How Alipay Secures Payments: Deep Dive into RSA Signatures and AES Encryption

Payments are a high‑security scenario where any data leakage between systems can cause massive loss, so every piece of data exchanged during a payment is encrypted.

What is a Signature?

Before discussing signatures, the payment interaction process can be divided into six steps:

User selects a product and submits an order.

The merchant server sends product information and the required amount to Alipay, generating an Alipay order.

After the order is created, Alipay returns a payment page for mobile or web payment.

The user launches the Alipay app to pay.

The user enters the payment password, which is sent to Alipay's server.

Alipay confirms the transfer and notifies the merchant server that the amount has been transferred successfully.

Among these steps, steps 2 and 6 are the most critical because they involve sensitive data exchange.

During the interaction between the merchant server and Alipay, the information is highly sensitive, so a digital signature is required to prevent man‑in‑the‑middle tampering. In Alipay’s API, the sign parameter holds the signature, which is used to prevent information forgery.

Signature Implementation Principle

2.1 Signature Principle

Digital signatures rely on a pair of keys. The signing process is:

Compute a hash of the document to be signed (e.g., SHA‑256).

Encode the hash together with additional metadata so the receiver knows which hash algorithm was used.

Encrypt the encoded data with the private key; the result is the signature.

Verification (验签) involves the receiver recomputing the hash, decrypting the signature with the public key, and comparing the two hashes.

2.2 Asymmetric Encryption

Alipay uses RSA asymmetric encryption for signatures. A public key and a private key are used; the private key encrypts the data (creates the signature) and only the corresponding public key can decrypt it. The merchant keeps its private key (similar to a database password) and shares its public key with Alipay. Alipay also provides an Alipay public key. Two sets of RSA keys are used:

One set secures the request in step 2 (order creation).

The other set secures the callback in step 6 (transfer confirmation).

During step 2, the merchant server uses its application private key ( priv key 2) to sign the request; Alipay verifies it with the application public key ( pub key 2). In step 6, Alipay signs the callback with its private key ( priv key 6) and the merchant verifies it with Alipay’s public key ( pub key 6).

3. Symmetric Encryption

While signatures prevent tampering, they cannot stop an attacker from reading the data. For example, in step 2 the transaction amount could be intercepted. Therefore, HTTPS is recommended for encrypted transmission, and many Alipay interfaces also support AES encryption of the request payload.

If the OpenAPI does not include bizContent parameters, AES key encryption cannot be used; otherwise an error is returned indicating the API does not support encrypted requests.

4. Relationship Between AES and RSA

AES keys encrypt request and response bodies, making ciphertext unreadable to third parties.

RSA keys sign request and response bodies, allowing both parties to verify that the content has not been altered, regardless of whether the content is plaintext or ciphertext.

Developers can first encrypt parameters with AES and then sign the ciphertext with RSA.

If this information helped you, feel free to give a like.