:doc:`PaymentCryptographyDataPlane <../../payment-cryptography-data>` / Client / generate_as2805_kek_validation

******************************
generate_as2805_kek_validation
******************************



.. py:method:: PaymentCryptographyDataPlane.Client.generate_as2805_kek_validation(**kwargs)

  

  Establishes node-to-node initialization between payment processing nodes such as an acquirer, issuer or payment network using Australian Standard 2805 (AS2805).

   

  During node-to-node initialization, both communicating nodes must validate that they possess the correct Key Encrypting Keys (KEKs) before proceeding with session key exchange. In AS2805, the sending KEK (KEKs) of one node corresponds to the receiving KEK (KEKr) of its partner node. Each node uses its KEK to encrypt and decrypt session keys exchanged between the nodes. A KEK can be created or imported into Amazon Web Services Payment Cryptography using either the `CreateKey <https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html>`__ or `ImportKey <https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html>`__ operations.

   

  The node initiating communication can use ``GenerateAS2805KekValidation`` to generate a combined KEK validation request and KEK validation response to send to the partnering node for validation. When invoked, the API internally generates a random sending key encrypted under KEKs and provides a receiving key encrypted under KEKr as response. The initiating node sends the response returned by this API to its partner for validation.

   

  For information about valid keys for this operation, see `Understanding key attributes <https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html>`__ and `Key types for specific data operations <https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html>`__ in the *Amazon Web Services Payment Cryptography User Guide*.

   

  **Cross-account use**: This operation can't be used across different Amazon Web Services accounts.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/payment-cryptography-data-2022-02-03/GenerateAs2805KekValidation>`_  


  **Request Syntax**
  ::

    response = client.generate_as2805_kek_validation(
        KeyIdentifier='string',
        KekValidationType={
            'KekValidationRequest': {
                'DeriveKeyAlgorithm': 'TDES_2KEY'|'TDES_3KEY'|'AES_128'|'AES_192'|'AES_256'|'HMAC_SHA256'|'HMAC_SHA384'|'HMAC_SHA512'|'HMAC_SHA224'
            },
            'KekValidationResponse': {
                'RandomKeySend': 'string'
            }
        },
        RandomKeySendVariantMask='VARIANT_MASK_82C0'|'VARIANT_MASK_82'
    )
    
  :type KeyIdentifier: string
  :param KeyIdentifier: **[REQUIRED]** 

    The ``keyARN`` of sending KEK that Amazon Web Services Payment Cryptography uses for node-to-node initialization

    

  
  :type KekValidationType: dict
  :param KekValidationType: **[REQUIRED]** 

    Parameter information for generating a random key for KEK validation to perform node-to-node initialization.

    .. note::    This is a Tagged Union structure. Only one of the     following top level keys can be set: ``KekValidationRequest``, ``KekValidationResponse``. 

  
    - **KekValidationRequest** *(dict) --* 

      Parameter information for generating a KEK validation request during node-to-node initialization.

      

    
      - **DeriveKeyAlgorithm** *(string) --* **[REQUIRED]** 

        The key derivation algorithm to use for generating a KEK validation request.

        

      
    
    - **KekValidationResponse** *(dict) --* 

      Parameter information for generating a KEK validation response during node-to-node initialization.

      

    
      - **RandomKeySend** *(string) --* **[REQUIRED]** 

        The random key for generating a KEK validation response.

        

      
    
  
  :type RandomKeySendVariantMask: string
  :param RandomKeySendVariantMask: **[REQUIRED]** 

    The key variant to use for generating a random key for KEK validation during node-to-node initialization.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'KeyArn': 'string',
          'KeyCheckValue': 'string',
          'RandomKeySend': 'string',
          'RandomKeyReceive': 'string'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **KeyArn** *(string) --* 

        The ``keyARN`` of sending KEK that Amazon Web Services Payment Cryptography validates for node-to-node initialization

        
      

      - **KeyCheckValue** *(string) --* 

        The key check value (KCV) of the sending KEK that Amazon Web Services Payment Cryptography validates for node-to-node initialization.

        
      

      - **RandomKeySend** *(string) --* 

        The random key generated for sending KEK validation.

        
      

      - **RandomKeyReceive** *(string) --* 

        The random key generated for receiving KEK validation. The initiating node sends this key to its partner node for validation.

        
  
  **Exceptions**
  
  *   :py:class:`PaymentCryptographyDataPlane.Client.exceptions.ValidationException`

  
  *   :py:class:`PaymentCryptographyDataPlane.Client.exceptions.AccessDeniedException`

  
  *   :py:class:`PaymentCryptographyDataPlane.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`PaymentCryptographyDataPlane.Client.exceptions.ThrottlingException`

  
  *   :py:class:`PaymentCryptographyDataPlane.Client.exceptions.InternalServerException`

  