Payload encryption - MLE
In order to enhance the security level of sensitive CHD information Cardtokens requires private-/public key RSA encryption of the payload to and from Cardtokens. This is also called Message Level Encryption (MLE). The payload is encrypted in the following scenarios:
- When request payload is transmitted from the client to Cardtokens
- When response is received from Cardtokens to the client.
- When notifications are transmitted from Cardtokens to the client.
That means that all communication from the client to Cardtokens must be encrypted using a public key issued by Cardtokens. The content can then be decrypted by Cardtokens using the private key.
That also means that all communications from Cardtokens to the client is encrypted using a public key issued by the client, which can be decrypted by the private key generated.
Generation of the keys
To generate a RSA private and public key openssl can be used by the following commands.
Create private key for communication from Cardtokens to the client
This private key is used to decrypt data received from Cardtokens.
openssl genrsa -out private-key.pem 4096
Create public key for communication from Cardtokens to the client
This public key must be sent to Cardtokens, which will encrypt all data transmitted to the client using this public key.
openssl rsa -in private-key.pem -pubout -out public-key.pem
Encryption algorithm
The payload is encrypted using RSA and the padding scheme from PKCS #1 v1.5
Response formatting
The complete response when receiving encrypted data from Cardtokens is formatted as JSON. The encrypted data is placed in the parameter named “encdata”. The parameter contains the encrypted JSON response base64 formatted. That means the encdata parameter must be base64 decoded before decryption is made.
Encrypt example
In order to encrypt a file using the public key, which can be decrypted using the private key:
openssl rsautl -encrypt -inkey public-key.pem -pubin -in plain-text.txt -out encrypted-content.enc
Steps for encrypting
- Transform the JSON object to a JSON string
- Encrypt the JSON string using the public key
- Encode the binary encrypted string to base64
- Create a new JSON object with a single root attribute only named “encdata”
- Set the value to encdata to the base64 encoded string, which contains the encrypted payload.
- Send the JSON request to Cardtokens.
Decrypt example
If the encdata is base64 decoded and stored in a fiale named encrypteddata.bin, the data is decrypted using the private key pem formatted as:
openssl rsautl -decrypt -inkey private-key.pem -in encrypteddata.bin
Steps for decrypting
- Past the JSON payload
- Locate the parameter named “encdata” in the response / payload.
- Base64 decode the encdata parameter value.
- Decrypt the base64 decoded data using the private key
- Parse the decrypted JSON data
- Process the decrypted parameters.
Example encrypted payload
The example below shows how the JSON request is formatted using the encrypted payload:
{
"encdata":"TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZWxpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGl
uY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3RydWQgZXh
lcmNpdGF0aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFsaXF1aXAgZXggZWEgY29tbW9kbyBjb25zZXF1YXQuIER1aXMgYXV0ZSBpcnVyZSBkb2x
vciBpbiByZXByZWhlbmRlcml0IGluIHZvbHVwdGF0ZSB2ZWxpdCBlc3NlIGNpbGx1bSBkb2xvcmUgZXUgZnVnaWF0IG51bGxhIHBhcmlhdHVyLiBFeGN
lcHRldXIgc2ludCBvY2NhZWNhdCBjdXBpZGF0YXQgbm9uIHByb2lkZW50LCBzdW50IGluIGN1bHBhIHF1aSBvZmZpY2lhIGRlc2VydW50IG1vbGxpdCB
hbmltIGlkIGVzdCBsYWJvcnVtLg=="
}
Example of decrypted payload
The example below shows what the encrypted payload looks like when the encdata value is decrypted.
{
"pan": "4571233011221122",
"expmonth": "01",
"expyear": "2096",
"merchantid": "361ec97b904d406d90d2df47e2f5f955"
}
Key exchange
The public RSA key is handed over to Cardtokens by secure transmission using PGP. Send the key encrypted to CTO: thomas@cardtokens.io.
The public key needs to be encrypted using the following PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: User-ID: Thomas Knudsen thomas@cardtokens.io
Comment: Created: 21/09/2022 09.19
Comment: Expires: 21/09/2024 12.00
Comment: Type: 255-bit EdDSA (secret key available)
Comment: Usage: Signing, Encryption, Certifying User-Ids
Comment: Fingerprint: 9475015A4B311E92584A76CC3FE2678B6F23527A
mDMEYyq7AxYJKwYBBAHaRw8BAQdA/E917/9pKpRue1W8M4YkVhsJFH7M5HYI77mD
qqVKani0JVRob21hcyBLbnVkc2VuIDx0aG9tYXNAY2FyZHRva2Vucy5pbz6ImQQT
FgoAQRYhBJR1AVpLMR6SWEp2zD/iZ4tvI1J6BQJjKrsDAhsDBQkDw94dBQsJCAcC
AiICBhUKCQgLAgQWAgMBAh4HAheAAAoJED/iZ4tvI1J6PxgA/2LeYCSnmcLFnXWO
BVcAAcBDQWtBSLnriZr20rM5Paa3AQC19oymNqb77e0lq0CNLU18PrO/+ZNILUZz
YZBKUzZzArg4BGMquwMSCisGAQQBl1UBBQEBB0B0vQif+cmHBNehvHa79CFwbpwC
gaEug4s50cEIEsFESwMBCAeIfgQYFgoAJhYhBJR1AVpLMR6SWEp2zD/iZ4tvI1J6
BQJjKrsDAhsMBQkDw94dAAoJED/iZ4tvI1J6SQkA/2OmDb7A+vkLEkQXi3dUISb6
CV5hRjkBiknF8K8L/0sFAQC9cELlZ3OgsPcHUsTGWpVKtOgxqzbKQ0EEyA7K1hLE
Cw==
=gy4M
-----END PGP PUBLIC KEY BLOCK-----