Dataset Decryption

Zero-Trust Encryption

Some of the datasets available on FusionFabric.cloud contain encrypted data. You must decrypt the data before being able to use it for your business use case.

The data is encrypted with a combination of asymmetric and symmetric algorithms that makes the process work as an end-to-end zero-trust strategy. At one end there is the financial institution providing the encrypted data. At the other end there is you - the fintech consuming the data.

FusionFabric.cloud acts as a facilitator for the exchange of the decryption context. It has no access to the encrypted data and is not able to decrypt it. Therefore, only you can decrypt the data that you subscribed to.

The data is encrypted at field level. Each field is encrypted with AES256-GCM using a symmetric key - the Data Encryption Key (DEK). The resulting string is the concatenation of the Base64 encoded initialization vector (IV) and the Base64 encoded cipher text - the encrypted data.

Dataset Decryption Process

The decryption process is depicted in the following diagram.

[Figure: Dataset decryption]

The decryption process starts by registering your public key with FusionFabric.cloud. You do that by submitting a JSON web key to the application that you registered with the encrypted dataset. The submission process, including how to generate a JSON web key, is described in the JSON Web Key section.

Then you get the encrypted dataset through the steps described in the Dataset Subscription section.

Through the Dataset Consumption Support API you request the decryption context, based on your tenant, dataset ID and file name. You retrieve the key encryption key (KEK) for each encrypted field of your dataset along with an identification key - named $tenant$_secret_version, based on the tenant to which the dataset applies.

The Dataset Consumption Support API is automatically added to your application that contains an encrypted dataset.

The $tenant$_secret_version key is used to identify the secret, named E_dataset_$tenant$_secret, that was encrypted by the financial institution with the public key that you submitted through your application.

Each KEK is computed by FusionFabric.cloud, while the $tenant$_secret_version - E_dataset_$tenant$_secret pair is provided by the core system instance that is supplying your dataset.

You decrypt the E_dataset_$tenant$_secret key with the private key paired to the public key that you submitted through the application. This decrypted key, named dataset_$tenant$_secret, was generated by the financial institution for the purpose of allowing you to compute the symmetric key that you will use to decrypt the dataset.

For performance reasons, it is recommended that you cache the pair $tenant$_secret_version - dataset_$tenant$_secret in your app.

With the dataset_$tenant$_secret key you compute the data encryption key (DEK) by applying an HMAC_SHA256 hash transformation to the KEK of each dataset field.

In the end, you parse each row and field value to extract the cipher text that you decrypt with the DEK that you previously computed.
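The last steps above (caching the secret per version, deriving a DEK from a field's KEK, splitting and decrypting a field value) as an added example; it is not code from the fusionfabric/dataset-decryption package. It assumes a 12-byte IV, the GCM tag appended to the cipher text, the dataset secret as HMAC key with the KEK as message, and the third-party `cryptography` package for AES-GCM; all function names are hypothetical.

```python
import base64
import hashlib
import hmac

IV_LEN = 12   # assumption: 96-bit GCM IV; the page does not state the IV length
TAG_LEN = 16  # assumption: 128-bit GCM tag appended to the cipher text

_secret_cache = {}  # $tenant$_secret_version -> dataset_$tenant$_secret


def cached_secret(version, unwrap):
    """Return dataset_$tenant$_secret for a version, unwrapping it only once.

    `unwrap` is a hypothetical caller-supplied callable that decrypts
    E_dataset_$tenant$_secret with your private key.
    """
    if version not in _secret_cache:
        _secret_cache[version] = unwrap(version)
    return _secret_cache[version]


def derive_dek(dataset_secret: bytes, kek: bytes) -> bytes:
    """DEK = HMAC-SHA256(key=dataset secret, msg=field KEK): 32 bytes for AES-256."""
    return hmac.new(dataset_secret, kek, hashlib.sha256).digest()


def split_field(value: str, iv_len: int = IV_LEN):
    """Split Base64(IV) || Base64(cipher text) into raw (iv, ciphertext) bytes."""
    b64_iv_len = 4 * ((iv_len + 2) // 3)  # Base64 length of an iv_len-byte IV
    iv = base64.b64decode(value[:b64_iv_len], validate=True)
    ciphertext = base64.b64decode(value[b64_iv_len:], validate=True)
    if len(iv) != iv_len or len(ciphertext) < TAG_LEN:
        raise ValueError("malformed encrypted field")
    return iv, ciphertext


def decrypt_field(value: str, dek: bytes) -> bytes:
    """AES-256-GCM decrypt one field; raises InvalidTag on a wrong key or tampering."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party
    iv, ciphertext = split_field(value)
    return AESGCM(dek).decrypt(iv, ciphertext, None)
```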

Python Package

A Python package is available for you on GitHub - fusionfabric/dataset-decryption.

Download or clone it and follow the instructions from Readme.md to learn how to use it to decrypt the datasets you get from FusionCreator.