Hi,
Does anyone have experience generating this using PHP? I need advice on how to generate the CEK.
Best Regards
Hey @firdaus_shukor,
Thanks for asking this question and I am happy to help. I've provided the sample JWE using API Key/Shared Secret below. Please let us know if you find this helpful or if there's anything else we can do to help.
Sample JWE using API Key/Shared Secret
JWE Header
"header": {
  "alg": "AGCM256KW", // Encryption algorithm to be used for encryption of CEK
  "iv": "<SizeofIVistobe96bit.>", // IV to be used for encryption of CEK
  "tag": "<128bitvalue>", // HMAC generated from applying AES-256-GCM-KW to the CEK
  "kid": "50charAPIKey", // API key
  "channelSecurityContext": "SHARED_SECRET",
  "enc": "AGCM256",
  "iat": "1429837145"
}
JWE Body:
// Base64 encoded form. CEK encrypted using AGCM256KW (alg) algorithm and the CEK IV
"encrypted_key": "UghIOgu ... MR4gp_A=",
// Base64 encoded form. IV for the text encryption. Size of IV is to be 96 bit
"iv": "AxY8DctDa….GlsbGljb3RoZQ=",
// Base64 encoded form. Encrypted blob generated using the AES-GCM encryption (enc) of the text to encrypt
"ciphertext": "KDlTthhZTGufMY…….xPSUrfmqCHXaI9wOGY=",
// Base64 encoded form. HMAC generated using the AES-GCM encryption of the text to encrypt. The size of the tag is to be 128 bits.
"tag": "Mz-VPPyU4…RlcuYv1IwIvzw="
Note: The JWE Protected Header is input as the AAD (Additional Authenticated Data) parameter of the authenticated encryption (AES-GCM) of the “text to encrypt”.
JWE composition
BASE64URL (UTF8 (JWE Header)) || ‘.’ ||
BASE64URL (JWE Encrypted Key) || ‘.’ ||
BASE64URL (JWE IV) || ‘.’ ||
BASE64URL (JWE Ciphertext) || ‘.’ ||
BASE64URL (JWE Authentication Tag)
JWE/JWS specification requires BASE64URL encoding with NO padding.
General approach for JSON Web Encryption using API key/Shared Secret
(Refer to complete specification for deeper overview of JWE – https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40 )
For more information on how to decrypt data, please visit this link - https://developer.visa.com/capabilities/vts/docs#security_and_authentication_requirements
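The structure described in the reply above, as an added PHP example that is not part of the original reply and is not Visa's code. It generates the CEK with `random_bytes`, wraps it with AES-256-GCM, and composes the five-part JWE. Two points are assumptions the page does not state: that the key-encryption key is the SHA-256 digest of the shared secret, and that the AAD is the base64url-encoded header (the RFC 7516 form). The function names and sample values are hypothetical.

```php
<?php
// Added example, not Visa's code. Assumptions are marked ASSUMPTION.

function b64url(string $bin): string
{
    // BASE64URL with no padding, as the JWE/JWS specification requires.
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function buildJwe(string $plaintext, string $apiKey, string $sharedSecret): string
{
    // ASSUMPTION: the key-encryption key is SHA-256(shared secret), 32 raw bytes.
    $kek = hash('sha256', $sharedSecret, true);

    // CEK: a fresh random 256-bit key for every message, from the OS CSPRNG.
    $cek = random_bytes(32);

    // Wrap the CEK with AES-256-GCM under the KEK: 96-bit IV, 128-bit tag.
    $kwIv = random_bytes(12);
    $kwTag = '';
    $encryptedKey = openssl_encrypt($cek, 'aes-256-gcm', $kek, OPENSSL_RAW_DATA, $kwIv, $kwTag, '', 16);
    if ($encryptedKey === false) {
        throw new RuntimeException('CEK wrap failed');
    }

    // The header carries the IV and tag produced by the CEK wrap.
    $header = json_encode([
        'alg' => 'AGCM256KW',
        'iv'  => b64url($kwIv),
        'tag' => b64url($kwTag),
        'kid' => $apiKey,
        'channelSecurityContext' => 'SHARED_SECRET',
        'enc' => 'AGCM256',
        'iat' => (string) time(),
    ], JSON_UNESCAPED_SLASHES);
    $protected = b64url($header);

    // Encrypt the payload with the CEK and a second 96-bit IV.
    // ASSUMPTION: AAD is the base64url-encoded header, as in RFC 7516.
    $iv = random_bytes(12);
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $cek, OPENSSL_RAW_DATA, $iv, $tag, $protected, 16);
    if ($ciphertext === false) {
        throw new RuntimeException('payload encryption failed');
    }
    return implode('.', [$protected, b64url($encryptedKey), b64url($iv), b64url($ciphertext), b64url($tag)]);
}

// Constructed sample values, not real credentials.
echo buildJwe('{"example":"constructed payload"}', 'CONSTRUCTED-API-KEY', 'constructed-shared-secret'), PHP_EOL;
```

Both IVs must be freshly generated for every message, because reusing an IV under the same AES-GCM key breaks both confidentiality and the authentication tag.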