Key Material
Upon receiving approval for the consent sought from the consumer via a consent artefact sent by the AA (Account Aggregator), an FIU may initiate a Data Request. The Data Request comprises the details of the consent and key material that is to be shared with the FIP to encrypt the data sent in response. The Data Request is digitally signed by the FIU.
The steps followed to generate the key material are -
1. The FIU generates an ephemeral Curve 25519 Key Pair comprising the FIU Public Key and the FIU Private Key. These keys are valid only for one data exchange session.
2. The FIU generates a 256-bit nonce.
3. The FIU combines the FIU Public Key, the nonce and the Curve name along with the consent details into a Message.
4. The FIU then generates a SHA-256 Hash of the Message and attaches that as the Digital Signature - Sig (f) – while transmitting the data request to the AA.
5. In addition, the FIU appends its permanent digital signature before transmitting the request to the AA.