search

ONDC-Official / ONDC-Protocol-Specs

Open Network for Digital Commerce (ONDC) Open API Specifications. ONDC is an ambitious initiative to democratize digital commerce by creating a decentralized network of buyer apps and seller apps through an interoperable protocol specification.
Other
136 stars 59 forks source link

ONDC data encryption policy #24

Open BLR-0118 opened 2 years ago

BLR-0118 commented 2 years ago

Define ONDC data encryption policy:

  1. Key exchange - X25519
  2. Encryption
  3. Data elements to be encrypted
vu3mmg commented 2 years ago

Could we use a mixture of AES ad RSA .

  1. Before making a call to server. , client generates a random AES key .
  2. Then encrypts the elements .
  3. Then encrypts the AES key with servers publickey
  4. Send the encrypted data and encrypted key to server .
  5. Server retrieves the AES key from encrypted key using its private key .
  6. Server decrypts the content using retrieved AES key .
  7. Then creates response message ,
  8. Encrypts response message using the AES key
  9. and send to client
  10. Client knows the AES @key
  11. And retrieves the message .

For the next API call , Client generates a new key continue . @coreadmin

BLR-0118 commented 2 years ago

We need to use X25519 for key exchange as per the protocol. Also, for encryption, we're looking at AES-256, Curve25519, ChaCha20 as the only encryption algorithms. Any thoughts?

vu3mmg commented 2 years ago

I think X25519 is the Diffie Hellman key exchange . My suggestion is to look from an implementer point of view . I think the requirement is integrity and confidentiality of data , not a specific key exchange protocol . Also how robust & friendly the mechanism will be to implement in browser and in app .

Hence I was suggesting a standard mechanism which could be implemented .

with thanks and regards Mahesh

On Mon, May 2, 2022 at 12:06 PM Supriyo Ghosh @.***> wrote:

We need to use X25519 for key exchange as per the protocol. Also, for encryption, we're looking at AES-256, Curve25519, ChaCha20 as the only encryption algorithms. Any thoughts?

— Reply to this email directly, view it on GitHub https://github.com/Open-network-for-digital-commerce/ONDC-Protocol-Specs/issues/24#issuecomment-1114542903, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACHGYNZ7PPUVZM4NNY2F4Y3VH5ZYXANCNFSM5SYB6G6Q . You are receiving this because you commented.Message ID: <Open-network-for-digital-commerce/ONDC-Protocol-Specs/issues/24/1114542903 @github.com>

BLR-0118 commented 2 years ago

Thanks for your suggestions!

vu3mmg commented 2 years ago

One more query . Is the ONDC protocols same as beckn . Or different .

BLR-0118 commented 2 years ago

ONDC protocol is an adaptation of the Beckn protocol

mahoriR commented 2 years ago

Could we use a mixture of AES ad RSA .

1. Before making a call to server. , client generates a random AES key .

2. Then encrypts the elements .

3. Then encrypts the AES key with servers publickey

4. Send the encrypted data and encrypted key to server .

5. Server retrieves the  AES key from encrypted key using its private key .

6. Server decrypts the content using retrieved AES key .

7. Then creates response message ,

8. Encrypts response message using the AES key

9. and send to client

10. Client knows the AES key

11. And retrieves the message .

For the next API call , Client generates a new key continue .

Agreed. This suggestion is pretty standard and any banks use this for encrypting the payloads. Will be easy for folks to implement.