Decrypting Card Data Algorithm
This document explains the algorithmic process to decrypt the cardEncryptedData
object.
1. Hybrid Encryption Structure
The encryption uses a hybrid approach:
RSA (asymmetric): Protects the AES key, IV, and Auth Tag.
AES-GCM (symmetric): Encrypts the actual card data.
2. Decryption Steps
Step 1: RSA Decryption
The
encryptedKey
is a base64-encoded string.It contains the AES key, IV, and Auth Tag, all encrypted with the merchant's RSA public key.
The private RSA key is used to decrypt
encryptedKey
, yielding a buffer with:AES Key: First 32 bytes (256 bits)
IV: Next 12 bytes (96 bits)
Auth Tag: Last 16 bytes (128 bits)
Step 2: Extract AES Parameters
AES Key: Used for AES-256-GCM decryption.
IV (Initialization Vector): Required for AES-GCM.
Auth Tag: Used to verify data integrity in AES-GCM.
Step 3: AES-GCM Decryption
The
encryptedData
is a base64-encoded string, encrypted with AES-256-GCM.Using the extracted AES key, IV, and Auth Tag, the data is decrypted.
The output is the original card data in JSON string format.
3. Security Notes
RSA ensures only the intended recipient can access the AES key.
AES-GCM provides both confidentiality and integrity for the card data.
4. Sample codes (in NodeJS)
Last updated
Was this helpful?