Encryption

All server-to-server data should be encrypted using AES-256-CBC with HMAC. The pseudocode for encryption is given below:

Input: plain_text
Input: api_secret
iv = generated random 16 byte
enc_text = Encrypt plain_text Using AES-256-CBC, api_secret & iv
b_iv = Base64 Encode iv
concat_string = b_iv + enc_text [Concat string]
mac = Generate SHA256 Hash of concat_string using api_secret [HMAC]
data_array = array of iv, enc_text, mac
json_string = Convert data_array into Json String
final_encrypted_text = Base64 Encode json_string

PHP Example

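function encrypt($text, $key) {
    // Fresh random 16-byte IV for every message
    $iv = random_bytes(16);
    // With options = 0, openssl_encrypt() returns Base64-encoded ciphertext
    $value = openssl_encrypt(serialize($text), 'AES-256-CBC', $key, 0, $iv);
    if ($value === false) {
        throw new RuntimeException('Encryption failed');
    }
    $bIv = base64_encode($iv);
    // HMAC-SHA256 over base64(iv) . ciphertext, keyed with the API secret
    $mac = hash_hmac('sha256', $bIv.$value, $key);
    $c_arr = ['iv' => $bIv, 'value' => $value, 'mac' => $mac];
    $json = json_encode($c_arr);
    $crypted = base64_encode($json);
    return $crypted;
}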

Encryption should be done using the API Secret Key.

Note: Do not transfer or send the API Secret Key in any request. Do not share the API Secret Key with anyone for security reasons.
