---
page_source: https://docs.test.juspay.io/resources-barclays/docs/card-network-tokenization/card-details-encryption
page_title: Card Details Encryption
---
# Card Details Encryption for ALT ID & Tokenization
The card details(card number, expiry month, expiry year, cvv) can be encrypted before passing to Juspay using the asymmetric cryptographic algorithm.
* The public key will be shared by Juspay which can be used for encryption.
* Encrypt the card details using the shared public key. The sample code snippet is given below.
> **Note**
>
> ### **Encryption method and algorithm**
>
>
>
> **Algorithm** : RSA-OAEP-256**ENC** : A128GCM
Required inputs to be encrypted are given below:
| Field Name | Required | Type |
|---|---|---|
| cardNumber | Yes | String |
| expYear | Yes | String |
| expMonth | Yes | String |
| cardSecurityCode | Conditional | String |
## Dependencies to run the code
#### xml Code Snippet:
```xml
4.0.0
com.example
demo
1.0-SNAPSHOT
1.8
1.8
com.nimbusds
nimbus-jose-jwt
9.31
org.bouncycastle
bcpkix-jdk15on
1.59
com.fasterxml.jackson.core
jackson-databind
2.15.2
com.fasterxml.jackson.core
jackson-core
2.15.2
```
### You may use the below public key and keyId for testing in **sandbox/production environment respectively** :
`Sandbox: 2218168c-ee6b-49d7-a851-8b94e7d0068d`
`Production keyId:4418168c-aa6b-49d7-a987-1b94e7d2268d`
#### Sandbox Code Snippet:
```sandbox
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhTe0SKYUQDLslwkuW1HD
QLyGO+PQ1CiBkyMsoMHQ7vXWdpY8txy0Ta0EZvNnYRdwPxMf7Gu6Z8nZDoGdgv0k
avbZ8hHz+sEo1UkUspdad5jih7Nw3X7dyocdhYYu9q8zdzrf4MWIjkDji0tTWCQy
JeUCOhscrWRueAOxszkPsN3Akpucy8kFz4F91FIEpCBHHMtMpfeSclVU+H8exoB/
GfkhMFZ8d7/y8NweBcTh+EnN/hZpq63L/FLc0xUmqFYI9S1BuMpB4HXrpGK/2D5s
WgA5A5eOpX0wbKJ3olwWEwBLZs/7EEZaVEpgYSiZNOo9IWlx5ZpHdvXkkKYe9JoO
iwIDAQAB
-----END PUBLIC KEY-----
```
#### Production Code Snippet:
```production
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0dzJR6QCvNTS4CtmcDgW
eDaJAcJo+HD2MpZaO63kWFh2RE1It9dfTgF5PfL3L/cACHOgCtsSklC3I06wTNp/
2yM0v9WzSaga8VjeX3Q8XegCPBMaYxizWNIe8ZVKSzeAz/xQ43ktvPQFDV8chdpo
v0RxYa6Sa6rP9NeZdAQ/wezMJ3A5c6hWSroXsGrobEjrsZwaJ2P8ew/hgyfZroZP
Ck+S2UzDQkvagW2ZbcljkqG8gsEzzgoo/qNKtyPC5pTZRMRf0rwlch9DO04QnYV8
bLuk6UI0Rre5rB7jrAAf5+d6Z7F1ow0xIdJtCzuwklTUL5b+VPOUZqfDxPI1/LIu
hQIDAQAB
-----END PUBLIC KEY-----
```
## Sample Code Snippet for Encryption
#### Java Code Snippet:
```java
package com;
import java.io.FileReader;
import java.io.IOException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.fasterxml.jackson.annotation.JsonInclude.Include;
import com.fasterxml.jackson.databind.ObjectMapper;
public class App {
public static void main(String[] args) throws Exception {
String keyId = "";
String payload="{\"cardNumber\":\"\",\"expMonth\":\"\",\"expYear\":\"<4digits_year>>\",\"cardSecurityCode\":\"<3digit/4digit>\"}";
String encPayload = getEncryptedPayload(payload, keyId);
System.out.println(encPayload);
//In order to decrypt the encrypted response you get from API response, you can assign it to encryptedResponse variable for decrypting details.
String encryptedResponse = "";
String decryptedResponse = getDecryptedPayload(encryptedResponse, String.class);
System.out.println(decryptedResponse);
}
public static T getDecryptedPayload(String response, Class returnType) {
T decryptedResponse = null;
try {
JWEObject jweObject = JWEObject.parse(response);
//If you have used passphrase while generating the csr make sure you the same while getting the private key. Otherwise decryption will fail.
jweObject.decrypt(new RSADecrypter(getRSAPrivateKey()));
response = jweObject.getPayload().toString();
ObjectMapper mapper = new ObjectMapper();
decryptedResponse = mapper.readValue(response, returnType);
} catch (Exception e) {
e.printStackTrace();
}
return decryptedResponse;
}
private static PrivateKey getRSAPrivateKey() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
String pemFilePath = "";
FileReader fileReader = new FileReader(pemFilePath);
PEMParser pemParser = new PEMParser(fileReader);
try {
Object pemObject = pemParser.readObject();
if (pemObject instanceof PEMKeyPair) {
PEMKeyPair pemKeyPair = (PEMKeyPair) pemObject;
JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
KeyPair keyPair = converter.getKeyPair(pemKeyPair);
if (keyPair != null) {
return keyPair.getPrivate();
} else {
throw new IllegalArgumentException("The PEM file does not contain a valid private key.");
}
} else {
throw new IllegalArgumentException("The PEM file does not contain a private key.");
}
} finally {
pemParser.close();
fileReader.close();
}
}
//Make sure you are reading and passing the correct keyId from credentials. This is required and is passed in headers.
public static String getEncryptedPayload(Object payload, String keyId) throws Exception {
ObjectMapper mapper = new ObjectMapper();
mapper.setSerializationInclusion(Include.NON_NULL);
mapper.setSerializationInclusion(Include.NON_EMPTY);
String plainText = payload == null ? "" : mapper.writeValueAsString(payload);
JWEHeader.Builder headerBuilder = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A128GCM);
headerBuilder.keyID(keyId);
headerBuilder.customParam("iat", System.currentTimeMillis());
JWEObject jweObject = new JWEObject(headerBuilder.build(), new Payload(plainText));
jweObject.encrypt(new RSAEncrypter(getRSAPublicKey()));
return "{\"encData\":\""+jweObject.serialize()+"\"}";
}
/*
* Converts PEM file content to RSAPublicKey
*/
private static RSAPublicKey getRSAPublicKey() throws Exception {
String pemFilePath = "";
FileReader fileReader = new FileReader(pemFilePath);
PemReader pemReader = new PemReader(fileReader);
try {
PemObject pemObject = pemReader.readPemObject();
if (pemObject != null) {
if ("PUBLIC KEY".equalsIgnoreCase(pemObject.getType())) {
byte[] publicKeyBytes = pemObject.getContent();
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
if (publicKey instanceof RSAPublicKey) {
return (RSAPublicKey) publicKey;
} else {
throw new IllegalArgumentException("The loaded key is not an RSAPublicKey.");
}
} else {
throw new IllegalArgumentException("The PEM file does not contain a public key.");
}
} else {
throw new IllegalArgumentException("No PEM data found in the file.");
}
} finally {
pemReader.close();
fileReader.close();
}
}
public static RSAPublicKey readPEMPublicKey(String pemFilePath) throws Exception {
FileReader fileReader = new FileReader(pemFilePath);
PemReader pemReader = new PemReader(fileReader);
try {
PemObject pemObject = pemReader.readPemObject();
if (pemObject != null) {
if ("PUBLIC KEY".equalsIgnoreCase(pemObject.getType())) {
byte[] publicKeyBytes = pemObject.getContent();
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
if (publicKey instanceof RSAPublicKey) {
return (RSAPublicKey) publicKey;
} else {
throw new IllegalArgumentException("The loaded key is not an RSAPublicKey.");
}
} else {
throw new IllegalArgumentException("The PEM file does not contain a public key.");
}
} else {
throw new IllegalArgumentException("No PEM data found in the file.");
}
} finally {
pemReader.close();
fileReader.close();
}
}
}
```
#### Python Code Snippet:
```python
# Note: The input payload for encrypt method should be a json object
from jwcrypto import jwk, jwe
import json
import time
from calendar import timegm
from datetime import datetime
from hashlib import sha256
import hmac
def encrypt(payload):
# config = Configuration()
payload = json.dumps(payload)
protected_header = {
"alg": "RSA-OAEP-256",
"enc": "A128GCM",
"kid": ""
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
recipient=loadPem(''),
protected=protected_header)
encryptedPayload = jwetoken.serialize(compact=True)
return json.dumps({"encData": encryptedPayload})
def loadPem(filePath):
with open(filePath, "rb") as pemfile:
return jwk.JWK.from_pem(pemfile.read())
def decrypt(encPayload):
if type(encPayload) is str:
payload = json.loads(encPayload)
if payload.get('encData', False):
jwetoken = jwe.JWE()
jwetoken.deserialize(payload["encData"], key=loadPem(''))
return json.dumps(json.loads(jwetoken.payload))
return encPayload
#Command to encrypt card details
print(encrypt('{"cardNumber": "","expMonth": "","expYear": "","cardSecurityCode": "<3 digits/ 4 digits>"}'))
#Command to get the decrypted details
print(decrypt('{"encData": ""}'))
```
> **Warning**
> For latest update on guidelines, please refer to the RBI website or your banking partner