Due to privacy concerns, and because the NAS does not support encryption at rest, the RGI exchange will use an encrypted file. Given that:

  • the files can be large (asymmetric encryption is slow and, with RSA, limited to a few hundred bytes per operation),
  • the exchange happens behind the firewall,

shared-secret (symmetric key) encryption of the file itself will be sufficient.

Encryption Mechanism

Use the AES cipher to encrypt and decrypt the file; both openssl and Java's javax.crypto support it. The commands below use AES-256 in CBC mode, with the key derived from the contents of rgikey by PBKDF2 (-iter 1000 implies -pbkdf2; -salt is already the default). Two things to be aware of: openssl reads only the first line of a -pass file: argument, so of the three base64 lines written by "openssl rand -base64 128" only the first 64 characters (48 random bytes) act as the password, which is still ample entropy but means the remaining lines contribute nothing; and CBC mode provides confidentiality only, so a modified ciphertext is caught, if at all, by the padding check at decryption, which is not a reliable integrity check. If the integrity of the exchanged file matters, add an HMAC or a signature over the ciphertext.

Encrypt (bash):
[desktop@luxor RgiEnc]$ openssl rand -base64 128 > rgikey
[desktop@luxor RgiEnc]$ cat rgikey
optygS6e4C23kNgzpelDIG3pza8xAplkyEMXGXzZwIGV7oXyEMVS8ARyiRmJ+9Ea
OpSH3dQc1HnzCtXRvs2QaNqxZWWAAxz46MbtYlmFmKdNqad8OVn8GYYHA6h5GKYk
emMBxXuaPB3itVqEnIGS76M2sVf9qtZAA9H4VQ24TPE=
[desktop@luxor RgiEnc]$ openssl enc -aes-256-cbc -salt -iter 1000 -in FakeNames.txt -out FakeNames.enc -pass file:rgikey


Decrypt (bash):
[desktop@luxor RgiEnc]$ openssl enc -d -aes-256-cbc -salt -iter 1000 -in FakeNames.enc -out FakeNames.csv -pass file:rgikey
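
The round trip above, as an added example that is not part of the original page: it runs the same openssl enc commands on a constructed stand-in for FakeNames.txt and demonstrates two properties a practitioner should verify for themselves: that -pass file: uses only the first line of rgikey, and that CBC ciphertext needs a separate integrity check (here an HMAC-SHA256 over the ciphertext keyed with the same first-line secret, i.e. encrypt-then-MAC). File names follow the page; the plaintext, the second key file and the tampered copy are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Round-trips a file through
# "openssl enc" exactly as the Encrypt/Decrypt blocks do and shows:
#   1. openssl reads only the FIRST LINE of a "-pass file:" argument, so a
#      base64 key wrapped over several lines is used only partially;
#   2. CBC gives confidentiality only; a keyed hash over the ciphertext lets the
#      receiver detect tampering or a wrong key before trusting the plaintext.
# File names (rgikey, FakeNames.*) follow the page; contents are constructed.
set -eu

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
cd "$work"

# Constructed stand-in for the real FakeNames.txt.
printf 'id,name\n1,Ada\n2,Grace\n' > FakeNames.txt

# Key file exactly as the page generates it: 128 random bytes, base64, which
# openssl wraps at 64 characters per line.
openssl rand -base64 128 > rgikey

# A second key file that shares ONLY its first line with rgikey.
{ head -n 1 rgikey; echo 'this-line-is-ignored-by-openssl'; } > rgikey.firstline

enc_file() {  # enc_file <in> <out> <keyfile>
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 1000 -in "$1" -out "$2" -pass "file:$3"
}
dec_file() {  # dec_file <in> <out> <keyfile>; non-zero on "bad decrypt"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 1000 -in "$1" -out "$2" -pass "file:$3"
}
# HMAC-SHA256 over the ciphertext, keyed with the same first-line secret so both
# sides can compute it. (The key shows up in the process list here; acceptable
# for a demo, not on a shared host.)
mac_file() {  # mac_file <file> <keyfile> -> hex tag
  openssl dgst -sha256 -hmac "$(head -n 1 "$2")" "$1" | awk '{print $NF}'
}

# 1. Decrypting with a key file that matches rgikey only on line 1 succeeds.
first_line_only_is_used() {
  enc_file FakeNames.txt FakeNames.enc rgikey
  dec_file FakeNames.enc FakeNames.csv rgikey.firstline
  cmp -s FakeNames.txt FakeNames.csv && echo same || echo different
}

# 2. Any change to the ciphertext (here: one byte appended) changes the tag, so
#    checking the tag first avoids handing corrupted data downstream.
tamper_is_detected() {
  enc_file FakeNames.txt FakeNames.enc rgikey
  tag="$(mac_file FakeNames.enc rgikey)"
  cp FakeNames.enc tampered.enc
  printf 'x' >> tampered.enc
  [ "$(mac_file tampered.enc rgikey)" = "$tag" ] && echo accepted || echo rejected
}

# 3. A different key: openssl usually reports "bad decrypt" from the padding
#    check, but roughly 1 in 256 wrong keys yields valid-looking padding and
#    garbage output. Either way the plaintext does not match the original,
#    which is why the MAC check above is the reliable signal.
wrong_key_is_detected() {
  enc_file FakeNames.txt FakeNames.enc rgikey
  openssl rand -hex 32 > otherkey
  if dec_file FakeNames.enc out.csv otherkey 2>/dev/null && cmp -s FakeNames.txt out.csv
  then echo accepted; else echo rejected; fi
}

echo "first line only: $(first_line_only_is_used)"
echo "tampered file:   $(tamper_is_detected)"
echo "wrong key:       $(wrong_key_is_detected)"
```

Run it with bash on a host with openssl 1.1.1 or later; the three lines print "same", "rejected" and "rejected".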


The challenge with a shared secret is the exchange of the key: both sides need the same key, and it has to reach the other side without being exposed on the way.

Key Sharing

Shared via Secure Exchange

SSHA generates the shared key and passes it to TIS, which adds the key to a property file. The property file then holds the key in clear text, so it must be readable only by the account that performs the decryption, and it must be kept out of source control and out of any backup that is not itself encrypted.

Java Keytool

The Java Keytool




Generate Keys in

Key Pair (bash):
[desktop@luxor RgiEnc]$ openssl version
OpenSSL 1.1.1d FIPS  10 Sep 2019
[desktop@luxor RgiEnc]$ openssl genrsa -des3 -out secret.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................................+++++
......................................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for secret.key:
Verifying - Enter pass phrase for secret.key:
[desktop@luxor RgiEnc]$ openssl rsa -in secret.key -out public.key -outform PEM -pubout
Enter pass phrase for secret.key:
writing RSA key

Encrypt (bash):
[desktop@luxor RgiEnc]$ openssl rand -base64 128 > rgikey
[desktop@luxor RgiEnc]$ cat rgikey
optygS6e4C23kNgzpelDIG3pza8xAplkyEMXGXzZwIGV7oXyEMVS8ARyiRmJ+9Ea
OpSH3dQc1HnzCtXRvs2QaNqxZWWAAxz46MbtYlmFmKdNqad8OVn8GYYHA6h5GKYk
emMBxXuaPB3itVqEnIGS76M2sVf9qtZAA9H4VQ24TPE=
[desktop@luxor RgiEnc]$ openssl enc -aes-256-cbc -salt -iter 1000 -in FakeNames.txt -out FakeNames.enc1 -pass file:rgikey
[desktop@luxor RgiEnc]$ openssl rsautl -encrypt -inkey public.key -pubin -in rgikey -out rgikey.en
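
The hybrid exchange that the Key Pair and Encrypt blocks above begin, carried through to the receiving side as an added example (not the page's or the project's own procedure): TIS owns the RSA key pair, SSHA encrypts the payload with a fresh AES key and wraps that key with TIS's public key, and TIS unwraps the key with its private key and decrypts the payload. It deviates from the page's commands deliberately: pkeyutl with RSA-OAEP (SHA-256) replaces rsautl, which defaults to PKCS#1 v1.5 padding and is deprecated since OpenSSL 3.0; the private key on disk is protected with AES-256 instead of 3DES; and the AES key is written as a single hex line so that -pass file: uses all of it. The role assignment, the file names tis_private.key, tis_public.key and rgikey.en, and the passphrase are assumptions; the plaintext is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): full sender/receiver flow for
# the hybrid scheme. TIS (receiver) holds the RSA key pair; SSHA (sender)
# encrypts the data with a fresh AES key and wraps that key for TIS.
# Deliberate differences from the page: pkeyutl + RSA-OAEP instead of rsautl
# (PKCS#1 v1.5, deprecated in OpenSSL 3.0); -aes256 instead of -des3 for the
# private key; a one-line hex AES key so "-pass file:" uses all of it.
# Role names, key/file names and the passphrase are assumptions.
set -eu

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
cd "$work"

printf 'id,name\n1,Ada\n2,Grace\n' > FakeNames.txt   # constructed stand-in

# --- TIS: one-time key pair. The private key never leaves TIS.
tis_keygen() {  # tis_keygen <passphrase>
  openssl genrsa -aes256 -passout "pass:$1" -out tis_private.key 2048 2>/dev/null
  openssl rsa -in tis_private.key -passin "pass:$1" -pubout -out tis_public.key 2>/dev/null
}

# --- SSHA: encrypt the payload with a fresh random key, wrap the key for TIS.
ssha_send() {  # ssha_send <plaintext>  -> <plaintext>.enc and rgikey.en
  openssl rand -hex 32 > rgikey                       # 256-bit key, one line
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 1000 -in "$1" -out "$1.enc" -pass file:rgikey
  openssl pkeyutl -encrypt -pubin -inkey tis_public.key \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -in rgikey -out rgikey.en
  rm -f rgikey                                        # only the wrapped copy travels
}

# --- TIS: unwrap the key (owner-only file), decrypt, then discard the key.
# OAEP decryption with the wrong private key fails outright, so we stop there
# instead of feeding a garbage key into the AES step.
tis_receive() {  # tis_receive <ciphertext> <out> <passphrase>
  ( umask 077
    openssl pkeyutl -decrypt -inkey tis_private.key -passin "pass:$3" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -in rgikey.en -out rgikey.unwrapped ) || { echo 'key unwrap failed' >&2; return 1; }
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 1000 -in "$1" -out "$2" -pass file:rgikey.unwrapped
  rm -f rgikey.unwrapped
}

# End-to-end: the receiver gets back the exact original file.
round_trip() {
  tis_keygen 'tis-demo-passphrase'
  ssha_send FakeNames.txt
  tis_receive FakeNames.txt.enc FakeNames.csv 'tis-demo-passphrase'
  cmp -s FakeNames.txt FakeNames.csv && echo same || echo different
}

# A key pair rotated after the file was sent cannot unwrap the old rgikey.en.
wrong_keypair_fails() {
  tis_keygen 'tis-demo-passphrase'
  ssha_send FakeNames.txt
  tis_keygen 'tis-demo-passphrase'                    # new pair, same passphrase
  if tis_receive FakeNames.txt.enc out.csv 'tis-demo-passphrase' 2>/dev/null
  then echo decrypted; else echo failed; fi
}

echo "round trip:       $(round_trip)"
echo "rotated key pair: $(wrong_keypair_fails)"
```

The wrapped key file is the size of the RSA modulus (256 bytes for 2048-bit RSA) and is useless without tis_private.key, so it can travel next to the encrypted payload; what still has to be protected is the private key's passphrase on TIS.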