Initial Key (KEK) exchange
In AS2805, each side has its own KEK. KEK(s) refers to the sending side's key: the key that side uses whenever it needs to protect (wrap) keys and send them to node2. KEK(r) is the key created by the opposite side (node2).
Note: These terms are relative. One side creates a key (the sending side) and the other side receives it. So given KEY1, it is referred to on node1 as KEK(s) and on node2 as KEK(r).
KEKs for AS2805 always have key type TR31_K0_KEY_ENCRYPTION_KEY, as they are used to protect cryptograms rather than key blocks. This maps to TERMINAL_MAJOR_KEY_VARIANT_00 as defined in AS2805 6.1.
Steps:

1. Create a key

   Create a key using the CreateKey API. The key you create is of type TR31_K0_KEY_ENCRYPTION_KEY.

2. Determine the method to exchange keys with node2

   Determine how to exchange the KEK with the counterparty. For AS2805, the most common and interoperable method is RSA Wrap.

3. Export KEK(s)

   Based on your selection above, you will receive a public key certificate from node2. Run export using that certificate to protect the key (or to derive a key, if using ECDH).

4. Import KEK(r)

   Based on your selection above, you will send a public key certificate to node2. Run import using that certificate to load the KEK created by node2 into the service as your KEK(r).
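The four steps above modelled end to end, as an added example that is not code from this page or from the service it describes, written against the Go standard library. Assumptions: RSA-OAEP with SHA-256 stands in for the service's RSA Wrap mechanism, a random 16-byte value stands in for the key material CreateKey would hold, certificates are reduced to the RSA public key they carry, and the ECDH option is not shown.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Node is one AS2805 party. KEKs is the KEK it created (its KEK(s)); KEKr is
// the KEK it unwrapped from its counterparty (its KEK(r)).
type Node struct {
	priv       *rsa.PrivateKey
	KEKs, KEKr []byte
}
// NewNode performs step 1. Sixteen random bytes stand in for the key material
// that CreateKey would hold inside the service (constructed for this example).
func NewNode() (*Node, error) {
	kek := make([]byte, 16)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Node{priv: priv, KEKs: kek}, err
}
// ExportKEK performs step 3: wrap KEK(s) under the public key taken from the
// counterparty's certificate. RSA-OAEP with SHA-256 stands in for RSA Wrap.
func (n *Node) ExportKEK(peer *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, n.KEKs, nil)
}
// ImportKEK performs step 4: unwrap with our own private key; the plaintext
// is stored as this node's KEK(r) (nil if unwrapping fails).
func (n *Node) ImportKEK(wrapped []byte) (err error) {
	n.KEKr, err = rsa.DecryptOAEP(sha256.New(), nil, n.priv, wrapped, nil)
	return err
}
// Exchange runs steps 3 and 4 in both directions, so node1's KEK(s) becomes
// node2's KEK(r) and vice versa. Certificates themselves are not modelled.
func Exchange(node1, node2 *Node) error {
	for _, p := range [][2]*Node{{node1, node2}, {node2, node1}} {
		wrapped, err := p[0].ExportKEK(&p[1].priv.PublicKey)
		if err != nil {
			return err
		}
		if err := p[1].ImportKEK(wrapped); err != nil {
			return err
		}
	}
	return nil
}
```

After Exchange, the KEK(s) of either node is byte-for-byte the KEK(r) of the other, which is the relative naming the note above describes.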