1e41f4b71Sopenharmony_ci# HUKS Changelog 2e41f4b71Sopenharmony_ci 3e41f4b71Sopenharmony_ciOpenHarmony 4.0.6.1 has the following changes. 4e41f4b71Sopenharmony_ci 5e41f4b71Sopenharmony_ci## cl.huks.1 Change of the Permission for Using attestKeyItem 6e41f4b71Sopenharmony_ci 7e41f4b71Sopenharmony_ciThe **attestKeyItem** interface attests a key using a public key encapsulated based on the device certificate chain. Any arbitrary export of the device certificate increases the risks on user privacy. Therefore, certain permissions are required for using this interface. 8e41f4b71Sopenharmony_ci 9e41f4b71Sopenharmony_ci**Change Impact** 10e41f4b71Sopenharmony_ci 11e41f4b71Sopenharmony_ciApplications without the **ohos.permission.ACCESS_IDS** permission or the system_basic or system_core permission cannot call **attestKeyItem()**. 12e41f4b71Sopenharmony_ci 13e41f4b71Sopenharmony_ci**Key API/Component Changes** 14e41f4b71Sopenharmony_ci 15e41f4b71Sopenharmony_ci- Involved APIs: 16e41f4b71Sopenharmony_ci 17e41f4b71Sopenharmony_ci attestKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult\>): void; 18e41f4b71Sopenharmony_ci attestKeyItem(keyAlias: string, options: HuksOptions): Promise\<HuksReturnResult\>; 19e41f4b71Sopenharmony_ci 20e41f4b71Sopenharmony_ci- Before change: 21e41f4b71Sopenharmony_ci 22e41f4b71Sopenharmony_ci The AccessToken permission is verified only for the applications that pass in a tag related to **ATTESTATION_ID**. 23e41f4b71Sopenharmony_ci 24e41f4b71Sopenharmony_ci 25e41f4b71Sopenharmony_ci- After change: 26e41f4b71Sopenharmony_ci 27e41f4b71Sopenharmony_ci **attestKeyItem()** can be called only by a system application with the system_basic or system_core permission or an application with the **ohos.permission.ACCESS_IDS** permission. 28e41f4b71Sopenharmony_ci 29e41f4b71Sopenharmony_ci**Adaptation Guide** 30e41f4b71Sopenharmony_ci 31e41f4b71Sopenharmony_ciApplications with the system_basic or system_core permission can call **attestKeyItem()**. If an application with the normal permission needs to call **attestKeyItem()**, it must have the **ohos.permission.ACCESS_IDS** permission. For details about how to apply for the permission, see [ACL](../../../application-dev/security/accesstoken-overview.md#acl). 32e41f4b71Sopenharmony_ci 33e41f4b71Sopenharmony_ci## cl.huks.2 Resolved the Issues in Storage or Export of Derived or Agreed Keys 34e41f4b71Sopenharmony_ci 35e41f4b71Sopenharmony_ciBefore the change, the HUKS supports storage and export of derived keys and agreed keys, which poses security risks. 36e41f4b71Sopenharmony_ci 37e41f4b71Sopenharmony_ciAfter the change, the application needs to pass in **HuksKeyStorageType** for key derivation or key agreement. Only storage or export is allowed at a time. If this parameter is not passed in, both storage and export are supported by default, which poses security risks and is not recommended. 38e41f4b71Sopenharmony_ci 39e41f4b71Sopenharmony_ci**Change Impact** 40e41f4b71Sopenharmony_ci 41e41f4b71Sopenharmony_ciBehaviors of released JavaScript APIs have been changed. 42e41f4b71Sopenharmony_ci 43e41f4b71Sopenharmony_ci**Key API/Component Changes** 44e41f4b71Sopenharmony_ci 45e41f4b71Sopenharmony_ciReleased JavaScript APIs remain unchanged, but the parameter set passed to the APIs are changed. 46e41f4b71Sopenharmony_ci 47e41f4b71Sopenharmony_ci**Adaptation Guide** 48e41f4b71Sopenharmony_ci 49e41f4b71Sopenharmony_ciFor more information, see [HUKS Development](../../../application-dev/security/huks-guidelines.md) and [HUKS](../../../application-dev/reference/apis/js-apis-huks.md). 50