Certain processes of Rabo Identity Services APIs contain highly sensitive PII data. To protect this data, Rabobank uses message level encryption.
Follow the steps below to use message level encryption based on PKI:
Step 1 – Applying the X-Encryption-Key header
A mandatory X-Encryption-Key header is required in requests to the endpoints where message level encryption is applied. This header must be formatted as a JSON Web Key (JWK) with the key attributes defined below.
Rabobank lets you set the public part of the key using the X-Encryption-Key header. You are responsible for generating and managing the key(s): consumers of the API generate the key pair and store the private part of the key securely.
Both RSA and EC keys are supported in this header; the key type is declared with the kty attribute.
The minimum required key configuration is as follows:
Applying RSA keys
| Field | Value | Notes |
| --- | --- | --- |
| kty | RSA | Required |
| alg | RSA-OAEP, RSA-OAEP-256 | Required |
| use | enc | Required |
| kid | case-sensitive string identifying the key | Recommended |
Applying EC keys
| Field | Value | Notes |
| --- | --- | --- |
| kty | EC | Required |
| alg | ECDH-ES | Required |
| crv | P-256, P-384, P-521 | Required |
| use | enc | Required |
| kid | case-sensitive string identifying the key | Recommended |
Valid RSA X-Encryption-Key header value
{
"kty": "RSA",
"e": "AQAB",
"use": "enc",
"kid": "gYtIlsCr3gGSdmY1Uj0q01ud0bDzSutAPHO9wHens4s",
"alg": "RSA-OAEP-256",
"n": "ufzviUV7l_DfVjHOegUCCAfC2jEPcHqmlbaO9ksHBGeYmpqQfp37pprcfUytVtQkvLoPOyX_0XwqrirQ4BI5ApfbxqQVuamOMd_qFzPlHqusnrbZeFIMDm0wnNM00Wezh3BQ4Jz958cqaS30mpXWec-UXfmkVOifbzjc2vcYxYY0_6-9-QTjDbpy_R7yx_FvECQO07qh7axTOwRdgNoN5mXVLs1in1Rx_QBfhcaxkTnN3R5nGaFqhiDHX2OWIfaiscv8QHqi0wpLI7du74nAmENwpFjLVHrC5D8KrD0QUN0IW8pr-wiJ8-sGmehBGDDUs6iPUNyy46Edmh8beavWKQ"
}
Step 2 – Decrypt the response
After the X-Encryption-Key header is set, Rabobank applies message level encryption to the response of the endpoint using the provided key.
You can decrypt the JWE token in the response with the private key that belongs to the public key set in the X-Encryption-Key header.
- Rabobank validates the provided X-Encryption-Key header.
- If the validation succeeds, we apply message level encryption to the content of the response body.
The response body is returned with Content-Type: application/jose; its content is the JSON Web Encryption (JWE) token.
Response example with message level encryption
HTTP/1.1 200 OK
Content-Type: application/jose
eyJraWQiOiJ1R0VIUWdBeUFfdFNBQWhhcUNRSTVJVHBrcWdhU2xCQXVhTklWQzJGRUU0IiwiZW5jIjoiQTI1NkdDTSIsImFsZyI6IlJTQS1PQUVQLTI1NiJ9.2l_oIXvIuNoDVTi42YKS9lnefBMmigQFuukZYZ13Z3osyUaU0dLhycn-c0mY8S4_oGNK8ov-eibVyNPE5WMbfZrvFRXQ2VyLeodoDDRm2IdkapyCQB7TDc2G0PHXCWofkbOvpKbUp43GyOz3MJ3bOzUdRfMg3sLwrbXT6CGs-RW1OfVtdEO4BsZywDOKvJ43T7VVQpcDjdyKVuJsEpe7E1kieD2X4P_sHF84T_uP5Wwrh5qVYMirnD4fhS4dYvP6ychwuQ4WlEE6s-YfCO4Gdv5ZCJ8n3OhL83vi8V4u4haTivE_psNOPKGcC-q_05TiNy-92jqha7qq-eMNSkoYJw.XODDXTTol1YqA3mO.tgP2l8HhdRDrLOaM6kxublpVn7n2RyVn3MkFXVfWDpCc9ZuL-WR3YpRGanYIn62qpmMCcC6ekqbSpK8MCLhO5tQ5xSWa2GeVbkWGjt3RhQCZfBqfS19_sX_nFcMgSuqOz5cUtiCdb2POsPNReY-Q2V24gBj1TKifoMby3JPxcsg5WfN3wIbq8QExa-dPB2RFQDVRVj-GOZR9TVIKd4D9gB_Ys8kcsvFlBEWmDLXPsxqiqf274f8i4dzQb_sSuDQ4gsLpQz5W82u_mxL2e372L9-wK-qh4sV8mwaeFc-GmoctOxr0OaSJRy0OfB04ODJDF201MmA-cB-RFy3j8yJRAOx2hcK0Z5tF35l9HJ8fhzGoHQsPOQpgyB5RO1L-GW3JlgeyIBjz-siLmzAhcFdkmzt7sA6pb0lGrlb_yQ2gIsvIajQiELLeKmn-9aEVlBdz3yyCbLHmrlxWv2RJuNP_GiMJwNw0_i6yzJb5NyAeB57y613k8hKxSVeK1TeQKrS8CiVUgikY9D93kUarIuSvzh9pAU2TBAoBlbG_LtbnKiRA94SdSYPR6B2EEes2TI-qsuEU3MRR1o4UyMQ1jVWw9KWYaWIn2cgGO0KC_xawzsPxQYhhP_LqgVXYaH935maOMTRWAizsSC1q6U7vpl693HdqB9agL-kWiNiAb8p0WBxswDodr7JkfKJZ2YRKmvg2lO-NEL1qvYyhUK7sqrReptaglp-fsY-WrPCK3PlHZCxPPXd1aRLfNBq68-p9TxvclavWV7bNZBfp50_9QlhO2hzKTlFWZgd8eKuSooHHf7dOY86LSyD3XLNPxpEbOkoSp8d2L1hY8w8.h1M06f8i3sqzwfDnUGmRvA
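The two steps above, worked end to end as an added example using only the Go standard library; this is not Rabobank's code and does not use any Rabo library. The protected header of the page's response example decodes to alg RSA-OAEP-256 and enc A256GCM, so the example produces and consumes that combination: the consumer generates an RSA key pair and serialises the public half as the X-Encryption-Key value (Step 1); the provider side is simulated by validating that header against the minimum RSA configuration and wrapping a constructed sample payload as a compact JWE per RFC 7516; the consumer then unwraps the content-encryption key with its private key and authenticates and decrypts the payload (Step 2). The function names, the "test-kid" identifier and the sample payload are assumptions made for this example; the EC/ECDH-ES variant and the SHA-1 based RSA-OAEP option are not implemented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

type RSAJWK struct { // JWK members that make up an RSA X-Encryption-Key value
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// GenerateConsumerKey: the consumer owns the key pair and only ever sends the public half.
func GenerateConsumerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewEncryptionKeyHeader (Step 1) serialises the public half as the header value.
func NewEncryptionKeyHeader(pub *rsa.PublicKey, kid string) (string, error) {
	out, err := json.Marshal(RSAJWK{Kty: "RSA", Alg: "RSA-OAEP-256", Use: "enc", Kid: kid,
		N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())})
	return string(out), err
}

// ParseEncryptionKeyHeader models the provider's validation against the minimum RSA configuration.
// The page also allows alg RSA-OAEP (SHA-1); this example implements only RSA-OAEP-256.
func ParseEncryptionKeyHeader(header string) (*rsa.PublicKey, *RSAJWK, error) {
	var jwk RSAJWK
	if json.Unmarshal([]byte(header), &jwk) != nil || jwk.Kty != "RSA" || jwk.Use != "enc" || jwk.Alg != "RSA-OAEP-256" {
		return nil, nil, errors.New("X-Encryption-Key: need a JWK with kty=RSA, use=enc, alg=RSA-OAEP-256")
	}
	n, errN := b64.DecodeString(jwk.N)
	e, errE := b64.DecodeString(jwk.E)
	if errN != nil || errE != nil || len(n) == 0 || len(e) == 0 || len(e) > 4 {
		return nil, nil, errors.New("X-Encryption-Key: n and e must be base64url big-endian integers")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	return pub, &jwk, nil
}

// EncryptJWE models the provider side: compact JWE (RSA-OAEP-256 + A256GCM) with the header as AAD.
func EncryptJWE(pub *rsa.PublicKey, kid string, plaintext []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"kid": kid, "enc": "A256GCM", "alg": "RSA-OAEP-256"})
	protected := b64.EncodeToString(hdr)
	buf := make([]byte, 32+12) // fresh 256-bit content-encryption key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:32], buf[32:]
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	split := len(sealed) - gcm.Overhead() // Go appends the tag; JWE carries it as a separate segment
	return strings.Join([]string{protected, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:split]), b64.EncodeToString(sealed[split:])}, "."), nil
}

// DecryptJWE (Step 2) is the consumer side: pin algorithms, unwrap the CEK, authenticate, decrypt.
func DecryptJWE(priv *rsa.PrivateKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, errors.New("not a compact JWE")
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("JWE segment is not base64url")
		}
	}
	var hdr struct{ Alg, Enc string } // encoding/json matches "alg"/"enc" case-insensitively
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" {
		return nil, errors.New("JWE header is malformed or names algorithms this consumer did not request")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[1], nil)
	if err != nil || len(cek) != 32 {
		return nil, errors.New("content-encryption key unwrap failed")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	if len(raw[2]) != gcm.NonceSize() { // gcm.Open panics on a wrong-sized nonce, so check first
		return nil, errors.New("bad IV length")
	}
	// The base64url protected header, exactly as received, is the AAD: any change to it, the ciphertext or the tag fails here.
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}
```

Two design points matter on the consumer side. The decrypt routine refuses any JWE whose alg or enc differs from what the consumer asked for in its JWK, so a downgraded or substituted algorithm in the header is rejected before the private key is used. And because the protected header is bound into the GCM authentication tag, a modified header or ciphertext yields an error rather than garbled plaintext, which is why the payload must only be consumed after gcm.Open succeeds.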