API Documentation
NeoX documents

Decrypting Card Data Algorithm

This document explains the algorithmic process to decrypt the cardEncryptedData object.


1. Hybrid Encryption Structure

The encryption uses a hybrid approach:

  • RSA (asymmetric): Protects the AES key, IV, and Auth Tag.

  • AES-GCM (symmetric): Encrypts the actual card data.


2. Decryption Steps

Step 1: RSA Decryption

  • The encryptedKey is a base64-encoded string.

  • It contains the AES key, IV, and Auth Tag, all encrypted with the merchant's RSA public key.

  • The private RSA key is used to decrypt encryptedKey, yielding a buffer with:

    • AES Key: First 32 bytes (256 bits)

    • IV: Next 12 bytes (96 bits)

    • Auth Tag: Last 16 bytes (128 bits)

Step 2: Extract AES Parameters

  • AES Key: Used for AES-256-GCM decryption.

  • IV (Initialization Vector): Required for AES-GCM.

  • Auth Tag: Used to verify data integrity in AES-GCM.

Step 3: AES-GCM Decryption

  • The encryptedData is a base64-encoded string, encrypted with AES-256-GCM.

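  • The data is decrypted using the extracted AES key and IV. The Auth Tag is verified as part of decryption; if verification fails, the ciphertext or key material was altered and the output must be discarded.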

  • The output is the original card data in JSON string format.


3. Security Notes

  • RSA ensures only the intended recipient can access the AES key.

  • AES-GCM provides both confidentiality and integrity for the card data.


4. Sample code (in Node.js)

import * as crypto from "crypto";
import * as fs from "fs";

const PRIVATE_KEY = fs.readFileSync(`path/to/your/private-key.pem`, "utf8");
const AES_KEY_LENGTH = 32; // 256 bits
const IV_LENGTH = 12; // 96 bits
const AUTH_TAG_LENGTH = 16; // 128 bits

function hybridDecrypt(cardEncryptedData) {
  const { encryptedData, encryptedKey } = cardEncryptedData;
  try {
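    // 1. RSA Decryption
    // encryptedKey is base64 text, so decode it to raw bytes first;
    // a string passed directly would be read as UTF-8, not base64.
    const decryptedKeyBuf = crypto.privateDecrypt(
      {
        key: PRIVATE_KEY,
        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
        oaepHash: "sha256"
      },
      Buffer.from(encryptedKey, "base64")
    );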

    // 2. Extract AES Parameters
    const aesKey = decryptedKeyBuf.subarray(0, AES_KEY_LENGTH);
    const iv = decryptedKeyBuf.subarray(AES_KEY_LENGTH, AES_KEY_LENGTH + IV_LENGTH);
    const authTag = decryptedKeyBuf.subarray(-AUTH_TAG_LENGTH);

    // 3. AES-GCM Decryption
    const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, iv);
    decipher.setAuthTag(authTag);
    let decrypted = decipher.update(encryptedData, "base64", "utf8");
    decrypted += decipher.final("utf8");
    return decrypted;
  } catch (error) {
    console.log(`call to hybridDecrypt failed with error: ${error.message}`);
    return "{}";
  }
}

// Test with NeoX virtual card encrypted data. Replace with actual encrypted data
const cardEncryptedData = {
  encryptedData:
    "Some encryptedData data here that is base64 encoded",
  encryptedKey:
    "Some encryptedKey data here that is base64 encoded"
};

const result = hybridDecrypt(cardEncryptedData);
console.log("result", JSON.parse(result));
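
The round trip from Steps 1 to 3 as an offline self-test, an added example that is not NeoX's code: it builds a constructed payload in the documented layout with a throwaway RSA key, decrypts it strictly, and checks that a modified ciphertext is rejected. The helper names and the `cardNumber`/`cvv` fields are assumptions; the RSA-OAEP/SHA-256 parameters are taken from the sample above.

```javascript
// Added example, not NeoX code. CommonJS; sample values are constructed.
const crypto = require("node:crypto");
const KEY_LEN = 32, IV_LEN = 12, TAG_LEN = 16; // sizes from Step 1
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Hypothetical helper: builds a payload in the documented layout (key || IV || tag).
function buildSample(publicKey, cardJson) {
  const key = crypto.randomBytes(KEY_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(cardJson, "utf8"), cipher.final()]);
  const blob = Buffer.concat([key, iv, cipher.getAuthTag()]);
  return {
    encryptedData: ct.toString("base64"),
    encryptedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, blob).toString("base64"),
  };
}

// Throws on any failure, so a caller cannot mistake an error for an empty card.
function strictDecrypt(privateKey, { encryptedData, encryptedKey }) {
  const blob = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(encryptedKey, "base64"));
  if (blob.length !== KEY_LEN + IV_LEN + TAG_LEN) throw new Error("unexpected key blob length");
  const key = blob.subarray(0, KEY_LEN);
  const iv = blob.subarray(KEY_LEN, KEY_LEN + IV_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(blob.subarray(KEY_LEN + IV_LEN));
  const ct = Buffer.from(encryptedData, "base64");
  // final() verifies the tag and throws if ciphertext, key, IV or tag were altered.
  return JSON.parse(Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8"));
}

// True when a one-bit change to the ciphertext is rejected.
function rejectsTampering(privateKey, sample) {
  const raw = Buffer.from(sample.encryptedData, "base64");
  raw[0] ^= 0x01;
  try {
    strictDecrypt(privateKey, { ...sample, encryptedData: raw.toString("base64") });
    return false;
  } catch {
    return true;
  }
}

const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const card = { cardNumber: "4111111111111111", cvv: "123" }; // constructed test values
const sample = buildSample(publicKey, JSON.stringify(card));
const roundTripOk = strictDecrypt(privateKey, sample).cardNumber === card.cardNumber;
console.log({ roundTripOk, tamperRejected: rejectsTampering(privateKey, sample) });
```

Unlike the sample above, `strictDecrypt` raises on a failed tag check or a key blob of the wrong size rather than returning `"{}"`, which keeps a decryption failure distinguishable from an empty result.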
