Re: What should I deal with FLE(field-level encryption )

ashOne
Regular Visitor

What should I deal with FLE(field-level encryption )

I met a problem when I attended to impment viap api. I found  these api uses fle to encrypt , but I can not FIND ANY DOCUMENT ABOUT FLE . are there any one can find it ?

5 REPLIES 5
API_Products
Visa Developer Support Specialist

Re: What should I deal with FLE(field-level encryption )

Hey @ashOne,

 

Field-Level Encryption (FLE) in the context of Visa Developer Platform is crucial for securing sensitive data. If you're encountering issues with FLE and can't find documentation, here are some steps you can take:

 

Steps to Deal with Field-Level Encryption (FLE)

1. Check Visa Developer Documentation:
- Visit the Visa Developer Documentation at https://developer.visa.com/ and search for Field-Level Encryption.
- Look for specific API documentation which might detail the encryption process.

2. Review API Specifications:
- Each API that uses FLE should have specifications on how to handle encryption. Check the API reference for any encryption fields or parameters.

3. Contact Visa Developer Support:
- If documentation is insufficient or unavailable, contact Visa Developer Support directly. They can provide detailed guidance and support for implementing FLE.

4. Use Visa Developer Community:
- Engage with the Visa Developer Community. Other developers may have faced similar issues and can provide insights or solutions.
- Check forums and discussion boards for any threads related to FLE.

5. Follow General Encryption Practices:
- Understand the general principles of field-level encryption. This includes generating encryption keys, encrypting data before sending it, and decrypting data upon receipt.
- Implement industry-standard encryption libraries and practices in your code.

 

Example of Field-Level Encryption in Python

Here's an example of how you might handle basic encryption in Python, though specifics will depend on Visa's requirements:

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
import os

# START 
# Generate a key from a password
password = b"your_password"
salt = os.urandom(16)
kdf = PBKDF2HMAC(
algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=100000,
)
key = kdf.derive(password)

# Encrypt some data
data = b"your_sensitive_data"
iv = os.urandom(16)
cipher = Cipher(algorithms.AES(key), modes.CFB(iv))
encryptor = cipher.encryptor()
ct = encryptor.update(data) + encryptor.finalize()

# Decrypt the data
cipher = Cipher(algorithms.AES(key), modes.CFB(iv))
decryptor = cipher.decryptor()
decrypted_data = decryptor.update(ct) + decryptor.finalize()

print(f"Original Data: {data}")
print(f"Encrypted Data: {ct}")
print(f"Decrypted Data: {decrypted_data}")
# END 
```

 

Summary

- Documentation: Refer to Visa Developer documentation for FLE.
- Support: Reach out to Visa Developer Support for help.
- Community: Engage with the Visa Developer Community for insights.
- Encryption Practices: Follow general encryption practices using industry-standard libraries. 




Thanks,

Diana



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.

ashOne
Regular Visitor

Re: What should I deal with FLE(field-level encryption )

I got it , but I still have a problem , I found the sample code of viap (visa in app-provision), viap uses the fle to encrypt the special field  that prefix with 'enc',and the code of fle implement needs  the encryptionKid. so what does the encryptionKid actually mean ?

API_Products
Visa Developer Support Specialist

Re: What should I deal with FLE(field-level encryption )

Hey @ashOne,

 

The `encryptionKid` stands for "Encryption Key Identifier." It is a unique identifier used to reference a specific encryption key within a key management system. In the context of the Visa In-App Provisioning (VIAP) and Financial Level Encryption (FLE), the `encryptionKid` is used to identify the encryption key that will be used to encrypt sensitive fields that are prefixed with 'enc'.

 

Here's a more detailed explanation:

1. Key Management System (KMS): The KMS stores and manages encryption keys securely. Each key has a unique identifier, known as the Key Identifier (KID).

2. encryptionKid: This is the unique identifier for the specific key you want to use for encrypting data. When you pass `encryptionKid` in your API request, the Visa platform knows which encryption key to use for encrypting the specified fields.

3. Encryption Process: When you encrypt a field (e.g., a card number or personal information), the system uses the encryption key referenced by the `encryptionKid` to perform the encryption. This ensures that the data is securely encrypted before being transmitted or stored.

 

Example Usage

In your code, you might see `encryptionKid` being used like this:

```json
{
"encCardNumber": "encrypted_card_number_here",
"encryptionKid": "your_encryption_kid"
}
```

 

When you implement the encryption, the `encryptionKid` tells the system which key to use:

```python
# START 
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

def encrypt_data(data, key):
cipher = AES.new(key, AES.MODE_ECB)
encrypted_data = cipher.encrypt(pad(data.encode('utf-8'), AES.block_size))
return base64.b64encode(encrypted_data).decode('utf-8')

# Placeholder values for demonstration
data_to_encrypt = "SensitiveData"
encryption_key = b'YourEncryptionKey' # This should be a 16, 24, or 32 byte key
encryption_kid = "your_encryption_kid"

encrypted_data = encrypt_data(data_to_encrypt, encryption_key)

print("Encrypted Data:", encrypted_data)
print("Encryption KID:", encryption_kid)
# END 
```

 

Steps to Follow:

1. Key Generation: Generate an encryption key using your key management system. This key will have a unique `encryptionKid`.

2. Store the Key: Store the encryption key securely, and note down its `encryptionKid`.

3. Use the Key in Your Code: When encrypting data, use the `encryptionKid` to reference the key. Ensure that the actual key data is securely managed and not hard-coded in your application.

4. Encrypt Data: Use the referenced key to encrypt sensitive fields, ensuring that the data is secure before transmission.

 

By understanding and correctly using the `encryptionKid`, you can ensure that sensitive data is encrypted with the appropriate key, maintaining the security and integrity of your transactions.

 




Thanks,

Diana



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.

ashOne
Regular Visitor

Re: What should I deal with FLE(field-level encryption )

I still hava  questions,as above said,the keyId is the identity of  encrypt key generated by my kms.so the visa how to know which key  I used when pass it to visa. AND How can I pass it to visa throught  api

API_Products
Visa Developer Support Specialist

Re: What should I deal with FLE(field-level encryption )

Hey @ashOne,

 

To address the follow-up question, here's how you deal with Field-Level Encryption (FLE) and the `encryptionKid` when passing data through the Visa API:

 

How Visa Knows Which Key You Used

When you pass the `encryptionKid` to Visa, you are essentially telling them which encryption key to use for decrypting the data. Visa's system will have a corresponding mapping of this `encryptionKid` to the actual encryption key within their Key Management System (KMS). This mapping allows Visa to correctly decrypt the data encrypted with the specified key.

 

Passing the `encryptionKid` to Visa Through the API

 

Here are the steps to pass the `encryptionKid` and the encrypted data to Visa through their API:

1. Generate the Encryption Key: Use your Key Management System (KMS) to generate the encryption key. Get the unique `encryptionKid` for this key.

2. Encrypt the Data: Encrypt your data using the encryption key. Ensure the encryption process follows the required encryption standards (e.g., AES).

3. Prepare the API Request: Include the encrypted data and the `encryptionKid` in your API request body.

 

Example API Request

Here's an example of how you might structure your API request to Visa:

 

```json
{
"encCardNumber": "encrypted_card_number_here",
"encryptionKid": "your_encryption_kid",
"otherField": "other_value"
}
```

 

Example Code Snippet

Below is an example Python code snippet demonstrating how to encrypt data and prepare the API request:

 

```python
# START 
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import requests

def encrypt_data(data, key):
cipher = AES.new(key, AES.MODE_ECB)
encrypted_data = cipher.encrypt(pad(data.encode('utf-8'), AES.block_size))
return base64.b64encode(encrypted_data).decode('utf-8')

# Placeholder values for demonstration
data_to_encrypt = "SensitiveData"
encryption_key = b'YourEncryptionKey' # This should be a 16, 24, or 32 byte key
encryption_kid = "your_encryption_kid"

# Encrypt the data
encrypted_data = encrypt_data(data_to_encrypt, encryption_key)

# Prepare the API request payload
payload = {
"encCardNumber": encrypted_data,
"encryptionKid": encryption_kid,
"otherField": "other_value"
}

# Example endpoint URL (replace with actual Visa API endpoint)
api_url = "https://visa.api.endpoint.com/path"

# Send the request to Visa API
response = requests.post(api_url, json=payload, headers={"Content-Type": "application/json"})

# Check response
if response.status_code == 200:
print("Request successful:", response.json())
else:
print("Request failed:", response.status_code, response.text)
# END 
```

 

Steps to Follow:

1. Generate the Key: Use your KMS to generate the key and get the `encryptionKid`.
2. Encrypt the Data: Encrypt the sensitive fields using the generated key.
3. Prepare the Payload: Include the encrypted data and `encryptionKid` in your request payload.
4. Send the API Request: Make the API request to Visa, ensuring you include the payload with the encrypted data and `encryptionKid`.

 

By following these steps and correctly passing the `encryptionKid` and encrypted data to Visa, their system will be able to correctly identify and use the appropriate encryption key for decryption.




Thanks,

Diana



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.