Due to privacy concerns and the fact that the NAS does not support encryption at rest, the RGI exchange will use an encrypted file. Given that:

  • the files can be large,
  • the exchange happens behind the firewall

shared-secret (symmetric key) encryption will be sufficient.

Encryption Mechanism

Use the AES cipher to encrypt and decrypt the file. This is supported by both openssl and the Java crypto implementations.

Encrypt
[desktop@luxor RgiEnc]$ openssl rand -base64 128 > rgikey
[desktop@luxor RgiEnc]$ cat rgikey
optygS6e4C23kNgzpelDIG3pza8xAplkyEMXGXzZwIGV7oXyEMVS8ARyiRmJ+9Ea
OpSH3dQc1HnzCtXRvs2QaNqxZWWAAxz46MbtYlmFmKdNqad8OVn8GYYHA6h5GKYk
emMBxXuaPB3itVqEnIGS76M2sVf9qtZAA9H4VQ24TPE=
[desktop@luxor RgiEnc]$ openssl enc -aes-256-cbc -salt -iter 1000 -in FakeNames.txt -out FakeNames.enc -pass file:rgikey


Decrypt
[desktop@luxor RgiEnc]$ openssl enc -d -aes-256-cbc -salt -iter 1000 -in FakeNames.enc -out FakeNames.csv -pass file:rgikey
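The procedure above exercised end to end in a scratch directory, as an added example that is not part of the original page: it round-trips a constructed sample file, shows that -pass file: reads only the first line of rgikey (openssl rand -base64 wraps at 64 characters, so the remaining lines are never used), and shows that AES-CBC on its own does not detect a modified ciphertext, which an HMAC under a separate key (the file name rgimac is an assumption) does. It assumes openssl 1.1.1 or later and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the wiki page: runs the page's openssl enc procedure in a
# scratch directory and checks three things a practitioner should know about it.
set -eu

# The page's two commands, with key file, input and output taken as arguments.
rgi_encrypt() { openssl enc -aes-256-cbc -salt -iter 1000 -in "$2" -out "$3" -pass "file:$1"; }
rgi_decrypt() { openssl enc -d -aes-256-cbc -salt -iter 1000 -in "$2" -out "$3" -pass "file:$1"; }

# Scratch directory with a constructed sample file and a key file made as on the page.
rgi_setup() {
  d=$(mktemp -d)
  printf 'id,name\n1,Alice Example\n2,Bob Example\n' > "$d/FakeNames.txt"  # constructed data
  openssl rand -base64 128 > "$d/rgikey"
  echo "$d"
}

# 1. Round trip: returns 0 when decrypt(encrypt(FakeNames.txt)) equals the original.
rgi_roundtrip() {
  d=$(rgi_setup)
  rgi_encrypt "$d/rgikey" "$d/FakeNames.txt" "$d/FakeNames.enc"
  rgi_decrypt "$d/rgikey" "$d/FakeNames.enc" "$d/FakeNames.csv"
  cmp -s "$d/FakeNames.txt" "$d/FakeNames.csv"
}

# 2. Caveat: -pass file: uses only the FIRST LINE of the file as the password, so
#    lines 2 and 3 of rgikey never enter the key derivation.
#    Returns 0 when a key file holding only line 1 still decrypts.
rgi_first_line_only() {
  d=$(rgi_setup)
  head -n 1 "$d/rgikey" > "$d/rgikey.line1"
  rgi_encrypt "$d/rgikey" "$d/FakeNames.txt" "$d/FakeNames.enc"
  rgi_decrypt "$d/rgikey.line1" "$d/FakeNames.enc" "$d/FakeNames.csv"
  cmp -s "$d/FakeNames.txt" "$d/FakeNames.csv"
}

# 3. Caveat: AES-CBC gives confidentiality only. Overwriting 4 bytes of the first
#    ciphertext block (offset 16, after the "Salted__" + salt header) still decrypts
#    with exit status 0 (only the padding block is checked), just to wrong plaintext.
#    An HMAC over the ciphertext under a separate key (rgimac, assumed) catches it.
rgi_tamper_needs_hmac() {
  d=$(rgi_setup)
  openssl rand -hex 32 > "$d/rgimac"
  rgi_encrypt "$d/rgikey" "$d/FakeNames.txt" "$d/FakeNames.enc"
  tag=$(openssl dgst -sha256 -hmac "$(cat "$d/rgimac")" < "$d/FakeNames.enc")
  printf '\377\377\377\377' | dd of="$d/FakeNames.enc" bs=1 seek=16 conv=notrunc 2>/dev/null
  rgi_decrypt "$d/rgikey" "$d/FakeNames.enc" "$d/FakeNames.csv"
  ! cmp -s "$d/FakeNames.txt" "$d/FakeNames.csv" &&
    [ "$tag" != "$(openssl dgst -sha256 -hmac "$(cat "$d/rgimac")" < "$d/FakeNames.enc")" ]
}
```

The HMAC key is passed on the openssl command line here for brevity, which a real deployment should avoid because it is visible in the process list.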


The challenge with a shared secret is the exchange of the key.

Key Sharing

Shared via Secure Exchange

SSHA generates the shared key and passes it to TIS, which adds the key to a property file.

Java Keytool

The Java Keytool

Generate Keys in

Key Pair
[desktop@luxor RgiEnc]$ openssl version
OpenSSL 1.1.1d FIPS  10 Sep 2019
[desktop@luxor RgiEnc]$ openssl genrsa -des3 -out secret.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................................+++++
......................................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for secret.key:
Verifying - Enter pass phrase for secret.key:
[desktop@luxor RgiEnc]$ openssl rsa -in secret.key -out public.key -outform PEM -pubout
Enter pass phrase for secret.key:
writing RSA key