Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Getting Error while importing 3DES 128bit key in aws payment cryptography

0

We have a specific requirement to store our 3DES 128bit key in AWS Payment Cryptography. Im using NodeJS SDK to do the needful, but getting validation error.

ERROR: ValidationException: KeyBlock data in the imported payload is invalid. So, there are 3steps of implementation: 1. Get RSA public key. 2. Wrap my 3DES 128 bit key that I have. 3. Import the key in aws payment cryptography.

Error I'm getting is might be because of Step:2, I might be making some mistake in wrapping my key. I didn't get any help anywhere other than aws document only. I'm attaching documents that Im referring which might be useful.

Documentation that I'm referring to : https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/payment-cryptography/command/ImportKeyCommand/

Any help will be most appreciated!!!!! THANK YOU!!!!

Code that I'm using to import key:

import { PaymentCryptographyClient, GetParametersForImportCommand, ImportKeyCommand } from "@aws-sdk/client-payment-cryptography";
import crypto, { publicEncrypt} from "crypto"; // To wrap the key

const client = new PaymentCryptographyClient({
    region: "ap-southeast-1", credentials: {
        accessKeyId: "", // replace with your AWS Access Key ID
        secretAccessKey: "" // replace with your AWS Secret Access Key
    }
});

async function import3DESKey() {
    try {
        // Step 1: Get import parameters
        const getParamsInput = {
            KeyMaterialType: "KEY_CRYPTOGRAM",
            WrappingKeyAlgorithm: "RSA_2048" // Ensure this matches the actual wrapping algorithm
        };
        const getParamsCommand = new GetParametersForImportCommand(getParamsInput);
        const getParamsResponse = await client.send(getParamsCommand);
        console.log({ getParamsResponse });
        
        const { ImportToken, WrappingKeyCertificate } = getParamsResponse;

        // Step 2: Prepare key wrapping
        const threeDESKey = Buffer.from("404142434445464748494A4B4C4D4E4F", "hex");

        // Decode the wrapping key certificate
        const wrappingCertPem = Buffer.from(WrappingKeyCertificate, "base64").toString("utf8");

        // Wrap the 3DES key using the RSA public key from the certificate
        const wrappedKey = publicEncrypt({
            key: wrappingCertPem,
            // padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,// Double-check if OAEP or PKCS1 padding is expected by AWS
            padding: crypto.constants.RSA_PKCS1_PADDING,// Double-check if OAEP or PKCS1 padding is expected by AWS
        }, threeDESKey);

        // Convert wrapped key to base64 format (AWS often expects base64)
        // const wrappedKeyBase64 = wrappedKey.toString("base64");

        // // Convert wrapped key to hex format
        const wrappedKeyHex = wrappedKey.toString("hex").toUpperCase();
       

        // Step 3: Import the wrapped key
        const importKeyInput = {
            KeyMaterial: {
                KeyCryptogram: {
                    KeyAttributes: {
                        KeyUsage: "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY",
                        KeyClass: "SYMMETRIC_KEY",
                        KeyAlgorithm: "TDES_2KEY",
                        KeyModesOfUse: {
                            NoRestrictions:true
                        },
                    },
                    Exportable: false, // Depending on your requirement
                    // WrappedKeyCryptogram: wrappedKeyBase64, // Hex format of the wrapped key
                    WrappedKeyCryptogram: wrappedKeyHex, // Hex format of the wrapped key
                    ImportToken: ImportToken,
                },
            },
            KeyCheckValueAlgorithm: "ANSI_X9_24", // Typically used for 3DES
            Enabled: true,
        };

        const importKeyCommand = new ImportKeyCommand(importKeyInput);
        const response = await client.send(importKeyCommand);
        console.log("Imported Key ARN:", response.Key.KeyArn);

    } catch (error) {
        console.error("Error importing key:", error);
    }
}

import3DESKey();
Topics
Financial ServicesSecurity, Identity, & Compliance
Tags
AWS Payment Cryptography
Language
English
asked a year ago302 views
2 Answers
0

It sounds like you're having trouble with importing your 3DES key into AWS Payment Cryptography due to a validation error related to key wrapping. The issue could be with how you're handling the RSA public key certificate or the format of the wrapped key.

Make sure the RSA certificate you're using is in the correct PEM format and that you're applying the right padding scheme—AWS documentation should confirm whether PKCS1 or OAEP is needed. You might also want to try converting the wrapped key to base64, as this is often the format expected by AWS services.

Double-check your key attributes to ensure they align with what AWS expects for 3DES keys. If these adjustments don't resolve the issue, you might want to consult the AWS documentation again or reach out to AWS support for more specific guidance.

EXPERT
answered a year ago
0

Triple DES isn't considered secure for any use nowadays, but its keys are 168 bits long, not 128. The dummy key in your code contains 128 bits, so it isn't a valid triple DES key.

EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content