Decrypting Card Data Algorithm

This document explains the algorithmic process to decrypt the cardEncryptedData object.

1. Hybrid Encryption Structure

The encryption uses a hybrid approach:

RSA (asymmetric): Protects the AES key, IV, and Auth Tag.
AES-GCM (symmetric): Encrypts the actual card data.

2. Decryption Steps

Step 1: RSA Decryption

The encryptedKey is a base64-encoded string.
It contains the AES key, IV, and Auth Tag, all encrypted with the merchant's RSA public key.
The private RSA key is used to decrypt encryptedKey, yielding a buffer with:
- AES Key: First 32 bytes (256 bits)
- IV: Next 12 bytes (96 bits)
- Auth Tag: Last 16 bytes (128 bits)

Step 2: Extract AES Parameters

AES Key: Used for AES-256-GCM decryption.
IV (Initialization Vector): Required for AES-GCM.
Auth Tag: Used to verify data integrity in AES-GCM.

Step 3: AES-GCM Decryption

The encryptedData is a base64-encoded string, encrypted with AES-256-GCM.
Using the extracted AES key, IV, and Auth Tag, the data is decrypted.
The output is the original card data in JSON string format.

3. Security Notes

RSA ensures only the intended recipient can access the AES key.
AES-GCM provides both confidentiality and integrity for the card data.

4. Sample codes (in NodeJS)

import * as crypto from "crypto";
import * as fs from "fs";

const PRIVATE_KEY = fs.readFileSync(`path/to/your/private-key.pem`, "utf8");
const AES_KEY_LENGTH = 32; // 256 bits
const IV_LENGTH = 12; // 96 bits
const AUTH_TAG_LENGTH = 16; // 128 bits

function hybridDecrypt(cardEncryptedData) {
  const { encryptedData, encryptedKey } = cardEncryptedData;
  try {
    // 1. RSA Decryption
    const decryptedKeyBuf = crypto.privateDecrypt(
      {
        key: PRIVATE_KEY,
        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
        oaepHash: "sha256"
      },
      encryptedKey
    );

    // 2. Extract AES Parameters
    const aesKey = decryptedKeyBuf.subarray(0, AES_KEY_LENGTH);
    const iv = decryptedKeyBuf.subarray(AES_KEY_LENGTH, AES_KEY_LENGTH + IV_LENGTH);
    const authTag = decryptedKeyBuf.subarray(-AUTH_TAG_LENGTH);

    // 3. AES-GCM Decryption
    const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, iv);
    decipher.setAuthTag(authTag);
    let decrypted = decipher.update(encryptedData, "base64", "utf8");
    decrypted += decipher.final("utf8");
    return decrypted;
  } catch (error) {
    console.log(`call to hybridDecrypt failed with error: ${error.message}`);
    return "{}";
  }
}

// Test with NeoX virtual card encrypted data. Replace with actual encrypted data
const cardEncryptedData = {
  encryptedData:
    "Some encryptedData data here that is base64 encoded",
  encryptedKey:
    "Some encryptedKey data here that is base64 encoded"
};

const result = hybridDecrypt(cardEncryptedData);
console.log("result", JSON.parse(result));

PreviousWebhook NextMerchant Portal

Last updated 1 day ago

Was this helpful?

2. Decryption Steps

Step 1: RSA Decryption

The encryptedKey is a base64-encoded string.

It contains the AES key, IV, and Auth Tag, all encrypted with the merchant's RSA public key.

The private RSA key is used to decrypt encryptedKey, yielding a buffer with:

AES Key: First 32 bytes (256 bits)
IV: Next 12 bytes (96 bits)
Auth Tag: Last 16 bytes (128 bits)

Step 2: Extract AES Parameters

AES Key: Used for AES-256-GCM decryption.

IV (Initialization Vector): Required for AES-GCM.

Auth Tag: Used to verify data integrity in AES-GCM.

Step 3: AES-GCM Decryption

The encryptedData is a base64-encoded string, encrypted with AES-256-GCM.

Using the extracted AES key, IV, and Auth Tag, the data is decrypted.

The output is the original card data in JSON string format.

4. Sample codes (in NodeJS)

import * as crypto from "crypto";
import * as fs from "fs";

const PRIVATE_KEY = fs.readFileSync(`path/to/your/private-key.pem`, "utf8");
const AES_KEY_LENGTH = 32; // 256 bits
const IV_LENGTH = 12; // 96 bits
const AUTH_TAG_LENGTH = 16; // 128 bits

function hybridDecrypt(cardEncryptedData) {
  const { encryptedData, encryptedKey } = cardEncryptedData;
  try {
    // 1. RSA Decryption
    const decryptedKeyBuf = crypto.privateDecrypt(
      {
        key: PRIVATE_KEY,
        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
        oaepHash: "sha256"
      },
      encryptedKey
    );

    // 2. Extract AES Parameters
    const aesKey = decryptedKeyBuf.subarray(0, AES_KEY_LENGTH);
    const iv = decryptedKeyBuf.subarray(AES_KEY_LENGTH, AES_KEY_LENGTH + IV_LENGTH);
    const authTag = decryptedKeyBuf.subarray(-AUTH_TAG_LENGTH);

    // 3. AES-GCM Decryption
    const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, iv);
    decipher.setAuthTag(authTag);
    let decrypted = decipher.update(encryptedData, "base64", "utf8");
    decrypted += decipher.final("utf8");
    return decrypted;
  } catch (error) {
    console.log(`call to hybridDecrypt failed with error: ${error.message}`);
    return "{}";
  }
}

// Test with NeoX virtual card encrypted data. Replace with actual encrypted data
const cardEncryptedData = {
  encryptedData:
    "Some encryptedData data here that is base64 encoded",
  encryptedKey:
    "Some encryptedKey data here that is base64 encoded"
};

const result = hybridDecrypt(cardEncryptedData);
console.log("result", JSON.parse(result));