CBC mode and PKCS5 padding to encrypt sensitive data.
All sensitive data is prepended with a random initialization vector (IV) to avoid dictionary attacks.
A decryption mechanism needs to be implemented on the client side in order to read sensitive data.
Branch provides the AES key in BASE64 format. Clients need to be sure that they have the key provided by Branch before implementing the solution on their end.
Implementation can be summed up in two steps.
This service accepts the BASE64-encoded encrypted sensitive data and the BASE64-encoded key. The service eventually calls the AES Utility function after getting the byte values.
This utility function is used to decrypt the value provided by the service function.
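
The two steps above as an added Go example, not Branch's own code: the service function Base64-decodes the data and key, and the utility function splits off the prepended IV, decrypts with AES-CBC and validates the PKCS5 padding. The function names, the 16-byte IV layout, the sample key and the `encryptSample` helper are assumptions made for the illustration.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

const demoKey = "MDEyMzQ1Njc4OWFiY2RlZg==" // constructed Base64 AES-128 key, not a real one
var errDecrypt = fmt.Errorf("decryption failed") // one generic error for all failures

// DecryptField is the service step: Base64-decode data and key, then decrypt.
func DecryptField(b64Data, b64Key string) (string, error) {
	key, kerr := base64.StdEncoding.DecodeString(b64Key)
	blob, derr := base64.StdEncoding.DecodeString(b64Data)
	if kerr != nil || derr != nil {
		return "", errDecrypt
	}
	return aesCBCDecrypt(blob, key)
}

// aesCBCDecrypt is the utility step. Assumed layout: 16-byte IV || ciphertext.
func aesCBCDecrypt(blob, key []byte) (string, error) {
	block, err := aes.NewCipher(key) // fails unless the key is 16, 24 or 32 bytes
	if err != nil || len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return "", errDecrypt
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // PKCS5: last byte is the pad length, repeated n times
	if n < 1 || n > aes.BlockSize || !bytes.HasSuffix(pt, bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errDecrypt
	}
	return string(pt[:len(pt)-n]), nil
}

func encryptSample(plain, b64Key string) string { // builds constructed demo input only
	key, _ := base64.StdEncoding.DecodeString(b64Key)
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(plain)%aes.BlockSize
	buf := append(make([]byte, aes.BlockSize), plain+string(bytes.Repeat([]byte{byte(n)}, n))...)
	rand.Read(buf[:aes.BlockSize]) // fresh random IV in the first block
	cipher.NewCBCEncrypter(block, buf[:aes.BlockSize]).CryptBlocks(buf[aes.BlockSize:], buf[aes.BlockSize:])
	return base64.StdEncoding.EncodeToString(buf)
}

func main() { fmt.Println(DecryptField(encryptSample("constructed-value", demoKey), demoKey)) }
```

Every failure path returns the same error because CBC alone carries no integrity check, so a caller should not be able to tell a padding failure from any other failure.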