ReEncryptData - AWS Payment Cryptography Data Plane

ReEncryptData

Re-encrypt ciphertext using DUKPT or Symmetric data encryption keys.

You can either generate an encryption key within AWS Payment Cryptography by calling CreateKey or import your own encryption key by calling ImportKey. The KeyArn for use with this operation must be in a compatible key state with KeyModesOfUse set to Encrypt.

This operation also supports dynamic keys, allowing you to pass a dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into AWS Payment Cryptography. To re-encrypt using dynamic keys, the keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped encryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see Using Dynamic Keys in the AWS Payment Cryptography User Guide.

For symmetric and DUKPT encryption, AWS Payment Cryptography supports TDES and AES algorithms. To encrypt using DUKPT, a DUKPT key must already exist within your account with KeyModesOfUse set to DeriveKey or a new DUKPT can be generated by calling CreateKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the AWS Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different AWS accounts.

Related operations:

Request Syntax

POST /keys/IncomingKeyIdentifier/reencrypt HTTP/1.1 Content-type: application/json { "CipherText": "string", "IncomingEncryptionAttributes": { ... }, "IncomingWrappedKey": { "KeyCheckValueAlgorithm": "string", "WrappedKeyMaterial": { ... } }, "OutgoingEncryptionAttributes": { ... }, "OutgoingKeyIdentifier": "string", "OutgoingWrappedKey": { "KeyCheckValueAlgorithm": "string", "WrappedKeyMaterial": { ... } } }

URI Request Parameters

The request uses the following URI parameters.

IncomingKeyIdentifier

The keyARN of the encryption key of incoming ciphertext data.

When a WrappedKeyBlock is provided, this value will be the identifier to the key wrapping key. Otherwise, it is the key identifier used to perform the operation.

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

Request Body

The request accepts the following data in JSON format.

CipherText

Ciphertext to be encrypted. The minimum allowed length is 16 bytes and maximum allowed length is 4096 bytes.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 4096.

Pattern: (?:[0-9a-fA-F][0-9a-fA-F])+

Required: Yes

IncomingEncryptionAttributes

The attributes and values for incoming ciphertext.

Type: ReEncryptionAttributes object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

IncomingWrappedKey

The WrappedKeyBlock containing the encryption key of incoming ciphertext data.

Type: WrappedKey object

Required: No

OutgoingEncryptionAttributes

The attributes and values for outgoing ciphertext data after encryption by AWS Payment Cryptography.

Type: ReEncryptionAttributes object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

OutgoingKeyIdentifier

The keyARN of the encryption key of outgoing ciphertext data after encryption by AWS Payment Cryptography.

Type: String

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

OutgoingWrappedKey

The WrappedKeyBlock containing the encryption key of outgoing ciphertext data after encryption by AWS Payment Cryptography.

Type: WrappedKey object

Required: No

Response Syntax

HTTP/1.1 200 Content-type: application/json { "CipherText": "string", "KeyArn": "string", "KeyCheckValue": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

CipherText

The encrypted ciphertext.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 4096.

Pattern: (?:[0-9a-fA-F][0-9a-fA-F])+

KeyArn

The keyARN (Amazon Resource Name) of the encryption key that AWS Payment Cryptography uses for plaintext encryption.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

KeyCheckValue

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

AWS Payment Cryptography computes the KCV according to the CMAC specification.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 403

InternalServerException

The request processing has failed because of an unknown error, exception, or failure.

HTTP Status Code: 500

ResourceNotFoundException

The request was denied due to an invalid resource error.

HTTP Status Code: 404

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 429

ValidationException

The request was denied due to an invalid request error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: