

This is a machine-translated version of the English original. Where the content is ambiguous or inconsistent, the English version prevails.

# Create keys
<a name="create-keys"></a>

You create an AWS Payment Cryptography key with the **CreateKey** API operation. When you create a key, you specify its attributes, such as the key algorithm, the key usage, the permitted operations (modes of use), and whether the key is exportable. You cannot change these attributes after the AWS Payment Cryptography key has been created.

**Note**  
If multi-Region key replication is enabled for your AWS account and you create a payment cryptography key, that key automatically becomes a [primary Region key (PRK)](terminology.md#term.prk). The PRK is replicated even if you do not specify the `--replication-regions` parameter in the **CreateKey** command. For more information, see [How multi-Region key replication works](keys-multi-region-replication.md#how-mrr-works).
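Because the attributes set in **CreateKey** are immutable, the place to catch a wrong key usage, an over-broad mode of use or an unintended `Exportable` is before the request is sent, and the place to catch a silent discrepancy is when the response comes back. The following added example (not AWS code) builds the request in the shape boto3's `create_key` takes, checks it against a local least-privilege policy, and compares a response against the request. The `EXPECTED_MODES` table is an assumption distilled from the examples on this page, not the service's own validation rules; `SAMPLE_PEK_RESPONSE` is constructed from the PEK example output below.

```python
"""Pre-flight and post-creation checks for AWS Payment Cryptography CreateKey.

Added example, not AWS code. Key attributes cannot be changed once a key
exists, so the request is validated locally before any API call and the
response is then compared field by field against what was requested.
"""

MODE_FLAGS = ("Encrypt", "Decrypt", "Wrap", "Unwrap", "Generate",
              "Sign", "Verify", "DeriveKey", "NoRestrictions")

# ASSUMPTION: local policy distilled from this page's examples (which modes of
# use each key usage is expected to enable), not the service's own rule set.
EXPECTED_MODES = {
    "TR31_B0_BASE_DERIVATION_KEY": {"DeriveKey", "Verify"},
    "TR31_C0_CARD_VERIFICATION_KEY": {"Generate", "Verify"},
    "TR31_M7_HMAC_KEY": {"Generate", "Verify"},
    "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY": {"Encrypt", "Decrypt", "Wrap", "Unwrap"},
    "TR31_P0_PIN_ENCRYPTION_KEY": {"Encrypt", "Decrypt", "Wrap", "Unwrap"},
    "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION": {"Encrypt", "Decrypt", "Wrap", "Unwrap"},
    "TR31_V2_VISA_PIN_VERIFICATION_KEY": {"Generate", "Verify"},
    "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT": {"DeriveKey"},
}
SYMMETRIC_PREFIXES = ("TDES_", "AES_", "HMAC_")
ASYMMETRIC_PREFIXES = ("RSA_", "ECC_")


def build_request(algorithm, usage, modes, exportable=False, replication_regions=None):
    """Return kwargs for boto3 create_key (parameter names as in the CreateKey API)."""
    key_class = "ASYMMETRIC_KEY_PAIR" if algorithm.startswith(ASYMMETRIC_PREFIXES) else "SYMMETRIC_KEY"
    req = {
        "Exportable": exportable,
        "KeyAttributes": {
            "KeyAlgorithm": algorithm,
            "KeyClass": key_class,
            "KeyUsage": usage,
            "KeyModesOfUse": {flag: (flag in modes) for flag in MODE_FLAGS},
        },
    }
    if replication_regions:
        req["ReplicationRegions"] = list(replication_regions)
    return req


def check_request(req):
    """Return a list of policy findings; an empty list means the request may be sent."""
    findings = []
    attrs = req.get("KeyAttributes", {})
    for field in ("KeyAlgorithm", "KeyClass", "KeyUsage", "KeyModesOfUse"):
        if field not in attrs:
            findings.append(f"missing KeyAttributes.{field}")
    if findings:
        return findings
    alg, cls, usage = attrs["KeyAlgorithm"], attrs["KeyClass"], attrs["KeyUsage"]
    enabled = {flag for flag, on in attrs["KeyModesOfUse"].items() if on}
    if (cls == "SYMMETRIC_KEY") != alg.startswith(SYMMETRIC_PREFIXES):
        findings.append(f"KeyClass {cls} does not match KeyAlgorithm {alg}")
    if "NoRestrictions" in enabled:
        findings.append("NoRestrictions=true grants every mode of use; enable only the modes needed")
    if not enabled:
        findings.append("no mode of use enabled; the key would be unusable")
    allowed = EXPECTED_MODES.get(usage)
    if allowed is None:
        findings.append(f"KeyUsage {usage} is not in the local policy table")
    else:
        extra = enabled - allowed - {"NoRestrictions"}
        if extra:
            findings.append(f"modes {sorted(extra)} are outside policy for {usage}")
    if req.get("Exportable"):
        findings.append("Exportable=true: confirm this key really must leave the HSM under a wrapping key")
    return findings


def verify_response(req, resp):
    """Compare a CreateKey response with the request; return the list of mismatches."""
    key = resp.get("Key", {})
    problems = []
    if key.get("KeyState") != "CREATE_COMPLETE":
        problems.append(f"KeyState is {key.get('KeyState')!r}")
    want, got = req["KeyAttributes"], key.get("KeyAttributes", {})
    for field in ("KeyAlgorithm", "KeyClass", "KeyUsage"):
        if want[field] != got.get(field):
            problems.append(f"{field}: requested {want[field]}, got {got.get(field)}")
    for flag in MODE_FLAGS:
        if want["KeyModesOfUse"].get(flag, False) != got.get("KeyModesOfUse", {}).get(flag, False):
            problems.append(f"KeyModesOfUse.{flag} differs from request")
    if bool(req.get("Exportable")) != bool(key.get("Exportable")):
        problems.append("Exportable differs from request")
    return problems


# Constructed response, modelled on the PEK example output on this page.
SAMPLE_PEK_RESPONSE = {"Key": {
    "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt",
    "KeyAttributes": {
        "KeyAlgorithm": "TDES_3KEY", "KeyClass": "SYMMETRIC_KEY",
        "KeyUsage": "TR31_P0_PIN_ENCRYPTION_KEY",
        "KeyModesOfUse": {"Encrypt": True, "Decrypt": True, "Wrap": True, "Unwrap": True,
                          "Generate": False, "Sign": False, "Verify": False,
                          "DeriveKey": False, "NoRestrictions": False}},
    "KeyCheckValue": "7CC9E2", "KeyCheckValueAlgorithm": "ANSI_X9_24",
    "Exportable": True, "KeyState": "CREATE_COMPLETE"}}

if __name__ == "__main__":
    req = build_request("TDES_3KEY", "TR31_P0_PIN_ENCRYPTION_KEY",
                        {"Encrypt", "Decrypt", "Wrap", "Unwrap"}, exportable=True)
    print("findings:", check_request(req))
    # With credentials configured, send it and check what came back:
    #   resp = boto3.client("payment-cryptography").create_key(**req)
    print("mismatches:", verify_response(req, SAMPLE_PEK_RESPONSE))
```

`check_request` deliberately reports `Exportable=true` as a finding for review rather than an error, since every example on this page uses `--exportable`; `verify_response` is where the B0 example's discrepancy (NoRestrictions requested, specific modes returned) would surface as a list of differing flags.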

**Topics**
+ [Create a 3KEY TDES base derivation key](#3des-deriv-mrr-example)
+ [Create a 2KEY TDES key for CVV/CVV2](#cvvkey-example)
+ [Create an HMAC key](#hmac-example)
+ [Create an AES-256 key](#aes-example)
+ [Create a PIN encryption key (PEK)](#pekkey-example)
+ [Create an asymmetric (RSA) key](#asymmetrickey-example)
+ [Create a PIN verification value (PVV) key](#pvv-example)
+ [Create an asymmetric ECC key](#ECDH-example)

## Create a 3KEY TDES base derivation key
<a name="3des-deriv-mrr-example"></a>

**Example**  
This command creates a 3KEY TDES base derivation key and [replicates](keys-multi-region-replication.md#how-mrr-works) it to the US East (Ohio) and US West (Oregon) Regions. The response includes the request parameters, the Amazon Resource Name (ARN) to use in subsequent calls, and the key check value (KCV).  

```
$ aws payment-cryptography create-key --exportable \
    --key-attributes 'KeyUsage=TR31_B0_BASE_DERIVATION_KEY,KeyClass=SYMMETRIC_KEY,KeyAlgorithm=TDES_3KEY,KeyModesOfUse={NoRestrictions=true}' \
    --replication-regions us-east-2 --region us-west-2
```
Example output:  

```
{
    "Key": {
        "CreateTimestamp": "2022-10-26T16:04:11.642000-07:00",
        "Enabled": true,
        "Exportable": true,
        "KeyArn": "arn:aws:payment-cryptography:us-west-2:111122223333:key/KEY-ID-PLACEHOLDER",
        "KeyAttributes": {
            "KeyAlgorithm": "TDES_3KEY",
            "KeyClass": "SYMMETRIC_KEY",
            "KeyModesOfUse": {
                "Decrypt": false,
                "DeriveKey": true,
                "Encrypt": false,
                "Generate": false,
                "NoRestrictions": false,
                "Sign": false,
                "Unwrap": false,
                "Verify": true,
                "Wrap": false
            },
            "KeyUsage": "TR31_B0_BASE_DERIVATION_KEY"
        },
        "KeyCheckValue": "FE23D3",
        "KeyCheckValueAlgorithm": "ANSI_X9_24",
        "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
        "KeyState": "CREATE_COMPLETE",
        "UsageStartTimestamp": "2022-10-26T16:04:11.559000-07:00"
    }
}
```

## Create a 2KEY TDES key for CVV/CVV2
<a name="cvvkey-example"></a>

**Example**  
This command creates a 2KEY TDES key for generating and verifying CVV/CVV2 values. The response includes the request parameters, the Amazon Resource Name (ARN) to use in subsequent calls, and the key check value (KCV).  

```
$ aws payment-cryptography create-key --exportable \
    --key-attributes 'KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_C0_CARD_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse={Generate=true,Verify=true}'
```
Example output:  

```
{
    "Key": {
        "CreateTimestamp": "2022-10-26T16:04:11.642000-07:00",
        "Enabled": true,
        "Exportable": true,
        "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/7f7g4spf3xcklhzu",
        "KeyAttributes": {
            "KeyAlgorithm": "TDES_2KEY",
            "KeyClass": "SYMMETRIC_KEY",
            "KeyModesOfUse": {
                "Decrypt": false,
                "DeriveKey": false,
                "Encrypt": false,
                "Generate": true,
                "NoRestrictions": false,
                "Sign": false,
                "Unwrap": false,
                "Verify": true,
                "Wrap": false
            },
            "KeyUsage": "TR31_C0_CARD_VERIFICATION_KEY"
        },
        "KeyCheckValue": "AEA5CD",
        "KeyCheckValueAlgorithm": "ANSI_X9_24",
        "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
        "KeyState": "CREATE_COMPLETE",
        "UsageStartTimestamp": "2022-10-26T16:04:11.559000-07:00"
    }
}
```

## Create an HMAC key
<a name="hmac-example"></a>

**Example**  
HMAC keys are used to generate or verify hash-based message authentication codes (HMACs). For an HMAC key, the hash type is assigned when the key is created (for example, HMAC_SHA224 or HMAC_SHA512) and cannot be modified afterwards.  

```
$ aws payment-cryptography create-key --exportable \
    --key-attributes 'KeyAlgorithm=HMAC_SHA512,KeyUsage=TR31_M7_HMAC_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse={Generate=true,Verify=true}'
```
Example output:  

```
{
    "Key": {
        "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/qnobl5lghrzunce6",
        "KeyAttributes": {
            "KeyUsage": "TR31_M7_HMAC_KEY",
            "KeyClass": "SYMMETRIC_KEY",
            "KeyAlgorithm": "HMAC_SHA512",
            "KeyModesOfUse": {
                "Encrypt": false,
                "Decrypt": false,
                "Wrap": false,
                "Unwrap": false,
                "Generate": true,
                "Sign": false,
                "Verify": true,
                "DeriveKey": false,
                "NoRestrictions": false
            }
        },
        "KeyCheckValue": "2976E7",
        "KeyCheckValueAlgorithm": "HMAC",
        "Enabled": true,
        "Exportable": true,
        "KeyState": "CREATE_COMPLETE",
        "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
        "CreateTimestamp": "2025-07-30T10:06:12.142000-07:00",
        "UsageStartTimestamp": "2025-07-30T10:06:12.128000-07:00"
    }
}
```

## Create an AES-256 key
<a name="aes-example"></a>

**Example**  
This command creates an AES-256 symmetric key for encrypting and decrypting data. AES keys provide strong encryption for sensitive data and are commonly used in payment processing to encrypt cardholder data and other sensitive information, although TDES remains more common in issuer use cases such as EMV.  

```
$ aws payment-cryptography create-key --exportable --key-attributes KeyAlgorithm=AES_256,KeyUsage=TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Encrypt=true,Decrypt=true,Wrap=true,Unwrap=true}'
```
Example output:  

```
{
    "Key": {
        "CreateTimestamp": "2025-02-02T10:15:30.142000-08:00",
        "Enabled": true,
        "Exportable": true,
        "KeyArn": "arn:aws:payment-cryptography:us-east-1:111122223333:key/kwapwa6qaifllw2h",
        "KeyAttributes": {
            "KeyAlgorithm": "AES_256",
            "KeyClass": "SYMMETRIC_KEY",
            "KeyModesOfUse": {
                "Decrypt": true,
                "DeriveKey": false,
                "Encrypt": true,
                "Generate": false,
                "NoRestrictions": false,
                "Sign": false,
                "Unwrap": true,
                "Verify": false,
                "Wrap": true
            },
            "KeyUsage": "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY"
        },
        "KeyCheckValue": "2976F5",
        "KeyCheckValueAlgorithm": "CMAC",
        "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
        "KeyState": "CREATE_COMPLETE",
        "UsageStartTimestamp": "2025-02-02T10:15:30.128000-08:00"
    }
}
```

## Create a PIN encryption key (PEK)
<a name="pekkey-example"></a>

**Example**  
This command creates a 3KEY TDES key for encrypting PIN values; a PIN key can also be AES, depending on your interoperability requirements. You can use this key to protect stored PINs or to decrypt PINs during verification, for example within a transaction. The response includes the request parameters, the ARN to use in subsequent calls, and the KCV.  

```
$ aws payment-cryptography create-key --exportable \
    --key-attributes 'KeyAlgorithm=TDES_3KEY,KeyUsage=TR31_P0_PIN_ENCRYPTION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse={Encrypt=true,Decrypt=true,Wrap=true,Unwrap=true}'
```
Example output:  

```
{
    "Key": {
        "CreateTimestamp": "2022-10-27T08:27:51.795000-07:00",
        "Enabled": true,
        "Exportable": true,
        "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt",
        "KeyAttributes": {
            "KeyAlgorithm": "TDES_3KEY",
            "KeyClass": "SYMMETRIC_KEY",
            "KeyModesOfUse": {
                "Decrypt": true,
                "DeriveKey": false,
                "Encrypt": true,
                "Generate": false,
                "NoRestrictions": false,
                "Sign": false,
                "Unwrap": true,
                "Verify": false,
                "Wrap": true
            },
            "KeyUsage": "TR31_P0_PIN_ENCRYPTION_KEY"
        },
        "KeyCheckValue": "7CC9E2",
        "KeyCheckValueAlgorithm": "ANSI_X9_24",
        "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
        "KeyState": "CREATE_COMPLETE",
        "UsageStartTimestamp": "2022-10-27T08:27:51.753000-07:00"
    }
}
```

## Create an asymmetric (RSA) key
<a name="asymmetrickey-example"></a>

**Example**  
This command generates a new asymmetric RSA 2048-bit key pair: a new private key and its matching public key. You can retrieve the public key with the [getPublicCertificate](keys.getpubliccertificate-example.md) API.  

```
$ aws payment-cryptography create-key --exportable \
    --key-attributes 'KeyAlgorithm=RSA_2048,KeyUsage=TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION,KeyClass=ASYMMETRIC_KEY_PAIR,KeyModesOfUse={Encrypt=true,Decrypt=true,Wrap=true,Unwrap=true}'
```
Example output:  

```
{
    "Key": {
        "CreateTimestamp": "2022-11-15T11:15:42.358000-08:00",
        "Enabled": true,
        "Exportable": true,
        "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/nsq2i3mbg6sn775f",
        "KeyAttributes": {
            "KeyAlgorithm": "RSA_2048",
            "KeyClass": "ASYMMETRIC_KEY_PAIR",
            "KeyModesOfUse": {
                "Decrypt": true,
                "DeriveKey": false,
                "Encrypt": true,
                "Generate": false,
                "NoRestrictions": false,
                "Sign": false,
                "Unwrap": true,
                "Verify": false,
                "Wrap": true
            },
            "KeyUsage": "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION"
        },
        "KeyCheckValue": "40AD487F",
        "KeyCheckValueAlgorithm": "SHA-1",
        "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
        "KeyState": "CREATE_COMPLETE",
        "UsageStartTimestamp": "2022-11-15T11:15:42.182000-08:00"
    }
}
```

## Create a PIN verification value (PVV) key
<a name="pvv-example"></a>

**Example**  
This command creates a 3KEY TDES key for generating PVV values. You can use this key to generate a PVV that is later compared with a freshly calculated PVV during verification. The response includes the request parameters, the ARN to use in subsequent calls, and the KCV.  

```
$ aws payment-cryptography create-key --exportable \
    --key-attributes 'KeyAlgorithm=TDES_3KEY,KeyUsage=TR31_V2_VISA_PIN_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse={Generate=true,Verify=true}'
```
Example output:  

```
{
    "Key": {
        "CreateTimestamp": "2022-10-27T10:22:59.668000-07:00",
        "Enabled": true,
        "Exportable": true,
        "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2",
        "KeyAttributes": {
            "KeyAlgorithm": "TDES_3KEY",
            "KeyClass": "SYMMETRIC_KEY",
            "KeyModesOfUse": {
                "Decrypt": false,
                "DeriveKey": false,
                "Encrypt": false,
                "Generate": true,
                "NoRestrictions": false,
                "Sign": false,
                "Unwrap": false,
                "Verify": true,
                "Wrap": false
            },
            "KeyUsage": "TR31_V2_VISA_PIN_VERIFICATION_KEY"
        },
        "KeyCheckValue": "7F2363",
        "KeyCheckValueAlgorithm": "ANSI_X9_24",
        "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
        "KeyState": "CREATE_COMPLETE",
        "UsageStartTimestamp": "2022-10-27T10:22:59.614000-07:00"
    }
}
```

## Create an asymmetric ECC key
<a name="ECDH-example"></a>

**Example**  
This command generates an ECC key pair for establishing an ECDH (Elliptic Curve Diffie-Hellman) key agreement between two parties. With ECDH, each party generates its own ECC key pair with key usage K3 and mode of use X, and the parties exchange their public keys. Each party then uses its own private key and the received public key to establish a shared derived key.  
To maintain the single-purpose principle for cryptographic keys in payments, we recommend that you do not reuse an ECC key pair for multiple purposes, such as both ECDH key derivation and signing.  

```
$ aws payment-cryptography create-key --exportable \
    --key-attributes 'KeyAlgorithm=ECC_NIST_P256,KeyUsage=TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT,KeyClass=ASYMMETRIC_KEY_PAIR,KeyModesOfUse={DeriveKey=true}'
```
Example output:  

```
{
    "Key": {
        "CreateTimestamp": "2024-10-17T01:31:55.908000+00:00",
        "Enabled": true,
        "Exportable": true,
        "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/wc3rjsssguhxtilv",
        "KeyAttributes": {
            "KeyAlgorithm": "ECC_NIST_P256",
            "KeyClass": "ASYMMETRIC_KEY_PAIR",
            "KeyModesOfUse": {
                "Decrypt": false,
                "DeriveKey": true,
                "Encrypt": false,
                "Generate": false,
                "NoRestrictions": false,
                "Sign": false,
                "Unwrap": false,
                "Verify": false,
                "Wrap": false
            },
            "KeyUsage": "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT"
        },
        "KeyCheckValue": "7E34F19F",
        "KeyCheckValueAlgorithm": "SHA-1",
        "KeyOrigin": "AWS_PAYMENT_CRYPTOGRAPHY",
        "KeyState": "CREATE_COMPLETE",
        "UsageStartTimestamp": "2024-10-17T01:31:55.866000+00:00"
    }
}
```
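The ECC key section above describes the exchange but the service performs it inside its HSM, so the private half of a K3 key is never visible. The following added example (not AWS code) walks through the same ECDH agreement on NIST P-256 in plain Python with both parties in one process: each side generates a key pair, sends its public key in SEC1 uncompressed form, validates the key it receives as a genuine curve point before using it, and computes the shared point. The curve constants are the published FIPS 186-4 P-256 parameters; the final step, SHA-256 over the shared x-coordinate, is an assumed placeholder KDF, not the service's derivation, and the scalar multiplication is not constant-time.

```python
"""Worked ECDH exchange on NIST P-256 (added example, not AWS code).

The service performs this agreement inside its HSM with a K3 key; here both
parties run locally so the exchange can be followed end to end. The KDF at the
end is an assumption for illustration only.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4): y^2 = x^3 + A*x + B over GF(P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # the point at infinity (group identity)


def on_curve(pt):
    """True if pt is INF or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition, covering doubling and the inverse-pair case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication by double-and-add (not constant-time; illustration only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def generate_keypair(private=None):
    """Return (d, Q): a private scalar in [1, N-1] and its public point. `private` is for tests."""
    d = private if private is not None else secrets.randbelow(N - 1) + 1
    return d, mul(d, G)


def encode_public(pt):
    """SEC1 uncompressed encoding 0x04 || X || Y: the message each party sends."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def decode_public(data):
    """Parse a received public key and reject anything that is not a valid curve point."""
    if len(data) != 65 or data[0] != 4:
        raise ValueError("expected a 65-byte uncompressed P-256 point")
    pt = (int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:], "big"))
    if pt[0] >= P or pt[1] >= P or not on_curve(pt):
        raise ValueError("public key is not a point on P-256")
    return pt


def derive_shared_key(private, peer_public_bytes):
    """ECDH: own private scalar times the peer's validated public point, then a placeholder KDF."""
    shared = mul(private, decode_public(peer_public_bytes))
    if shared is INF:
        raise ValueError("degenerate shared point")
    # ASSUMED KDF for illustration; the service derives keys inside the HSM.
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


if __name__ == "__main__":
    d_a, q_a = generate_keypair()  # party A's K3-style key pair
    d_b, q_b = generate_keypair()  # party B's K3-style key pair
    msg_a, msg_b = encode_public(q_a), encode_public(q_b)  # the exchanged public keys
    k_a = derive_shared_key(d_a, msg_b)
    k_b = derive_shared_key(d_b, msg_a)
    print("shared key agrees:", k_a == k_b, k_a.hex())
```

The point-validation step in `decode_public` is the part worth keeping in mind when a peer's public key arrives over a network: a value that is not on the curve must be rejected before it is multiplied by a private scalar. The single-purpose recommendation above is reflected in the code only by omission, since this key pair does nothing but derive.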