What is encryption in bridges and plugins?

Asymmetric data encryption was added in version 141 of the bridge, as well as in plugins built with the plugin builder. Data is encrypted using the OAEP (Optimal Asymmetric Encryption Padding) scheme, which provides reliable security and resistance to attacks.

When data is exchanged between API2Cart and the server on which the bridge or plugin is installed, there is a risk that it will be intercepted. In particular, if the data is not transmitted over a secure HTTP protocol, an attacker can gain unauthorized access to the database. In addition, an attacker who somehow learns the store_key can interact with the store directly through the bridge, bypassing API2Cart. To prevent this, we implemented asymmetric data encryption.

Here's how it works:

  • When a bridge is downloaded or a plugin generated by the plugin builder is installed, a pair of keys is generated: a public key for encryption (contained in the bridge file) and a private key for decryption (added to API2Cart and known only to it). Each new store gets its own key.
  • Data transmitted to the bridge is encrypted using the private key.
  • When it receives data from API2Cart, the bridge decrypts the data and executes the necessary scripts.
  • The results are encrypted using the public key and sent to API2Cart, where they are decrypted using the private key.

This algorithm does not lead to significant delays in the execution of requests or additional load on the server and is a reliable tool for protecting confidential data during its exchange between parties.

Its main advantages:

  • An encrypted communication channel prevents interception of confidential data.
  • Protection against store_key exposure: an attacker cannot send requests directly to the bridge/plugin even if they know the store_key.
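
The last step of the exchange described above (the bridge encrypts results with the store's public key, API2Cart decrypts them with the private key), as an added example that is not API2Cart's own code. It assumes RSA-2048 with SHA-256 as the OAEP hash, which the page does not specify; the function names and the sample payload are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Encrypt is the bridge side: seal a result with the store's public key.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt is the service side: only the private-key holder can open a result.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// MaxLen is the largest plaintext one OAEP block holds: k - 2*hLen - 2 bytes.
func MaxLen(pub *rsa.PublicKey) int { return pub.Size() - 2*sha256.Size - 2 }

// Check runs the exchange with fresh keys and a constructed sample payload.
func Check() map[string]bool {
	store, err1 := rsa.GenerateKey(rand.Reader, 2048) // this store's key pair
	other, err2 := rsa.GenerateKey(rand.Reader, 2048) // another store's key pair
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	pub, msg := &store.PublicKey, []byte(`{"order_id":"1001","total":"19.90"}`)
	c1, e1 := Encrypt(pub, msg)
	c2, e2 := Encrypt(pub, msg)
	if e1 != nil || e2 != nil {
		panic("encryption failed")
	}
	p1, e3 := Decrypt(store, c1)
	bad := append([]byte{}, c1...)
	bad[len(bad)-1] ^= 1 // one ciphertext bit changed in transit
	_, eTamper := Decrypt(store, bad)
	_, eOther := Decrypt(other, c1) // a different store's private key
	_, eLong := Encrypt(pub, make([]byte, MaxLen(pub)+1))
	return map[string]bool{
		"round_trip": e3 == nil && bytes.Equal(p1, msg), "randomized": !bytes.Equal(c1, c2),
		"tamper_rejected": eTamper != nil, "wrong_key_rejected": eOther != nil,
		"too_long_rejected": eLong != nil, "max_len_is_190": MaxLen(pub) == 190,
	}
}

func main() { fmt.Println(Check()) }
```

Under these assumptions a single OAEP block carries at most 190 bytes, so a larger result has to be split or wrapped in a symmetric layer; the page does not say how the bridge handles that.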
