The application layer of the APIs uses JWE to protect sensitive fields and JWS for authentication, providing additional security layers on top of TLS mechanisms.
The application layer of the APIs uses JWE to protect sensitive fields and JWS for authentication. This constitutes additional security layers on top of the TLS mechanisms.
PAT uses JWE Compact Serialization representing encrypted content as a compact, URL-safe string with specific parts for protected header, encrypted key, initialization vector, ciphertext, and authentication tag.
The application layer of the APIs uses JWE to protect sensitive fields. This constitutes an additional security layer on top of the TLS mechanisms.
PAT uses JWE Compact Serialization representing encrypted content as a compact, URL-safe string. Each representation consists of the following parts:
Start a Project
API Overview
API Reference
BASE64URL(UTF8(JWE Protected Header)) || '.' ||
BASE64URL(JWE Encrypted Key) || '.' ||
BASE64URL(JWE Initialization Vector) || '.' ||
BASE64URL(JWE Ciphertext) || '.' ||
BASE64URL(JWE Authentication Tag)
In order to use JWE, the Financial Institution/Token Requestor must generate a Certificate and share it with the PAT solution.
For more details about the JWE standard, please refer to the Internet Engineering Task Force RFC7516 document (ISSN: 2070-1721).
https://www.rfc-editor.org/rfc/rfc7516
The Financial Institution or Token Requestor generates a JWE keyset and exports the public key certificate to PAT for message encryption.
The Financial Institution or Token Requestor generates a JWE keyset and exports the public key certificate to PAT where the public key is imported and linked to the Financial Institution/Token Requestor name and a keyIndex. This Financial Institution/Token Requestor name is assigned to the Financial Institution/Token Requestor as part of the onboarding process in PAT.
JSON messages to the Financial Institution/Token Requestor are encrypted by PAT and the JWE Header includes the Financial Institution/Token Requestor name (additionalInfo) and the keyIndex of the used public key. The Financial Institution/Token Requestor decrypts the JSON notification message with their associated private key.
The following JWE algorithms (JWE Header "alg" parameter) are supported by PAT:
The algorithms a Financial Institution/Token Requestor is allowed to use are configured by the operator. The following JWE encryption method (JWE Header "enc" parameter) is supported by the PAT:
The JSON messages received from PAT always use the A128CBC-HS256 encryption method.
Only sensitive JSON objects are encrypted in the message as specified by this API specification and JWE Compact Serialization must be used. When only JWE encryption is used, the Content-Type in the HTTP header must be application/json.
At the application layer, optionally JSON Web Signature (JWS) can be used to authenticate data, providing additional security on top of JWE and transport layer security mechanisms.
Also, at the application layer, optionally JSON Web Signature ("JWS") can be used to authenticate data. This constitutes an additional security layer on top of JWE (if message has encrypted payload) and the transport layer security mechanisms which prove the sent data has not changed since being signed.
PAT supports JWS Compact Serialization, represents digitally signed or MACed content using JSON data structures and base64url encoding. Each representation consists of the following parts:
BASE64URL(UTF8(JWS Protected Header)) || '.' ||
BASE64URL(JWS Payload) || '.' ||
BASE64URL(JWS Signature)
For more details about the JWS standard, please refer to the Internet Engineering Task Force RFC7515 document (ISSN: 2070-1721).
https://www.rfc-editor.org/rfc/rfc7515
PAT shares their public key with Financial Institutions and Token Requestors and signs JSON messages with their private key using RS256 algorithm.
PAT shares their public key with the Financial Institution and Token Requestor with the associated additonalInfo and keyIndex. PAT signs their JSON messages to Financial Institution and Token Requestor with their private key and includes in the mandatory JWS Header a 'kid' (Key ID) parameter field with the additionalInfo and keyIndex. Financial Institution/Token Requestor validates the signature with the public key received from PAT.
The 'kid' parameter is formatted as "<additionalInfo>/<keyIndex>" where additionalInfo and keyIndex are required. E.g. {"kid":"CL01/01","alg":"RS256"}
The JSON messages signed by PAT and sent to Financial Institution/Token Requestor are using the RS256 algorithm.
For more details about the JWS and JWE cryptographic algorithms and identifiers, please refer to the Internet Engineering Task Force RFC7518 document (ISSN: 2070-1721).
https://www.rfc-editor.org/rfc/rfc7518