RSA Authentication

The RSA authentication method is almost identical to HMAC. The only difference is that it uses an RSA private key to sign the String-to-Hash and a RSA public key to validate that the signature is valid. RSA keys provide a more secure way of signing your auth headers than using a password. While a password can eventually be cracked with a brute force attack, RSA keys are nearly impossible to decipher by brute force alone. The downside of using RSA to sign API calls, is that RSA signatures require a lot more CPU resources (up to ~250 times) than HMAC hashing.

Generate an RSA Key Pair

The following section outlines the steps involved in generating an RSA key pair with OpenSSL. We recommend that you generate a 2048 bit key pair as 1024 bit keys are no longer considered secure and 4096 bit keys consume considerable CPU resources when signing API calls.

  1. Generate a 2048-bit RSA private key and write it to a file private.pem.
#Output an RSA private key with 2048 bit protection.
openssl genrsa -out private.pem 2048
  1. Generate a PKCS8 formatted file from the private key and write it to file private8.pem. The private8.pem file must be used in the RSA-DIGEST function to sign the requests.
#Generate a pk8 file from the private key.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private.pem -out private8.pem
  1. Generate the public key file from the private key and write it to a file public.pem.
#Generate a public key from the private key.
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Build an RSA Authentication Header

Now that you know how to create a public and a private key, You must send the public key to Bluefin, and keep the private key on your server.

Property Description
username This property must be set to your partnerId.
nonce This property must be set to a nonce. A nonce can be any arbitrary string, however each nonce can be used only once once over a 15 minute period. Our service keeps a record of these nonces; if a nonce is encountered more than once during a 15 minute period the API call is rejected and an auth error response is produced. It is up to you to keep the nonce unique.
timestamp A unix timestamp. Our service will reject API calls with a timestamp older than 15 minutes.
response The response property is an RSA private key signature of a number of the API call's properties.

Decryptx Parser Examples in Certification

How to construct RSA Authentication headers for Decryptx Parser requests