Security
Encryption Methodology:
This application uses two-way public key encryption: CAMS shares its public key with the client and in turn expects the client system to share its public key with CAMS. Data is encrypted using AES with the following parameters:
Initialization Vector Size: 128 Bits
Key Size: 256 Bits
Padding: PKCS7
Cipher: CBC
Whenever the AES encrypted data is passed, the AES Initialization Vector and key are to be encrypted using CAMS public key (2048 bits/SHA256) and sent along with data. To ensure integrity of data, a SHA-256 hash of the data is sent in an encrypted format along with the encrypted data.
Steps for Encryption:
To encrypt and send data, the sender must follow the steps below:
1. Generate a random 128-bit Initialization Vector and a random 256-bit AES Key.
2. Convert both the IV and the AES Key to Base64 strings and concatenate them, separated by the pipe (|) symbol.
3. Using the public key (of the recipient), perform asymmetric encryption (RSA) of the string obtained in step 2 and Base64 encode the result. This will give "Key".
4. Using the Initialization Vector and AES Key generated in step 1, perform AES-256 encryption of the data (use the parameters mentioned in the “Encryption Methodology” section) and convert the result to a Base64 string. This will give "Data".
5. Compute the SHA-256 hash of the plain request data as a Hexadecimal String.
6. Using the Initialization Vector and AES Key generated in step 1, perform AES-256 encryption of the hash (use the parameters mentioned in the “Encryption Methodology” section) and convert the result to a Base64 string. This will give "Hash".
Decryption Methodology:
CAMS will send the response data to the client in encrypted form. Data is decrypted using AES with the following parameters:
Initialization Vector Size: 128 Bits
Key Size: 256 Bits
Padding: PKCS7
Cipher: CBC
Whenever the AES encrypted response data is passed, the AES Initialization Vector and key, which will be received along with the response data, are to be decrypted using the client private key (2048 bits/SHA256).
To ensure integrity of data, a SHA-256 hash of the data is sent in an encrypted format along with the encrypted data.
Steps for Decryption:
Decrypting an AES ciphertext follows the encryption process in reverse order. When encrypted response data is received, the receiver must follow the steps below to decrypt and use it:
1. Use the RSA Private Key to decrypt "Key" and get the AES Initialization Vector and AES Key, which will be in a pipe (|) delimited Base64 encoded string.
2. Split the string obtained in Step 1 on the pipe (|) symbol and Base64 decode each part (IV & AES Key).
3. Perform Base64 decoding of "Data" and use the Initialization Vector and Key obtained in the above step to perform AES decryption of "Data". This will give the actual data for use.
4. Similarly, perform Base64 decoding of "Hash" and use the Initialization Vector and Key obtained in the above step to perform AES decryption of "Hash". This will give the SHA-256 hash of the un-encrypted data as a Hexadecimal String.
5. Compute the SHA-256 hash of the string obtained in Step 3 as a Hexadecimal String.
6. Match the two strings (obtained in Step 4 and Step 5) to ensure data integrity before proceeding with further activities.
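The encryption and decryption steps above, as an added Node.js example (not CAMS code) that builds "Key", "Data" and "Hash" and rejects a response whose hash does not match. Assumptions: RSA uses OAEP padding with SHA-256 (the page only states "2048 bits/SHA256"), the hex hash is compared case-insensitively, and the function names and the throwaway demo key pair are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// ASSUMPTION: RSA-OAEP with SHA-256; the page does not name the RSA padding scheme.
const RSA_OPTS = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-256-CBC; Node applies PKCS7 padding by default.
function aesEncrypt(key, iv, text) {
  const c = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([c.update(text, 'utf8'), c.final()]).toString('base64');
}
function aesDecrypt(key, iv, b64) {
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(Buffer.from(b64, 'base64')), d.final()]).toString('utf8');
}
const sha256Hex = (text) => nodeCrypto.createHash('sha256').update(text, 'utf8').digest('hex');

// Encryption steps 1-6: returns the "Key", "Data" and "Hash" fields.
function encryptMessage(recipientPublicKey, plaintext) {
  const iv = nodeCrypto.randomBytes(16);  // 128-bit IV
  const key = nodeCrypto.randomBytes(32); // 256-bit AES key
  const ivAndKey = `${iv.toString('base64')}|${key.toString('base64')}`;
  const Key = nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...RSA_OPTS },
    Buffer.from(ivAndKey, 'utf8')).toString('base64');
  return { Key, Data: aesEncrypt(key, iv, plaintext), Hash: aesEncrypt(key, iv, sha256Hex(plaintext)) };
}

// Decryption steps 1-6: throws instead of returning data that fails the check.
function decryptMessage(recipientPrivateKey, msg) {
  const ivAndKey = nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...RSA_OPTS },
    Buffer.from(msg.Key, 'base64')).toString('utf8');
  const [iv, key] = ivAndKey.split('|').map((part) => Buffer.from(part, 'base64'));
  if (!iv || !key || iv.length !== 16 || key.length !== 32) throw new Error('bad IV/key sizes');
  const plaintext = aesDecrypt(key, iv, msg.Data);
  // Hex case is not specified on the page, so normalise before comparing.
  const sentHash = Buffer.from(aesDecrypt(key, iv, msg.Hash).toLowerCase(), 'utf8');
  const ownHash = Buffer.from(sha256Hex(plaintext), 'utf8');
  if (sentHash.length !== ownHash.length || !nodeCrypto.timingSafeEqual(sentHash, ownHash)) {
    throw new Error('integrity check failed');
  }
  return plaintext;
}

// Constructed demo: a throwaway key pair stands in for the recipient's real keys.
const demoKeys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoMsg = encryptMessage(demoKeys.publicKey, '{"sample":"constructed request"}');
console.log(decryptMessage(demoKeys.privateKey, demoMsg));
```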