymentCryptographyData
1468
1775
  # emv_common: {
1469
1776
  # primary_account_number: "PrimaryAccountNumberType", # required
1470
1777
  # pan_sequence_number: "NumberLengthEquals2", # required
1471
- # application_transaction_counter: "HexLengthBetween2And4", # required
1778
+ # application_transaction_counter: "HexLengthEquals4", # required
1472
1779
  # },
1473
1780
  # mastercard: {
1474
1781
  # primary_account_number: "PrimaryAccountNumberType", # required
1475
1782
  # pan_sequence_number: "NumberLengthEquals2", # required
1476
- # application_transaction_counter: "HexLengthBetween2And4", # required
1783
+ # application_transaction_counter: "HexLengthEquals4", # required
1477
1784
  # unpredictable_number: "HexLengthBetween2And8", # required
1478
1785
  # },
1479
1786
  # emv_2000: {
1480
1787
  # primary_account_number: "PrimaryAccountNumberType", # required
1481
1788
  # pan_sequence_number: "NumberLengthEquals2", # required
1482
- # application_transaction_counter: "HexLengthBetween2And4", # required
1789
+ # application_transaction_counter: "HexLengthEquals4", # required
1483
1790
  # },
1484
1791
  # amex: {
1485
1792
  # primary_account_number: "PrimaryAccountNumberType", # required
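Review bot: Tightening `application_transaction_counter` from `HexLengthBetween2And4` to `HexLengthEquals4` is a compatibility change for existing callers, not just a doc edit: any integration that passed a two- or three-digit ATC (for example `"1A"`) will now be rejected, presumably by the service's input validation. The example should say how to satisfy the new constraint, e.g. `# application_transaction_counter: "HexLengthEquals4", # required, exactly 4 hex digits; left-pad shorter ATC values with zeros`, and the version changelog should call the change out. The enclosing example (and the method it documents) starts before this hunk, so the `@option` text for this field is not visible here; it should carry the same note.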
@@ -1702,7 +2009,7 @@ module Aws::PaymentCryptographyData
1702
2009
  # session_key_derivation_mode: "EMV_COMMON_SESSION_KEY", # required, accepts EMV_COMMON_SESSION_KEY, EMV2000, AMEX, MASTERCARD_SESSION_KEY, VISA
1703
2010
  # session_key_derivation_value: { # required
1704
2011
  # application_cryptogram: "ApplicationCryptogramType",
1705
- # application_transaction_counter: "HexLengthBetween2And4",
2012
+ # application_transaction_counter: "HexLengthEquals4",
1706
2013
  # },
1707
2014
  # },
1708
2015
  # dukpt_iso_9797_algorithm_1: {
@@ -1806,6 +2113,10 @@ module Aws::PaymentCryptographyData
1806
2113
  # @option params [Types::DukptAttributes] :dukpt_attributes
1807
2114
  # The attributes and values for the DUKPT encrypted PIN block data.
1808
2115
  #
2116
+ # @option params [Types::WrappedKey] :encryption_wrapped_key
2117
+ # Parameter information of a WrappedKeyBlock for encryption key
2118
+ # exchange.
2119
+ #
1809
2120
  # @return [Types::VerifyPinDataOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1810
2121
  #
1811
2122
  # * {Types::VerifyPinDataOutput#verification_key_arn #verification_key_arn} => String
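Review bot: The new `:encryption_wrapped_key` option text ("Parameter information of a WrappedKeyBlock for encryption key exchange") does not say what `encryption_key_identifier` means once a wrapped key is supplied, which is the one thing a caller needs to get right. Mirroring the wording used for `translate_pin_data` in this file, I would add: `# When provided, `encryption_key_identifier` is the `keyARN` of the KEK of the TR-31 wrapped PEK (dynamic keys) or of the asymmetric ECC key (ECDH), not the PEK itself.` — hedged as "presumably", since the verify path is not documented here. It would also help to state whether `encryption_wrapped_key` may be combined with `dukpt_attributes` or whether the two are mutually exclusive. The method's option list starts outside this hunk.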
@@ -1832,12 +2143,26 @@ module Aws::PaymentCryptographyData
1832
2143
  # },
1833
2144
  # encrypted_pin_block: "EncryptedPinBlockType", # required
1834
2145
  # primary_account_number: "PrimaryAccountNumberType", # required
1835
- # pin_block_format: "ISO_FORMAT_0", # required, accepts ISO_FORMAT_0, ISO_FORMAT_3
2146
+ # pin_block_format: "ISO_FORMAT_0", # required, accepts ISO_FORMAT_0, ISO_FORMAT_3, ISO_FORMAT_4
1836
2147
  # pin_data_length: 1,
1837
2148
  # dukpt_attributes: {
1838
2149
  # key_serial_number: "HexLengthBetween10And24", # required
1839
2150
  # dukpt_derivation_type: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
1840
2151
  # },
2152
+ # encryption_wrapped_key: {
2153
+ # wrapped_key_material: { # required
2154
+ # tr_31_key_block: "Tr31WrappedKeyBlock",
2155
+ # diffie_hellman_symmetric_key: {
2156
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
2157
+ # public_key_certificate: "CertificateType", # required
2158
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256
2159
+ # key_derivation_function: "NIST_SP800", # required, accepts NIST_SP800, ANSI_X963
2160
+ # key_derivation_hash_algorithm: "SHA_256", # required, accepts SHA_256, SHA_384, SHA_512
2161
+ # shared_information: "SharedInformation", # required
2162
+ # },
2163
+ # },
2164
+ # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
2165
+ # },
1841
2166
  # })
1842
2167
  #
1843
2168
  # @example Response structure
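Review bot: `ISO_FORMAT_4` is added to the accepted `pin_block_format` values for this request, but the hunk carries no note on which keys it is valid with. ISO 9564-1 format 4 is the AES-based PIN block, so presumably it requires an AES PEK (or an AES `dukpt_derivation_type`) and will be rejected with a TDES key; the `:pin_block_format` option doc should say so, e.g. `# ISO_FORMAT_4 is AES-only; use it with an AES PEK or AES DUKPT derivation type.` — confirm against the service docs before wording it as a hard rule. The `:pin_block_format` option text itself lies outside this hunk.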
@@ -1874,7 +2199,7 @@ module Aws::PaymentCryptographyData
1874
2199
  tracer: tracer
1875
2200
  )
1876
2201
  context[:gem_name] = 'aws-sdk-paymentcryptographydata'
1877
- context[:gem_version] = '1.25.0'
2202
+ context[:gem_version] = '1.27.0'
1878
2203
  Seahorse::Client::Request.new(handlers, context)
1879
2204
  end
1880
2205