Authentication

Data encryption

To protect data in transit and prevent leakage, sensitive fields (e.g. card number, cardholder name) must be encrypted before they are sent.

  • Encryption algorithm: AES
  • Merchants generate their own merchant secret key and must store it securely
  • AES encryption method: AesUtil.AESEncode(metadata, secret key)
  • If a parameter contains Chinese characters, URL-encode it first with URLEncoder: URLEncoder.encode(param)

Signature

Mutual authentication is implemented. For requests, the caller needs to compute a digital signature and include it in the HTTP body. Conversely, for responses, ACH includes its own signature in the HTTP body of the response. The request signature is generated as follows:

Step 1: Sort all parameters in ascending order according to parameter names.
  Example: parameter list: abc=value1 bcd=value2 bad=value3
           sort result:    abc=value1 bad=value3 bcd=value2

Step 2: Connect all parameters with '&'.
  Example: abc=value1&bad=value3&bcd=value2

Step 3: The client signs with its RSA private key, and the server verifies the signature with the RSA public key.
  Example: RsaUtil.sign(signature string, private key)

Step 4: After receiving the request, the server decrypts the data first and then verifies the signature on the decrypted data with the RSA public key. If both decryption and signature verification succeed, the request is considered legitimate.
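The four steps above, worked through in Go as an added example (this is not ACH's RsaUtil code): the canonical string is built from the plaintext parameters, signed with the caller's RSA private key, and re-verified by the receiver from its own copy of the decrypted parameters. The hash and padding (SHA-256 with PKCS#1 v1.5) are assumptions, since the page does not state them, as are the function names and the sample parameters.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// CanonicalString implements steps 1 and 2: sort parameters by name
// (ascending) and join the name=value pairs with '&'.
func CanonicalString(params map[string]string) string {
	names := make([]string, 0, len(params))
	for n := range params {
		names = append(names, n)
	}
	sort.Strings(names)
	pairs := make([]string, 0, len(names))
	for _, n := range names {
		pairs = append(pairs, n+"="+params[n])
	}
	return strings.Join(pairs, "&")
}

// Sign is the caller's side of step 3. SHA-256 + PKCS#1 v1.5 is an assumed choice.
func Sign(priv *rsa.PrivateKey, params map[string]string) ([]byte, error) {
	digest := sha256.Sum256([]byte(CanonicalString(params)))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the server's side of steps 3 and 4: the canonical string is rebuilt
// from the received (already decrypted) parameters, never taken from the client.
func Verify(pub *rsa.PublicKey, params map[string]string, sig []byte) bool {
	digest := sha256.Sum256([]byte(CanonicalString(params)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed merchant key pair
	params := map[string]string{"abc": "value1", "bcd": "value2", "bad": "value3"}
	fmt.Println(CanonicalString(params)) // abc=value1&bad=value3&bcd=value2
	sig, _ := Sign(priv, params)
	fmt.Println("valid:", Verify(&priv.PublicKey, params, sig))
	params["bcd"] = "tampered" // any change to a signed field must fail verification
	fmt.Println("after tampering:", Verify(&priv.PublicKey, params, sig))
}
```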