Encrypting Passed Parameters

The parameters included in your Upsell Flow Page, Vendor-Provided Confirmation Page, and Thank You Page URLs can include personally identifiable information (PII). You can enable encryption for these parameters so that the PII is not passed in clear text. If you do so, you must decrypt the parameters before you can read the information.

The following subjects are covered in this article:

  Encryption Algorithm
  Encrypted Parameter Format
  Testing Encryption
  Enabling Encryption
  Code Samples

Encryption Algorithm

ClickBank uses the CBC-AES-256 encryption algorithm (AES with a 256-bit key in CBC mode) to secure the parameters, so that customer information is not passed in clear text. The parameters are encrypted using a secret key of up to 16 characters and an initialization vector (IV). The IV and the encrypted text are Base64-encoded and then URL-encoded using the java.net URL encoder.

If you enable encryption, you must URL-decode, Base64-decode, and decrypt the parameters using the initialization vector and your secret key before you can process them.

See the Instant Notification Service article's Code Samples section for example methods for decrypting parameters.

Encrypted Parameter Format

The base format for a URL with encrypted parameters is:

http://<Pitch Page, Thank You Page, or Confirmation Page URL>/?<other variables>&iv=ENCODED_IV_VALUE&params=ENCODED_AND_ENCRYPTED_PARAMETERS
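The following Go program is an added example, not ClickBank's code or the page's own samples. It parses a URL in the format above, reproduces the key derivation used by the page's Java and PHP samples (first 32 hex characters of the SHA-1 digest of the secret key, used as ASCII bytes), decrypts the params value with AES-256-CBC and validates the PKCS#5 padding before parsing the JSON. Because no real ciphertext can be embedded here, the BuildTestURL helper and the sample values (secret key, IV, field names) are constructed for the demonstration; in production ClickBank chooses the IV and ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// DeriveKey mirrors the page's Java and PHP samples: the hex SHA-1 digest of the
// secret key, truncated to 32 characters, whose ASCII bytes are the 256-bit AES key.
func DeriveKey(secretKey string) []byte {
	sum := sha1.Sum([]byte(secretKey))
	return []byte(hex.EncodeToString(sum[:])[:32])
}

// pkcs5Unpad removes PKCS#5 padding and rejects malformed padding, instead of
// trimming control characters blindly the way the mcrypt sample does.
func pkcs5Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return data[:len(data)-n], nil
}

// DecryptParams takes the URL-decoded (still Base64) iv and params values and returns the JSON object.
func DecryptParams(ivB64, paramsB64, secretKey string) (map[string]interface{}, error) {
	iv, err := base64.StdEncoding.DecodeString(ivB64)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be a Base64-encoded 16-byte value")
	}
	ct, err := base64.StdEncoding.DecodeString(paramsB64)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("params must be a Base64-encoded whole number of AES blocks")
	}
	block, err := aes.NewCipher(DeriveKey(secretKey))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs5Unpad(pt); err != nil {
		return nil, err
	}
	var fields map[string]interface{}
	if err := json.Unmarshal(pt, &fields); err != nil {
		return nil, fmt.Errorf("decrypted payload is not a JSON object: %w", err)
	}
	return fields, nil
}

// DecryptURL pulls iv and params out of a page URL in the documented format and decrypts them.
// url.Values does the percent-decoding, so %2B and %3D inside the Base64 come back as + and =.
func DecryptURL(rawURL, secretKey string) (map[string]interface{}, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	if q.Get("iv") == "" || q.Get("params") == "" {
		return nil, errors.New("iv or params parameter missing")
	}
	return DecryptParams(q.Get("iv"), q.Get("params"), secretKey)
}

// BuildTestURL is a constructed helper, not something ClickBank provides: it encrypts
// a parameter map the same way so the decryptor can be exercised offline (iv: 16 bytes).
func BuildTestURL(pageURL, secretKey string, iv []byte, params map[string]string) (string, error) {
	pt, err := json.Marshal(params)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := aes.NewCipher(DeriveKey(secretKey))
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	q := url.Values{}
	q.Set("iv", base64.StdEncoding.EncodeToString(iv))
	q.Set("params", base64.StdEncoding.EncodeToString(ct))
	return pageURL + "?" + q.Encode(), nil
}

func main() {
	// Constructed sample values; the secret key and field names follow the page's Java sample.
	u, err := BuildTestURL("http://www.example.com/download.html", "MYSECRETKEY",
		[]byte("97847107A0766689"), map[string]string{"cname": "JohnDoe", "cemail": "john@doe.com"})
	if err != nil {
		panic(err)
	}
	fields, err := DecryptURL(u, "MYSECRETKEY")
	fmt.Println(u, fields, err)
}
```

CBC mode gives confidentiality only; nothing in this format authenticates the ciphertext, so a padding or JSON failure is the only signal that a value was altered or encrypted with a different key. Return one generic error for every failure path and treat the decrypted fields as untrusted input that is validated and escaped like any other query parameter.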

Testing Encryption

You can encrypt PII for test transactions only, to verify that your decryption is working before you encrypt PII for live data.

  1. Log in to your ClickBank account.
  2. Click the Settings tab.
  3. Click My Site.
  4. Locate the Advanced Tools Editor section and click Edit.
  5. Click the Encrypt TEST Transaction URLs checkbox.
  6. Enter a secret key if you do not have one. Your secret key can be up to 16 characters long and may contain digits and capital letters.
  7. Click Save Changes.
    Your Upsell Flow Page, Thank You Page, and Vendor-Provided Confirmation Page URLs for test transactions are now encrypted.

Enabling Encryption

  1. Log in to your ClickBank account.
  2. Click the Settings tab.
  3. Click My Site.
  4. Locate the Advanced Tools Editor section and click Edit.
  5. Click the Encrypt Transaction URLs checkbox.
  6. Enter a secret key if you do not have one. Your secret key can be up to 16 characters long and may contain digits and capital letters.
  7. Click Save Changes.
    Your Upsell Flow Page, Thank You Page, and Vendor-Provided Confirmation Page URLs are now encrypted.

Code Samples

Java Decryption Code Sample

The following code sample uses Java to decode and decrypt the Upsell Flow parameters.

NOTE – This code sample is included as an example. It may require modification to work with your environment.

package com.package.name;

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.json.JSONObject;
import org.json.JSONTokener;
import org.junit.Test;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

public class Decrypt {

    /**
     * Decrypts a Base64-encoded AES-256-CBC ciphertext. The AES key is the first
     * 32 hex characters of the SHA-1 digest of the secret key, used as ASCII bytes.
     */
    public static String decryptAESWith256BitKey(final String encryptedString, final String secretKey, final String iv) throws Exception {
        try {
            final MessageDigest digest = MessageDigest.getInstance("SHA-1");
            digest.reset();
            digest.update(secretKey.getBytes(StandardCharsets.UTF_8));
            final String key = new String(Hex.encodeHex(digest.digest())).substring(0, 32);

            // Both the IV and the ciphertext arrive Base64-encoded (and URL-encoded) in the query string.
            final IvParameterSpec ivParameterSpec = new IvParameterSpec(Base64.decodeBase64(iv));
            final SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(StandardCharsets.US_ASCII), "AES");
            final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivParameterSpec);

            return new String(cipher.doFinal(Base64.decodeBase64(encryptedString)), StandardCharsets.UTF_8);
        } catch (final Exception ex) {
            throw new Exception("Unable to decrypt string: " + ex.getMessage(), ex);
        }
    }

    @Test
    public void testUrlDecryption() {

        final String encryptedUrl = "http://www.example.com/download.html"
            + "?iv=OTc4NDcxMDdBMDc2NjY4OQ%3D%3D"
            + "&params=53OG25PsV%2FYXr16cluQx6CSZ9mEovQm9plTbd0RztlBQM8czOyrT%2BTV0iWJmhz0fYc6YgKhOlEmWKUYHg"
            + "QvLgxgCKeN4MGNyJnbj%2FqiCfR6Ddyv38ecrz%2Fd1OlJqgABN9x1aGSe23%2Br4NIvh26HRtCewy1ELq%2BmL%2FaXp"
            + "YySCuJpRUL5ynS3msYl5nI7i4PGHv27zb8F38hwy%2F05Ly1XeEyVN%2BprpO2yXz8PnLoLGkCYot%2FcFqd622%2BO13ATo5fK7";

        try {
            // Expected URL format: [/URL/...]iv=SOME_IV_VALUE&params=ENCRYPTED_PARAMS
            // Splitting on '&' and '=' leaves the params value last and the iv value third from last.
            final String[] vals = encryptedUrl.split("[&=]");
            final String encryptedString = URLDecoder.decode(vals[vals.length - 1], "UTF-8");
            final String iv = URLDecoder.decode(vals[vals.length - 3], "UTF-8");

            final String decryptedString = decryptAESWith256BitKey(encryptedString, "MYSECRETKEY", iv);

            // The decrypted payload is a JSON object holding the customer fields.
            final JSONObject jsonParams = new JSONObject(new JSONTokener(decryptedString));
            assertEquals("JohnDoe", jsonParams.get("cname"));
            assertEquals("john@doe.com", jsonParams.get("cemail"));
        } catch (final Exception ex) {
            fail("Decryption failed: " + ex.getMessage());
        }
    }
}

PHP Decryption Code Sample

The following code sample uses PHP to decode and decrypt the Upsell Flow parameters.

NOTE – This code sample is included as an example. It may require modification to work with your environment.

<!DOCTYPE html>
<html>
<head>
<title>test</title>
</head>
<body>
<pre>
<?php

// NOTE: this sample uses the openssl extension, which is bundled with PHP.
// The mcrypt extension used by earlier versions of this sample was removed
// in PHP 7.2; openssl_decrypt() with 'aes-256-cbc' performs the same
// AES-256-CBC decryption and removes the PKCS#5 padding itself.

// Pull out the encrypted params. PHP has already URL-decoded $_GET values,
// so do not urldecode() them again (a second pass turns '+' into a space
// and corrupts the Base64).
$encrypted = $_GET['params'] ?? '';
print "ENCRYPTED: " . htmlspecialchars($encrypted) . "\n";

// initialization vector (IV), Base64-encoded in the URL
// A value that is used along with the secret key for data encryption and is
// employed only one time in any session.
$iv = $_GET['iv'] ?? '';
print "IV: " . htmlspecialchars($iv) . "\n";

// secret key from your ClickBank account
$secretKey = "GSST13ZFSR48JZ";

// AES key: the first 32 hex characters of the SHA-1 digest, used as ASCII bytes (256 bits)
$key = substr(sha1($secretKey), 0, 32);

// decrypt the body... (OPENSSL_RAW_DATA because the Base64 is decoded here)
$decrypted = openssl_decrypt(
    base64_decode($encrypted),
    'aes-256-cbc',
    $key,
    OPENSSL_RAW_DATA,
    base64_decode($iv));

if ($decrypted === false) {
    print "Decryption failed\n";
} else {
    print "Decrypted: " . htmlspecialchars($decrypted) . "\n";

    // convert the decrypted JSON string to an associative array...
    $order = json_decode($decrypted, true);
}

?>
</pre>
</body>
</html>