Encrypted PIN Transfer
📘 Applicable only to requests that accept the Signing-Method header.
This feature allows you to transfer your end users' signing methods (PIN, Emergency Code, Biometrics) securely in encrypted form, so that their values are never visible on your system. Your system cannot view or read the value of the end user's signing method.
This feature also ensures that the original end-user request body is not tampered with and helps avoid duplicate transactions.
Flowchart

📘 View the TypeScript code example for Encrypted PIN Transfer.
1. Generate a random AES 256-bit key
First, generate a random AES 256-bit key.
2. Generate a random IV (12 bytes)
Next, generate a random initialization vector (IV), which should be 12 bytes long.
3. Encrypt the AES 256-bit key
Next, encrypt the randomly generated AES 256-bit key with the AWS RSA-2048 public key that we expose in our publicly available endpoint:
Endpoint:
HTTP
Response Body:
JSON
4. Prepare the Request Body
Generate a SHA256 hash based on the request body.
Example Request Body:
JSON
Example SHA256 Hash:
SHA256 Hash
5. Encrypt Signing-Method body with the Raw AES key
Next, encrypt the Signing-Method body with your raw AES key. The structure of the Signing-Method body is as follows:
id: The unique ID of the signing method. ✅
value: The value of the signing method. ✅
physicalDeviceId: The unique ID of the user's device. (Applicable for BIOMETRIC only) ❌
idempotencyKey: A unique UUID for every request. ✅
signature.type: This will be sha256. ✅
JSON
Example Signing-Method body with PIN:
PIN:JSON
Example Signing-Method body with Emergency Code:
Emergency Code:JSON
Example Signing-Method body with Biometric:
Biometric:JSON
6. Prepare Encrypted-Signing-Method Header
6.1 Preparing JSON Body for Encrypted-Signing-Method
Next, prepare the following JSON body.
encryption.type: This will be AES/GCM/NoPadding.
encryption.key.encryptedValue: The AES key that is encrypted with the RSA-2048 public key (GET /api/security), from Step 3.
encryption.key.encryptionKeyId: The value of the result.encryptionKeys.id param in the response body of the GET /api/security endpoint, from Step 3.
encryption.iv: Your randomly generated IV (12 bytes), from Step 2.
value: The body of the Signing-Method that is encrypted with the raw AES key, from Step 5.
JSON
6.2 BASE64 Encode the Body
Next, you have to base64 encode the JSON body which is to be passed in the Encrypted-Signing-Method header.
7. Send the correct header
There are two ways to supply the signing method in the header:
7.1 For Encrypted Transfer (Encrypted-Signing-Method)
You need to send the base64-encoded JSON body from the previous step in the Encrypted-Signing-Method header. The Encrypted-Signing-Method header indicates that the signing method and the request body are encrypted.
7.2 For non-encrypted Transfer (Signing-Method)
The Signing-Method header can be passed as usual for non-encrypted transfers.
Signing-Method
Header
id:value
id: This is the ID of the signing method
value: This is the value of the signing method
756ae7a7-3713-43ee-9936-0dff50306488:123456
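Steps 1 to 6 above carried through end to end, as an added TypeScript example using Node.js `crypto`; it is not the code example linked from this page and not the API provider's own code. The function names, RSA-OAEP with SHA-256 for wrapping the AES key, base64 for binary fields, the GCM tag appended to the ciphertext and the `signature.value` field are assumptions the page does not specify. `openHeader` is a local stand-in for the receiving side, so the round trip can be checked with a key pair you generate yourself.

```typescript
import * as crypto from "node:crypto";

type Method = { id: string; value: string; physicalDeviceId?: string };
// Assumed key-wrap padding (RSA-OAEP, SHA-256); the page does not name one.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
const sha256Hex = (s: string) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Client side, steps 1-6. Assumptions: base64 for binary fields, GCM tag appended
// to the ciphertext, and the request-body hash carried in `signature.value`.
function buildHeader(publicKeyPem: string, encryptionKeyId: string, requestBody: string, method: Method): string {
  const aesKey = crypto.randomBytes(32); // step 1: AES 256-bit key
  const iv = crypto.randomBytes(12); // step 2: 12-byte IV, fresh for every request
  const encryptedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, aesKey); // step 3
  const body = JSON.stringify({ // steps 4-5: Signing-Method body with the request hash
    ...method,
    idempotencyKey: crypto.randomUUID(),
    signature: { type: "sha256", value: sha256Hex(requestBody) },
  });
  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
  const value = Buffer.concat([cipher.update(body, "utf8"), cipher.final(), cipher.getAuthTag()]);
  const header = { // step 6.1
    encryption: {
      type: "AES/GCM/NoPadding",
      key: { encryptedValue: encryptedKey.toString("base64"), encryptionKeyId },
      iv: iv.toString("base64"),
    },
    value: value.toString("base64"),
  };
  return Buffer.from(JSON.stringify(header), "utf8").toString("base64"); // step 6.2
}

// Local stand-in for the receiving side: unwrap the key, decrypt, compare the hash.
function openHeader(privateKeyPem: string, headerB64: string, requestBody: string) {
  const h = JSON.parse(Buffer.from(headerB64, "base64").toString("utf8"));
  const wrapped = Buffer.from(h.encryption.key.encryptedValue, "base64");
  const aesKey = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, wrapped);
  const blob = Buffer.from(h.value, "base64");
  const tagAt = blob.length - 16; // 16-byte GCM tag at the end (assumed layout)
  const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, Buffer.from(h.encryption.iv, "base64"));
  decipher.setAuthTag(blob.subarray(tagAt));
  // final() throws if the ciphertext, IV or tag was modified in transit.
  const plain = Buffer.concat([decipher.update(blob.subarray(0, tagAt)), decipher.final()]);
  const body = JSON.parse(plain.toString("utf8"));
  if (body.signature.value !== sha256Hex(requestBody)) throw new Error("request body does not match signature");
  return body as Method & { idempotencyKey: string };
}
```

The string passed as `requestBody` must be byte-for-byte the body that is sent, otherwise the SHA256 comparison fails on the receiving side.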
Encrypted Request Example:
Executing a Transaction
Example Request
Updating a PIN Signing Method
Example Request
Creating an additional Signing Method
Example Request