Entrust Digital Card Solution employs numerous security measures, one of which is JWE (JSON Web Encryption).


What is the JWE key?

The key is used to decrypt sensitive fields that originate from the issuer and to confirm their integrity.


Who generates it?

Entrust generates MESSAGE_IN_JWE_KP, a key pair (public key and private key) used for incoming messages.

The Issuer generates MESSAGE_OUT_JWE_PUK, also a key pair, of which only the public key is shared with Entrust; it is used for outgoing messages from the Entrust DCS Back End.


Sensitive fields of the messages are encrypted using a single-use symmetric Content Encryption Key (CEK), itself encrypted with the recipient’s public key.

  • Messages sent to the Entrust Back-end are encrypted using the public key of the key pair generated on the Entrust platform. The public key is provided to the Issuer during onboarding, and Entrust renews the key periodically.

  • Messages sent from the Entrust Back-end, including its responses, are encrypted with the Issuer public key imported into the Entrust Back-end during onboarding.



What is this for?

Sensitive fields, such as the PAN and the card cryptogram, are encrypted using JWE (JSON Web Encryption).


How does it work?

- The sender uses the recipient’s public key to encrypt the Content Encryption Key (CEK).
- The sender then uses the CEK to encrypt the actual payload with symmetric encryption.
- The encrypted CEK and the encrypted payload are sent to the recipient as part of the JWE.


The recipient then uses their private key to decrypt the CEK and subsequently uses the CEK to decrypt the payload. The private key is never shared or transmitted; it remains securely with the recipient. 


The sender only needs the recipient’s public key and the generated CEK for the encryption process. This ensures that only the recipient, who has the private key, can decrypt the message.

