Skip to main content
This guide explains how to set up encryption and decryption between an OFI and a BFI so that messages can be passed securely during payment flow. CPN uses JSON Web Encryption (JWE) for encrypting data in a secure and compact manner. This encryption is implemented after a quote is accepted: the JWK data and public key for encryption are shared in the quote response. The encryption is also used when communicating RFI data. Both OFI and BFI can implement this encryption system in any programming language that supports the required primitives. This encryption scheme is required when performing the following tasks in CPN:
  • Creating a payment: for encrypting the travel rule and beneficiary account data
  • Submitting an RFI: for encrypting the RFI JSON response
Note: If your RFI response includes a file, that file is encrypted in a different manner.
Regardless of the language used to implement the encryption, the following parameters must be followed:
  • Key agreement: ECDH-ES+A128KW
  • Encryption method: A128-GCM

Steps

The following sections describe the steps necessary to encrypt a message sent from an OFI to a BFI. Note that this example uses beneficiary account data and travel rule data, but the same encryption scheme applies for RFI data as well.

Step 1: Retrieve the certificate from the quote response

Quote responses include a certificate field with required parameters to establish encryption with the BFI. A sample (truncated) quote response is below:
JSON

Step 2: Verify the certificate

This step is only possible in the production environment. It will fail in the sandbox environment.This step is strictly optional, however it is recommended as a best practice to verify that the certificate is valid.
From the certificate object in the quote response, extract the base64 encoded format of the certificate from the certPem field, decode it, and verify the following:
  • The certificate is not expired
  • The common name of the certificate is for a CPN BFI and matches the domain field in the response
  • The verifiable public key of the certificate matches the jwk field in the response
Java

Step 3: Extract and create the JWK

From the certificate field, extract the JWK parameters: kty, crv, kid, x, y and create the JWK object in your code using a suitable library (for example, Nimbus JOSE+JWT in Java).
Java

Step 4: Prepare the payload

Create the payload for travel rule data and beneficiary account data. Get the required fields from the requirements endpoint and construct them to the correct format. The correct format for travel rule data and beneficiary account data is a JSON array of objects where each object contains two properties: name and value. Whether an object is required to be present is defined by the optional field in the object returned by the requirements endpoint. An example of each is shown below: travelRuleData
JSON
beneficiaryAccountData
JSON

Step 5: Encrypt the payload

Convert the data from the previous step into a JSON string, then use the JWK to encrypt it. Ensure that the following parameters are used:
  • Algorithm: ECDH-ES+A128KW
  • Encryption method: A128GCM
Java

Step 6: Send and verify the encrypted payload

Send the encrypted payload in the API request to create a payment. The preceding example uses version 1 for beneficiaryAccountData and travelRuleData fields. The API returns a 200 response if the data is properly encrypted and can be decrypted by the BFI, otherwise an encryption-related error code is returned.