Symmetric Encryption Method
The AES cipher is secure enough and fast enough for your purposes. It is also supported by both OpenSSL and the Java crypto implementations.
The following is an OpenSSL example. Generate a random key file and encrypt:

```
[desktop@luxor RgiEnc]$ openssl rand -base64 128 > rgikey
[desktop@luxor RgiEnc]$ cat rgikey
optygS6e4C23kNgzpelDIG3pza8xAplkyEMXGXzZwIGV7oXyEMVS8ARyiRmJ+9Ea
OpSH3dQc1HnzCtXRvs2QaNqxZWWAAxz46MbtYlmFmKdNqad8OVn8GYYHA6h5GKYk
emMBxXuaPB3itVqEnIGS76M2sVf9qtZAA9H4VQ24TPE=
[desktop@luxor RgiEnc]$ openssl enc -aes-256-cbc -salt -iter 1000 -in FakeNames.txt -out FakeNames.enc -pass file:rgikey
```

Decrypt with the same key file and parameters:

```
[desktop@luxor RgiEnc]$ openssl enc -d -aes-256-cbc -salt -iter 1000 -in FakeNames.enc -out FakeNames.csv -pass file:rgikey
```
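The script below is an added example, not code from the original page: it runs the page's openssl commands end to end in a scratch directory and checks the three things a reviewer would want confirmed (the round trip works, which part of the key file is actually the password, and a wrong key is rejected). The file names and the sample CSV content are constructed for the demo; the cipher parameters are exactly those used above.

```shell
#!/bin/sh
# Added example, not code from the original page: runs the page's openssl
# commands end to end in a scratch directory and checks the behaviour a
# reviewer would want confirmed. File names and sample data are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Encrypt $1 to $2 with key file $3, using the page's exact parameters:
# AES-256-CBC, random salt, PBKDF2 with 1000 iterations, password from a file.
rgi_encrypt() {
    openssl enc -aes-256-cbc -salt -iter 1000 -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 to $2 with key file $3 (same parameters).
rgi_decrypt() {
    openssl enc -d -aes-256-cbc -salt -iter 1000 -in "$1" -out "$2" -pass "file:$3"
}

# Generate the key file, encrypt, decrypt; succeeds only when the decrypted
# file is byte-for-byte identical to the original.
round_trip() {
    printf 'id,name\n1,Jane Doe\n2,John Roe\n' > "$WORK/FakeNames.txt"  # constructed sample
    openssl rand -base64 128 > "$WORK/rgikey"
    rgi_encrypt "$WORK/FakeNames.txt" "$WORK/FakeNames.enc" "$WORK/rgikey"
    rgi_decrypt "$WORK/FakeNames.enc" "$WORK/FakeNames.csv" "$WORK/rgikey"
    cmp -s "$WORK/FakeNames.txt" "$WORK/FakeNames.csv"
}

# "-pass file:" uses only the FIRST line of the file as the password. A copy of
# the key file holding just that line decrypts the same ciphertext, which shows
# that the second and third base64 lines written by "rand -base64 128" never
# enter the key derivation. Run after round_trip, which creates the files.
first_line_only_suffices() {
    head -n 1 "$WORK/rgikey" > "$WORK/rgikey.line1"
    rgi_decrypt "$WORK/FakeNames.enc" "$WORK/FakeNames.line1.csv" "$WORK/rgikey.line1"
    cmp -s "$WORK/FakeNames.txt" "$WORK/FakeNames.line1.csv"
}

# A different key must not recover the plaintext: openssl normally reports
# "bad decrypt" (the padding check fails), and in the rare case the padding
# happens to parse, the output still differs from the original. Run after round_trip.
wrong_key_fails() {
    openssl rand -base64 128 > "$WORK/wrongkey"
    if rgi_decrypt "$WORK/FakeNames.enc" "$WORK/FakeNames.wrong.csv" "$WORK/wrongkey" 2>/dev/null; then
        ! cmp -s "$WORK/FakeNames.txt" "$WORK/FakeNames.wrong.csv"
    fi
}

# Stand-alone run: sh rgi_enc_check.sh --run
if [ "${1:-}" = "--run" ]; then
    round_trip && echo "round trip: ok"
    first_line_only_suffices && echo "first line of key file is the password: ok"
    wrong_key_fails && echo "wrong key rejected: ok"
fi
```

Two points worth knowing when this is deployed: the first base64 line of `rgikey` is 64 characters, which still carries 48 bytes of randomness, so the password is strong even though the rest of the file is unused; and the "bad decrypt" error is only a padding check, not an integrity check, so a ciphertext that was altered in transit is not reliably detected by this construction.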
Key Generation
Because SSHA is encrypting the file, SSHA will take on the responsibility for generating the shared key.
Key Sharing
The challenge with a shared secret is the exchange of the key.
Option 1 - Shared via Secure Exchange
SSHA generates the shared key and passes it to TIS, which adds the key to a property file in WebSphere.
Option 2 - Sharing the KeyStore
The shared key is generated using the Java keytool and is saved in a password-protected KeyStore (using a store type of PKCS12).
SSHA extracts the key from the store and uses it to encrypt.
The WebSphere cell is configured to use the KeyStore. The application extracts the shared key to use for the decryption.
Option 3 - Exchange the Shared Key using a Public / Private Key Pair
TIS generates a self-signed public/private key pair and stores it in a KeyStore. The public key is shared with SSHA. Whenever the shared key is changed, SSHA encrypts the shared key using the public key and stores the encrypted shared key in the NAS.
WebSphere is configured with the KeyStore containing the public/private key pair. The application always picks up the encrypted shared key, decrypts it using the private key, and then decrypts the file using the shared key.
The key pair must be regenerated on an annual basis.
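The following is an added example, not code from the original page, that walks through Option 3 with the openssl CLI rather than keytool, so that the exchange can be exercised on any machine with openssl. All three parties are simulated in one scratch directory: `tis_*` files belong to TIS (the key pair owner), `ssha_*` files to SSHA (the shared-key owner), and `nas_*` files are what would be placed on the NAS. The file names, the RSA-OAEP wrapping mode, and the sample data are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page: Option 3 with the openssl
# CLI, all parties simulated in one scratch directory. "tis_*" files belong to
# TIS (key pair owner), "ssha_*" to SSHA (shared-key owner) and "nas_*" are what
# would be placed on the NAS. Names and sample data are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# TIS: generate an RSA-2048 key pair and export only the public half for SSHA.
tis_generate_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/tis_private.pem" 2>/dev/null
    openssl pkey -in "$WORK/tis_private.pem" -pubout -out "$WORK/tis_public.pem"
}

# SSHA: create a new shared key (one 64-character base64 line, so "-pass file:"
# uses all of it), wrap it with TIS's public key using RSA-OAEP/SHA-256, and
# encrypt the data file $1 with it. Only the two nas_* files leave SSHA.
ssha_publish() {
    openssl rand -base64 48 > "$WORK/ssha_sharedkey"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/tis_public.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/ssha_sharedkey" -out "$WORK/nas_sharedkey.enc"
    openssl enc -aes-256-cbc -salt -iter 1000 \
        -in "$1" -out "$WORK/nas_FakeNames.enc" -pass "file:$WORK/ssha_sharedkey"
}

# TIS application: unwrap the shared key with the private key (same OAEP
# parameters as the wrap), then decrypt the data file into $1.
tis_consume() {
    openssl pkeyutl -decrypt -inkey "$WORK/tis_private.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/nas_sharedkey.enc" -out "$WORK/tis_sharedkey"
    openssl enc -d -aes-256-cbc -salt -iter 1000 \
        -in "$WORK/nas_FakeNames.enc" -out "$1" -pass "file:$WORK/tis_sharedkey"
}

# The whole exchange; succeeds only if TIS recovers the original file.
option3_round_trip() {
    printf 'id,name\n1,Jane Doe\n2,John Roe\n' > "$WORK/FakeNames.txt"  # constructed sample
    tis_generate_keypair
    ssha_publish "$WORK/FakeNames.txt"
    tis_consume "$WORK/FakeNames.csv"
    cmp -s "$WORK/FakeNames.txt" "$WORK/FakeNames.csv"
}

# Run after option3_round_trip: the unwrapped key equals SSHA's original, and
# the wrapped blob on the NAS does not contain the key in the clear.
wrapped_key_checks() {
    cmp -s "$WORK/ssha_sharedkey" "$WORK/tis_sharedkey" &&
    ! grep -q -F "$(head -n 1 "$WORK/ssha_sharedkey")" "$WORK/nas_sharedkey.enc"
}

# Stand-alone run: sh option3_check.sh --run
if [ "${1:-}" = "--run" ]; then
    option3_round_trip && echo "option 3 round trip: ok"
    wrapped_key_checks && echo "wrapped key checks: ok"
fi
```

Two design notes: the OAEP padding mode and digest must be identical on the wrap and unwrap sides, which is why both `pkeyutl` calls pass the same `-pkeyopt` values; and a 2048-bit key with SHA-256 OAEP can wrap at most 190 bytes, enough for a key file like the one on this page, but a larger secret would have to be wrapped differently. When the key pair is regenerated each year, the shared key currently on the NAS must be re-wrapped under the new public key before the old private key is retired.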