Skip to main content
This guide explains how to set up encryption and decryption between an OFI and a BFI during the RFI process so that a file can be passed securely. This encryption varies from the method used to encrypt JSON communications between OFI and BFI, but shares some features. For compactness, files are encrypted using AES, and then the key is encrypted using JWE. Both are then transmitted to the BFI for a two-stage decryption process. In the CPN system, the OFI encrypts a payload with a randomly generated AES key. This key is then encrypted with the BFI’s public key using JSON Web Encryption. The encrypted AES key and encrypted file payload are transmitted to the BFI. The BFI decrypts the AES key using their private JWK and uses it to decrypt the file contents.

Steps

The following sections describe the steps necessary to encrypt a file sent from an OFI to a BFI through the RFI endpoint.

Step 1: Generate a random 128-bit AES key

Using your chosen implementation language, generate a random 128-bit AES key for AES-128-GCM encryption.
Java

Step 2: Generate a 12-byte IV

Using your chosen implementation language, generate a 12-byte IV.
Java

Step 3: Encrypt the file contents

Encrypt the file contents using AES-128-GCM using the key and IV from the previous steps.
Java

Step 4: Encrypt the AES key

Using the JWK data from the quote response, encrypt the AES key that was used to encrypt the file contents with the following parameters using JWE:
  • Algorithm: ECDH-ES+A128KW
  • Encryption method: A128GCM
Java

Step 5: Transmit the encrypted payload

After performing the encryption steps from the previous steps, you should have three components:
  • The AES-encrypted file content
  • The JWE string containing the encrypted AES key
  • The base64-encoded 12-byte IV
Use these components to create a multipart/form-data request to the upload RFI file endpoint. A 200 response from the API indicates that the encryption was performed correctly and the BFI can decrypt the file’s contents.
Important: Don’t manually set the Content-Type header. Let your HTTP client library set it automatically. The header must include a boundary parameter like:
Text
If you manually set Content-Type: multipart/form-data, the request will fail.
Java
An example request body is shown below:
Text