Encryption
All server to server data should be encrypted using AES-256-CBC with HMAC. Pseudo Code for encryption is explained below:
Input: plain_text Input: api_secret iv=generated random 16 byte enc_text=Encrypt plain_text Using AES-256-CBC,
api_secret & iv b_iv=Base64 Encode iv concat_string=b_iv + enc_text [Concat string] mac=Generate SHA256 Hash of concat_string using api_secret [HMAC] data_array=array of iv,
enc_text,
mac json_string=Convert data_array into Json String final_encrypted_text=Base64 Encode json_string
function encrypt($text, $key) {
$iv = random_bytes(16);
$value = openssl_encrypt(serialize($text), 'AES-256-CBC', $key, 0, $iv);
$bIv = base64_encode($iv);
$mac = hash_hmac('sha256', $bIv.$value, $key);
$c_arr = ['iv' => $bIv, 'value' => $value, 'mac' => $mac];
$json = json_encode($c_arr);
$crypted = base64_encode($json);
return $crypted;
}
Encryption should be done using the API Secret Key.
Note: Do not transfer or send this API Secret Key in any request. Do not share API Secret Key with anyone for security reasons.
Last modified 3yr ago