IDES Interactive Knowledge Base

Step 4 Encrypt the AES Key with Public Key of Recipient

Last Updated: Jul 26, 2016 02:09PM CDT

The next step is to encrypt the AES key with the public key of each recipient, so that only the holder of the matching private key can recover the key and therefore the payload. Before encrypting, every FATCA partner must validate that the recipient's X.509 Digital Certificate chains to an approved CA. An X.509 Digital Certificate contains the public key of each FATCA partner, including the IRS, and is retrieved from the IDES Enrollment site.

Encrypt AES Key with Public Key:

Process: Validate Certificate
Description:
  • To validate the certificate:
    1. Verify the certificate chain up to an approved CA;
    2. Check the revocation status of every certificate in the chain. There are two methods:
       • Retrieve a Certificate Revocation List (CRL), or
       • Send an Online Certificate Status Protocol (OCSP) query to the CA's designated responder
File Naming Convention: N/A

Process: Encrypt the AES Key
Description:
  • After validating the certificate, use the public key from the recipient’s certificate to encrypt the AES 256 key.
  • The public key encryption uses the standard RSA algorithm. The RSA encryption settings vary by tool, so the IRS recommended settings must be used to maintain compatibility:
    • Padding: PKCS#1 v1.5
    • Key Size: 2048 bits
    PKCS#1 v1.5 is specified here for interoperability with IDES; it is an older padding scheme than RSA-OAEP, so do not carry these settings over to other systems.
  • The encrypted file name is “FATCAEntityReceiverId_Key”, where “FATCAEntityReceiverId” is the 19-character GIIN of the recipient of this AES key.
File Naming Convention: FATCAEntityReceiverId_Key

Process: Summary
Description:
  • FATCA reporting with one recipient will have two encrypted files. File names are case sensitive, and any variation in file name or format will cause the transmission to fail:
    1. Symmetric encryption - the AES 256 encrypted FATCA XML file is named “FATCAEntitySenderId_Payload”
    2. Asymmetric encryption - the public key encrypted AES 256 key file is named “FATCAEntityReceiverId_Key”
File Naming Convention: N/A

Table 6 – Process to encrypt an AES key with a public key.

Note: For most FIs and HCTAs (e.g., Model 1 (Non-Reciprocal), Model 2 and non-IGA), the IRS is the only recipient.

Step 4a - Encrypt the AES Key – Model 1, Option 2

Under IGA Model 1, Option 2, an FI submits a FATCA XML file to IDES, and the HCTA reviews the file and either releases it to the IRS or denies it. The HCTA and the IRS therefore both decrypt the same FATCA XML file. The FI does not generate a second AES key: it encrypts a copy of the original AES 256 key with the HCTA public key, in addition to the copy encrypted for the IRS.
 
Encrypt AES Key – Model 1, Option 2:

Process: Validate Certificate
Description:
  • See Step 4 – Validate Certificate. Apply it to each recipient certificate (IRS and HCTA).
File Naming Convention: N/A

Process: Encrypt the AES Key (IRS)
Description:
  • After validating the certificate, use the public key from the IRS certificate to encrypt the AES 256 key.
  • The encrypted file name is “FATCAEntityReceiverId_Key”, where “FATCAEntityReceiverId” is the 19-character GIIN of the recipient of this AES key.
File Naming Convention: FATCAEntityReceiverId_Key

Process: Encrypt the AES Key (HCTA)
Description:
  • Encrypt a copy of the same AES 256 key with the public key of the approving HCTA.
  • The encrypted file name is “HCTAGIIN_Key”, where “HCTAGIIN” is the GIIN of the HCTA recipient of this AES key.
File Naming Convention: HCTAGIIN_Key

Process: Summary
Description:
  • FATCA reporting with two recipients will have three encrypted files. File names are case sensitive, and any variation in file name or format will cause the transmission to fail:
    1. Symmetric encryption - the AES 256 encrypted FATCA XML file is named “FATCAEntitySenderId_Payload”
    2. Asymmetric encryption - the public key encrypted AES 256 key file for the IRS is named “FATCAEntityReceiverId_Key”
    3. Asymmetric encryption - the public key encrypted AES 256 key file for the HCTA is named “HCTAGIIN_Key”
File Naming Convention: N/A

Table 7 – Process for a Model 1 Option 2 FI to encrypt an AES key.
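The procedures in Table 6 and Table 7, carried through end to end with the openssl command line, as an added example; it is not IDES tooling and not code from this page or the resources it links. It assumes openssl is on PATH, stands a throw-away self-signed CA in for the approved CA so that everything runs offline in a temporary directory, uses the IRS GIIN as published in IDES documentation (confirm it on the enrollment site) and a constructed placeholder GIIN for the HCTA, and names its functions for this illustration only. It validates the chain and revocation status (the CRL method), refuses to encrypt for a certificate that fails validation, checks for a 2048-bit key, encrypts the same AES-256 key once per recipient with PKCS#1 v1.5 padding, and proves the round trip.

```shell
#!/bin/sh
# Added example, not IDES tooling. A throw-away CA stands in for the approved CA
# so the whole flow runs offline with only openssl: validate each recipient
# certificate (chain + CRL), RSA/PKCS#1 v1.5-encrypt one AES-256 key per
# recipient into "<GIIN>_Key", and show that a revoked certificate is refused.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# GIINs are six.five.two.three = 19 characters. The IRS value is the one IDES
# publishes (confirm on the enrollment site); the HCTA value is a constructed placeholder.
IRS_GIIN="000000.00000.TA.840"
HCTA_GIIN="000000.00000.TA.826"

make_test_pki() {
    # One config serves "openssl req" (CA certificate) and "openssl ca" (-gencrl / -revoke).
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Test Approved CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 1
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null   # empty CRL
}

issue_cert() {  # $1 = file stem, $2 = subject CN: 2048-bit RSA key + CA-signed certificate
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

validate_certificate() {  # $1 = certificate; exit status is the verdict (Table 6, "Validate Certificate")
    # Trust store = approved CA certificate plus its current CRL; -crl_check is the CRL
    # method from the table (OCSP is the other). Chain and revocation are both checked.
    cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/trust.pem"
    openssl verify -crl_check -CAfile "$WORK/trust.pem" "$1" >/dev/null 2>&1
}

encrypt_aes_key() {  # $1 = recipient certificate, $2 = recipient GIIN; writes $WORK/<GIIN>_Key
    validate_certificate "$1" || { echo "refusing to encrypt for $2: certificate invalid or revoked" >&2; return 1; }
    openssl x509 -in "$1" -pubkey -noout > "$WORK/$2.pub"
    # IRS-specified parameters: 2048-bit RSA with PKCS#1 v1.5 padding. Refuse other key
    # sizes instead of producing a file the recipient's tooling cannot handle.
    openssl pkey -pubin -in "$WORK/$2.pub" -noout -text | grep -q '(2048 bit)' || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/$2.pub" -pkeyopt rsa_padding_mode:pkcs1 \
        -in "$WORK/aes.key" -out "$WORK/${2}_Key"
}

decrypt_aes_key() {  # recipient side: $1 = <GIIN>_Key, $2 = recipient private key, $3 = output
    openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:pkcs1 -in "$1" -out "$3"
}

revoke_cert() {  # the CA revokes $1 and publishes a fresh CRL
    openssl ca -config "$WORK/ca.cnf" -revoke "$1" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

key_file_size() { wc -c < "$WORK/${1}_Key" | tr -d ' '; }  # 256 bytes for a 2048-bit modulus

# Model 1, Option 2 run (Table 7): one AES key, two recipients, two *_Key files; the
# third file, "FATCAEntitySenderId_Payload", comes from Step 3 and is not produced here.
make_test_pki
issue_cert irs  "$IRS_GIIN"
issue_cert hcta "$HCTA_GIIN"
openssl rand -out "$WORK/aes.key" 32                   # the Step 3 AES-256 key, generated once
encrypt_aes_key "$WORK/irs.crt"  "$IRS_GIIN"           # FATCAEntityReceiverId_Key
encrypt_aes_key "$WORK/hcta.crt" "$HCTA_GIIN"          # HCTAGIIN_Key
decrypt_aes_key "$WORK/${HCTA_GIIN}_Key" "$WORK/hcta.key" "$WORK/aes.hcta"
cmp "$WORK/aes.key" "$WORK/aes.hcta"                   # set -e aborts here if the round trip broke
echo "wrote ${IRS_GIIN}_Key and ${HCTA_GIIN}_Key ($(key_file_size "$IRS_GIIN") bytes each) in $WORK"
revoke_cert "$WORK/hcta.crt"
if validate_certificate "$WORK/hcta.crt"; then echo "BUG: revoked certificate accepted"; exit 1
else echo "revoked HCTA certificate correctly rejected"; fi
```

In production the CA certificate and its CRL (or the OCSP responder) come from the approved CA rather than a local directory, and the recipient's private key is never on the sender's side; the decrypt step here only proves the ciphertext is well formed. The 256-byte size of each `_Key` file is itself a cheap sanity check that a 2048-bit modulus was used, and the refusal path shows why validation has to run before encryption, not after.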

Resources:
1 - Basic overview of X.509 Certificates and filename extensions
2 - Overview by Oracle “The Public Key Infrastructure Approach to Security”
3 - CA perspective of Public Key Infrastructure
4 - Microsoft “Securing Public Key Infrastructure (PKI)”
5 - FATCA IDES Technical FAQ
6 - FATCA XML Schemas and Business Rules for Form 8966
7 - FATCA FAQ General

Examples:
1 - “Oracle Configuring and Using Certificate Management” describes key and certificate management using openssl and keytool commands
2 - “Encrypting files with Public Key Encryption in Java” provides an example of AES256 key generation and of encrypting the AES256 key using an RSA public key