API Integration with AES Encryption/Decryption

1. Implementation Plan

API requests support the AES+sha256 encrypted signature authentication scheme. AES is used to encrypt request parameters and response data, while sha256 digest signatures applied to both request parameters and response data.

1.1 AES Encryption Parameter

Key: A string of length 16/24/32 (digits/letters), corresponding to 128/196/256-bit encryption respectively. Test key:airudderredduria. To obtain production keys, please contact us in advance.
Encryption ECB
Padding zeropadding (\0)

The examples are in Python; the actual implementation language is flexible.

def aes_encrypt(text, aeskey):
    """aes encryption"""
    
    if isinstance(text, str):
        text = text.encode("utf8")
    enc_secret = AES.new(aeskey.encode("utf-8"), AES.MODE_ECB)
    # ECB Padding: ECB requires the plaintext length to be multiple of the block size, so the text must be padded accordingly. This document specifies zero-padding(\0) for alignment. 
    tag_string = text + (AES.block_size - len(text) % AES.block_size) * b"\0"  
    cipher_text = base64.b64encode(enc_secret.encrypt(tag_string))
    return cipher_text


def aes_decrypt(text, aeskey):
    """aes decryption"""

    if isinstance(text, str):
        text = text.encode("utf8")
    dec_secret = AES.new(aeskey.encode("utf-8"), AES.MODE_ECB)
    raw_decrypted = dec_secret.decrypt(base64.b64decode(text))
    clear_val = raw_decrypted.rstrip(b"\0")
    return clear_val

1.2 sha256 Signature Method

Encode the raw data in utf-8 and take the lowercase hexadecimal value of its sha256 digest.

The examples are in Python; the actual implementation language is flexible.

def sha256_sign(text):
    """sha256 signature"""
    
    if isinstance(text, str):
        text = text.encode("utf8")
    return hashlib.sha256(text).hexdigest()

2. Encrypting Request Data and Decrypting Response Data

2.1 The connecting party should process the request as follows before sending

.Add Is-Encrypted 1 in the request HEADER to mark whether it is encrypted
.Add Signed xxx in the request HEADER to mark the sha256 signature value

{
    "Is-Encrypted": "1",
    "Signed": "6956d7af4c89b89f19f9ae0a8be4bcf12abe7c6ed893691733f3480ad3f3aabc"
}

*.The raw encrypted request data is divided into GET requests and POST requests.
The raw encrypted data for GET requests is the URL-encoded value of all parameters (i.e., query_string)
The raw encrypted data for POST requests is the JSON-dumped value of the parameters (i.e., body)
*.Encrypt the raw data to generate encrypted data, and replace the original with the encrypted version. Then calculate the sha256 signature of the original data, place it in the request header, and send the request.

2.2 If the request is encrypted, the corresponding response will also be encrypted. The connecting party should decrypt the response as follows

.Add Is-Encrypted 1 in the response HEADER to mark whether it is encrypted
.Add Signed xxx in the response HEADER to mark the sha256 signature value

*.The response data is the encrypted data (i.e., content)
*.Decrypt the encrypted response to obtain the raw data, and then generate a sha256 signature of this decrypted data and compare it with the Signed value in the response HEADER. Only proceed with further processing if the signatures match.

API Integration with AES Encryption/Decryption

1. Implementation Plan#

1.1 AES Encryption Parameter#

1.2 sha256 Signature Method#

2. Encrypting Request Data and Decrypting Response Data#