Crypto Primer

Crypto Example Project

The attached demo project will provide an example implementation of the EC_v1 encryption.

Click this link to download the zip file.


Zip file download is currently not available.


Encryption Workflow Summary Sensitive data sent in any API call will be field-level encrypted using Elliptic Curve Diffie-Hellman (id-ecDH A standard P-256 curve will be used.

UTF-8 encoded bytes of the plaintext JSON "data" dictionary shall be encrypted and included as a Base64 encoded string in the actual JSON payload sent. Field level encryption shall use AESā€“256 (id-aes256-GCM), with an initialization vector (IV) of 16 null bytes and no associated authentication data (AAD).

Cipher Parms To Get Instance


Encryptioan Version "EC_v1" Key Derivation Function

Use the key derivation function (KDF) described in NIST SP 800-56A, section 5.8.1, with the following input values:

Input NameValue
Hash FunctionSHA-256
ZThe shared secret calculated above using ECDH
Algorithm IdThe byte (0x0D) followed by the ASCII string "id-aes256-GCM". The first byte of this value is an unsigned integer that indicates the stringā€™s length in bytes; the remaining bytes are a variable-length string.
Party U InfoThe ASCII string "YourProgramCodeHere". This value is a fixed-length string
Party V InfoThe SHA-256 hash of the UTF-8 encoded bytes of the X-GD-Request-Id value
Supplemental Public and Private InfoUnused

Extract the embedded file and import it into a workspace. Maven can be used to retrieve dependencies. It is incumbent on the developer to update the project with required jar files until the project compiles in their environment.

The two projects in this project can be run after the Maven Update completes.

Sample application demonstrating encrypt to self, instead of for Green Dot, and decrypt operations using same key pair to provide reference for handling decrypt which needs to also handle parsing of ephemeral public key.

Working implementation to encrypt data targeting our sandbox public key, which is also included in the project. Again, upon execution, you will see console output.

After the encryption code has been run, a JSON payload is produced to the console tab, which can be posted over to PIE with a valid auth token from using sandbox credential to confirm able to decrypt.