Steps To Follow:

This new flow follows a better security layer which includes payload as well as headers encryption-decryption.

1. Every API call will comprise of newly encrypted header_secrets and a pass_key in the headers and the encrypted payload with the response body also being encrypted using AES-256 encryption.

2. ISU team will share the Pass key, Client ID, Client Secret, API user name and Encryption Key for encrypting the Header Secrets and request-response Payload separately.

3. Every API call should comprise of two headers i.e. pass_key and header_secrets.

Parameter Description Data_type
header_secrets Encrypted header_secret containing client_id, client_secret and timestamp(Epoch) String
pass_key A separate pass_key for each client. String

4. The header_secrets is the encrypted header data which is a JSON body containing the client_id, client_secret and epoch, encrypted with an AES encryption key shared by ISU team.

5. The header_secrets JSON should contain the following data:

Parameter Key Description Data_type
client_id API user’s client_id, to be provided by ISU team. String
client_secret API user’s client_secret key, to be provided by ISU team. String
epoch A timestamp up to seconds e.g. 1727954878 String

1. Sample JSON header_secrets to be encrypted:

{ "Client_id": "sdfghjk16r1erhjkjh467ertyjkdcfxgxg", "client_secret": "ZG8uGGnu5vDAx6alfv1KQwn1DlZjA3ERn6WAlHkF3DmYoRq1SyG qJ4xxxTUYroAH", "epoch": "1727954878124" }

2. Every request payload should be encrypted using the same encryption Key:

{ "RequestData": "KyiXL/YzPPEE12/dE482Di1mFVhKsmctByNEvKTZHPTDt2v+p8aIj9qc8HPwvqpWOyCo/ K0OqitfNqU1t8KuMZJqdZrd1jmQuYfZAbi+143MyvHXqKbXyQJ1S2DTWsN2UkHt08IKuzdRNGvdu65IC mtkggYxS03JIK0ihDDt6tzPaWleSwviP LL7UsHMTJ3CG+a0BzHlRqaCW0ilT3y7minwAfDsBJEB5kfahflahfa" }

Below response client will get:

{ "ResponseData": "R4dcjsGEYXOWPRP9t8x8s8mJ6hNQT4FWii2WCfR4pKxeXzioW8WDokqs3a3VDWr/ mELpJRWpXw3+Z0fp/0En/BNgvjjENmmCcC8qm1gYi8wIv2VuvRBy 3012VOvK3J2ZlKDfQd2+ApsQI7ESDe/eoA==" }

The above response payload needs to be decrypted using the same shared Encryption Key for Request-Response Payload.

Notes:

  • Epoch is validated and must not be older than 5 mins.
  • Header secrets must be encrypted using AES256 each time the API is consumed.
  • Same key used for both payload and header secrets encryption.
  • Responses are encrypted only if successful.
  • Keys are client-specific.

Client Specific Keys:

Clients Header Encryption, AES Keys Payload Encryption and Decryption AES Keys
Client A
  1. pass_key
  2. Header_secrets Key a
 Key a
Client B
  1. pass_key
  2. Header_secrets Key b
 Key b
Client C
  1. pass_key
  2. Header_secrets Key c
 Key c
Client D
  1. pass_key
  2. Header_secrets Key d
 Key d