本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
產生金鑰
您可以使用 CreateKey API Word操作建立 AWS 付款密碼編譯金鑰。在此過程中,您將指定金鑰或結果輸出的各種屬性,例如金鑰演算法 (例如 TDES_3KEY)、 KeyUsage (例如 TR31_P0_PIN_ENCRYPTION_KEY)、允許的操作 (例如加密、簽署),以及是否可匯出。建立 AWS 付款密碼編譯金鑰後,您無法變更這些屬性。
產生 2KEY TDES 金鑰
此命令會產生 2KEY TDES 金鑰,用於產生和驗證 CVV/CVV2 值。回應會回傳請求參數,包括用於後續呼叫的 ARN 以及 KCV (金鑰檢查值)。
$aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=TDES_2KEY,\ KeyUsage=TR31_C0_CARD_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY, \ KeyModesOfUse='{Generate=true,Verify=true}'
{ "Key": { "CreateTimestamp": "2022-10-26T16:04:11.642000-07:00", "Enabled": true, "Exportable": true, "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/hjprdg5o4jtgs5tw", "KeyAttributes": { "KeyAlgorithm": "TDES_2KEY", "KeyClass": "SYMMETRIC_KEY", "KeyModesOfUse": { "Decrypt": false, "DeriveKey": false, "Encrypt": false, "Generate": true, "NoRestrictions": false, "Sign": false, "Unwrap": false, "Verify": true, "Wrap": false }, "KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY" }, "KeyCheckValue": "B72F", "KeyCheckValueAlgorithm": "ANSI_X9_24", "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY", "KeyState": "CREATE_COMPLETE", "UsageStartTimestamp": "2022-10-26T16:04:11.559000-07:00" } }
產生 Pin 加密金鑰
範例 產生 Pin 加密金鑰 (PEK)
此命令會產生 3KEY TDES 金鑰,用於加密 PIN 值 (稱為 Pin 加密金鑰)。此金鑰可用於保護儲存 PINs 的安全,或在驗證嘗試期間提供的 PINs 解密,例如交易期間。回應會回傳請求參數,包括用於後續呼叫的 ARN 以及 KCV (金鑰檢查值)。
$aws payment-cryptography create-key --exportable --key-attributes \ KeyAlgorithm=TDES_3KEY,KeyUsage=TR31_P0_PIN_ENCRYPTION_KEY, \ KeyClass=SYMMETRIC_KEY,/ KeyModesOfUse='{Encrypt=true,Decrypt=true,Wrap=true,Unwrap=true}'
{ "Key": { "CreateTimestamp": "2022-10-27T08:27:51.795000-07:00", "Enabled": true, "Exportable": true, "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/kwapwa6qaifllw2h", "KeyAttributes": { "KeyAlgorithm": "TDES_3KEY", "KeyClass": "SYMMETRIC_KEY", "KeyModesOfUse": { "Decrypt": true, "DeriveKey": false, "Encrypt": true, "Generate": false, "NoRestrictions": false, "Sign": false, "Unwrap": true, "Verify": false, "Wrap": true }, "KeyUsage": "TR31_P0_PIN_ENCRYPTION_KEY" }, "KeyCheckValue": "9CA6", "KeyCheckValueAlgorithm": "ANSI_X9_24", "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY", "KeyState": "CREATE_COMPLETE", "UsageStartTimestamp": "2022-10-27T08:27:51.753000-07:00" } }
建立非對稱 (RSA) 金鑰
在此範例中,我們將產生新的非對稱 RSA 2048 位元金鑰對。將產生新的私有金鑰以及相符的公有金鑰。您可以使用 getPublicCertificate 擷取公有金鑰API。
$aws payment-cryptography create-key --exportable \ --key-attributes KeyAlgorithm=RSA_2048,KeyUsage=TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, \ KeyClass=ASYMMETRIC_KEY_PAIR,KeyModesOfUse='{Encrypt=true, Decrypt=True,Wrap=True,Unwrap=True}'
{ "Key": { "CreateTimestamp": "2022-11-15T11:15:42.358000-08:00", "Enabled": true, "Exportable": true, "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/nsq2i3mbg6sn775f", "KeyAttributes": { "KeyAlgorithm": "RSA_2048", "KeyClass": "ASYMMETRIC_KEY_PAIR", "KeyModesOfUse": { "Decrypt": true, "DeriveKey": false, "Encrypt": true, "Generate": false, "NoRestrictions": false, "Sign": false, "Unwrap": true, "Verify": false, "Wrap": true }, "KeyUsage": "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION" }, "KeyCheckValue": "40AD487F", "KeyCheckValueAlgorithm": "CMAC", "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY", "KeyState": "CREATE_COMPLETE", "UsageStartTimestamp": "2022-11-15T11:15:42.182000-08:00" } }
產生 PIN 驗證值 (PVV) 金鑰
此命令會產生 3KEY TDES 金鑰,用於產生 PVV 值 (稱為 Pin 驗證值)。您可以使用此金鑰產生 PVV 值,以便與後續計算的 PVV 進行比較。回應會回傳請求參數,包括用於後續呼叫的 ARN 以及 KCV (金鑰檢查值)。
$aws payment-cryptography create-key --exportable/ --key-attributes KeyAlgorithm=TDES_3KEY,KeyUsage=TR31_V2_VISA_PIN_VERIFICATION_KEY,/ KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}'
{ "Key": { "CreateTimestamp": "2022-10-27T10:22:59.668000-07:00", "Enabled": true, "Exportable": true, "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/j4u4cmnzkelhc6yb", "KeyAttributes": { "KeyAlgorithm": "TDES_3KEY", "KeyClass": "SYMMETRIC_KEY", "KeyModesOfUse": { "Decrypt": false, "DeriveKey": false, "Encrypt": false, "Generate": true, "NoRestrictions": false, "Sign": false, "Unwrap": false, "Verify": true, "Wrap": false }, "KeyUsage": "TR31_V2_VISA_PIN_VERIFICATION_KEY" }, "KeyCheckValue": "5132", "KeyCheckValueAlgorithm": "ANSI_X9_24", "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY", "KeyState": "CREATE_COMPLETE", "UsageStartTimestamp": "2022-10-27T10:22:59.614000-07:00" } }
產生非對稱 ECC 金鑰
此命令會產生 ECC 金鑰對,目的是透過從公有私有金鑰對中取得共用金鑰,在兩方之間建立 ECDH (Elliptic Curve Diffie-Hellman) 金鑰協議。使用 ECDH 時,各方都會產生自己的 ECC 金鑰對,其中包含金鑰用途 K3 和使用模式 X,並交換公有金鑰。雙方接著會使用其私有金鑰和收到的公有金鑰來建立共用衍生金鑰。
為了維持付款中密碼編譯金鑰的單次使用原則,建議不要重複使用 ECC 金鑰對進行多種用途,例如 ECDH 金鑰衍生和簽署。
$aws payment-cryptography create-key --exportable/ --key-attributes KeyAlgorithm=ECC_NIST_P256,KeyUsage=TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT,/ KeyClass=ASYMMETRIC_KEY_PAIR,KeyModesOfUse='{DeriveKey=true}'
{ "Key": { "CreateTimestamp": "2024-10-17T01:31:55.908000+00:00", "Enabled": true, "Exportable": true, "KeyArn": "arn:aws:payment-cryptography:us-west-2:075556953750:key/xzydvquw6ejfxnwq", "KeyAttributes": { "KeyAlgorithm": "ECC_NIST_P256", "KeyClass": "ASYMMETRIC_KEY_PAIR", "KeyModesOfUse": { "Decrypt": false, "DeriveKey": true, "Encrypt": false, "Generate": false, "NoRestrictions": false, "Sign": false, "Unwrap": false, "Verify": false, "Wrap": false }, "KeyUsage": "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT" }, "KeyCheckValue": "7E34F19F", "KeyCheckValueAlgorithm": "CMAC", "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY", "KeyState": "CREATE_COMPLETE", "UsageStartTimestamp": "2024-10-17T01:31:55.866000+00:00" } }
