Security

CODE uses HTTPS on the connection between the VASP that sends a request and the VASP that responds to it as the basic transport protection. In addition, sensitive information such as transaction details and personal data is bundled into the payload object and encrypted end-to-end so that only the two VASPs can read it. (End-to-end encryption is applied by default even when interoperating with another solution.)
As a rule, the payload object of a message is encrypted. The exception is the virtual asset address search API: it does not specify a beneficiary VASP, because the request has to be broadcast internally, so its payload is sent unencrypted.
The key pair created by running the separately provided sample code (generate_key.py) consists of a Signing Key and a Verify Key, which create and verify the signature respectively.
The per-language sample code, however, converts these keys automatically inside its encryption object, which takes the public key (Verify Key) of the other party sending or receiving the message and one's own private key (Signing Key), so that the same key pair serves both signing and encryption/decryption.
For that reason, the CODE manual refers to the Signing Key as the Private Key and to the Verify Key as the Public Key.

Example for encryption

It is assumed that the following original message is to be encrypted.
  {
    "currency": "XRP",
    "payload": {
      "ivms101": {
        "Beneficiary": {
          "accountNumber": ["rHcFoo6a9qT5NHiVn1THQRhsEGcxtYCV4d:memo or tag"]
        }
      }
    }
  }
The target of encryption is the payload object, i.e. the {"ivms101": ...} part.
  1. The sending VASP A encrypts the payload (ECDH, XSalsa20) using the public key of the receiving VASP B and its own (VASP A) private key.
  2. The payload value is overwritten with the base64 encoding of the encrypted result.
  3. The type of the payload changes from object to String.
If the payload field is a String, it is the base64-encoded encryption result; if it is an object, it can be treated as plaintext. VASP B decrypts with the same method, but builds its encryption object from the public key of VASP A and the private key of VASP B.
After encryption, the message has the following form:
  {
    "currency": "xrp",
    "payload": "base64 encoded string"
  }

Example for signature creation

The CODE server uses a signature, carried in the header, over data combined according to specific rules to check whether the VASP that sent the message is genuine.
The signature is created by joining the calling URL (an empty string for a response), the body string, X-Code-Req-Datetime and X-Code-Req-Nonce into one byte array and signing it with the Private Key (Signing Key) of the sending VASP A.
The CODE server verifies this signature.