DecryptData - AWS Payment Cryptography Data Plane
Request SyntaxURI Request ParametersRequest BodyResponse SyntaxResponse ElementsErrorsSee Also

DecryptData

Decrypts ciphertext data to plaintext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Decrypt data in the AWS Payment Cryptography User Guide.

You can use an decryption key generated within AWS Payment Cryptography, or you can import your own decryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Decrypt. In asymmetric decryption, AWS Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of AWS Payment Cryptography, you can export the public component of the asymmetric key pair by calling GetPublicCertificate.

This operation also supports dynamic keys, allowing you to pass a dynamic decryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into AWS Payment Cryptography. To decrypt using dynamic keys, the keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped decryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see Using Dynamic Keys in the AWS Payment Cryptography User Guide.

For symmetric and DUKPT decryption, AWS Payment Cryptography supports TDES and AES algorithms. For EMV decryption, AWS Payment Cryptography supports TDES algorithms. For asymmetric decryption, AWS Payment Cryptography supports RSA.

When you use TDES or TDES DUKPT, the ciphertext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the ciphertext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the AWS Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different AWS accounts.

Related operations:

Request Syntax

POST /keys/KeyIdentifier/decrypt HTTP/1.1
Content-type: application/json

{
   "CipherText": "string",
   "DecryptionAttributes": { ... },
   "WrappedKey": { 
      "KeyCheckValueAlgorithm": "string",
      "WrappedKeyMaterial": { ... }
   }
}

URI Request Parameters

The request uses the following URI parameters.

KeyIdentifier

The keyARN of the encryption key that AWS Payment Cryptography uses for ciphertext decryption.

When a WrappedKeyBlock is provided, this value will be the identifier to the key wrapping key. Otherwise, it is the key identifier used to perform the operation.

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

Request Body

The request accepts the following data in JSON format.

CipherText

The ciphertext to decrypt.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 4096.

Pattern: (?:[0-9a-fA-F][0-9a-fA-F])+

Required: Yes

DecryptionAttributes

The encryption key type and attributes for ciphertext decryption.

Type: EncryptionDecryptionAttributes object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

WrappedKey

The WrappedKeyBlock containing the encryption key for ciphertext decryption.

Type: WrappedKey object

Required: No

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "KeyArn": "string",
   "KeyCheckValue": "string",
   "PlainText": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

KeyArn

The keyARN of the encryption key that AWS Payment Cryptography uses for ciphertext decryption.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

KeyCheckValue

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

AWS Payment Cryptography computes the KCV according to the CMAC specification.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

PlainText

The decrypted plaintext data in hexBinary format.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 4096.

Pattern: (?:[0-9a-fA-F][0-9a-fA-F])+

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 403

InternalServerException

The request processing has failed because of an unknown error, exception, or failure.

HTTP Status Code: 500

ResourceNotFoundException

The request was denied due to an invalid resource error.

HTTP Status Code: 404

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 429

ValidationException

The request was denied due to an invalid request error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: