
Due to privacy concerns, and because the NAS does not support encryption at rest, the RGI exchange will use an encrypted file. Given that:

  • the files can be large,
  • the exchange happens behind the firewall

shared-secret (symmetric-key) encryption will be sufficient.

Symmetric Encryption Method

The AES cipher is secure enough and fast enough for this purpose, and it is supported by both OpenSSL and the Java crypto implementations.

The following is an OpenSSL example. Two points to keep in mind when reproducing it: -pass file: uses only the first line of the key file, so of the three-line base64 key generated below only the first 64 characters are actually used (keep the key file to a single line); and -iter implies PBKDF2 (SHA-256 by default), so the iteration count must be identical on the encrypting and decrypting side. AES-CBC provides confidentiality only, not integrity, so the receiver should verify a separately communicated digest of the decrypted file.

Encrypt
[desktop@luxor RgiEnc]$ openssl rand -base64 128 > rgikey
[desktop@luxor RgiEnc]$ cat rgikey
optygS6e4C23kNgzpelDIG3pza8xAplkyEMXGXzZwIGV7oXyEMVS8ARyiRmJ+9Ea
OpSH3dQc1HnzCtXRvs2QaNqxZWWAAxz46MbtYlmFmKdNqad8OVn8GYYHA6h5GKYk
emMBxXuaPB3itVqEnIGS76M2sVf9qtZAA9H4VQ24TPE=
[desktop@luxor RgiEnc]$ openssl enc -aes-256-cbc -salt -iter 1000 -in FakeNames.txt -out FakeNames.enc -pass file:rgikey
Decrypt
[desktop@luxor RgiEnc]$ openssl enc -d -aes-256-cbc -salt -iter 1000 -in FakeNames.enc -out FakeNames.csv -pass file:rgikey
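The encrypt/decrypt procedure above, as an added example that is not part of the original page: the same openssl enc invocation wrapped in functions, with a one-line key file, a check that the key file really is one line, a digest comparison after decryption, and a check that a wrong key does not recover the file. It assumes OpenSSL 1.1.1 or later; the file names and the sample CSV are constructed for the example.

```bash
#!/bin/sh
# Added example, not from the original page: the AES-256-CBC round trip shown
# above, wrapped in functions with the checks a practitioner would want.
# Assumes OpenSSL 1.1.1 or later (for -pbkdf2/-iter). File names and the
# sample CSV are constructed for this example.

ITER=100000   # PBKDF2 iteration count; SSHA (encrypt) and TIS (decrypt) must use the same value

# Write a one-line shared key file. `openssl rand -base64 128` wraps its
# output at 64 characters, and `-pass file:` reads only the FIRST line of the
# file, so most of such a key would be silently ignored. 32 random bytes as
# hex stay on one line and give the full 256 bits of entropy.
make_key() {              # $1 = key file
    openssl rand -hex 32 > "$1"
}

# Return 0 only if the key file is exactly one line (what -pass file: uses).
check_key_file() {        # $1 = key file
    [ "$(wc -l < "$1")" -eq 1 ]
}

encrypt_file() {          # $1 = plaintext, $2 = ciphertext, $3 = key file
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -in "$1" -out "$2" -pass file:"$3"
}

decrypt_file() {          # $1 = ciphertext, $2 = plaintext, $3 = key file
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -in "$1" -out "$2" -pass file:"$3"
}

# SHA-256 of a file as a bare hex string. CBC gives confidentiality only, so
# the sender publishes this digest separately and the receiver compares it
# after decrypting.
digest() {                # $1 = file
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Full round trip on a constructed sample. Prints the digest of the recovered
# file; returns 0 only if it matches the original, the ciphertext does not
# contain the plaintext, and a wrong key does not recover the file.
round_trip() {
    dir=$(mktemp -d)
    printf 'id,name,dob\n1,Jane Doe,1970-01-01\n2,John Roe,1980-02-02\n' > "$dir/FakeNames.csv"
    make_key "$dir/rgikey"
    check_key_file "$dir/rgikey" || return 1
    encrypt_file "$dir/FakeNames.csv" "$dir/FakeNames.enc" "$dir/rgikey" || return 1
    decrypt_file "$dir/FakeNames.enc" "$dir/FakeNames.dec" "$dir/rgikey" || return 1
    [ "$(digest "$dir/FakeNames.csv")" = "$(digest "$dir/FakeNames.dec")" ] || return 1
    # The ciphertext must not carry any of the plaintext.
    grep -q 'Jane Doe' "$dir/FakeNames.enc" && return 1
    # A wrong key usually fails the padding check ("bad decrypt"), but a wrong
    # key can pass it by chance, so compare digests rather than trust the exit
    # status alone.
    make_key "$dir/wrongkey"
    decrypt_file "$dir/FakeNames.enc" "$dir/FakeNames.bad" "$dir/wrongkey" 2>/dev/null || true
    [ ! -s "$dir/FakeNames.bad" ] || \
        [ "$(digest "$dir/FakeNames.bad")" != "$(digest "$dir/FakeNames.csv")" ] || return 1
    digest "$dir/FakeNames.dec"
    rm -rf "$dir"
}
```

The iteration count is raised from the page's 1000 to 100000; whatever value is chosen, it is part of the agreement between SSHA and TIS just as much as the key is, because a mismatch makes the decryption fail.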

Key Generation

Because SSHA is encrypting the file, SSHA will take on the responsibility for generating the shared key.

Key Sharing

The challenge with a shared secret is the exchange of the key.

Shared via Secure Exchange

SSHA generates the shared key and passes it to TIS, which adds the key to a property file in WebSphere.

Keystore

The shared key is generated using the Java keytool and is saved in a password-protected keystore (store type PKCS12).

SSHA extracts the key from the store and uses it.

Generate Keys in

Key Pair
[desktop@luxor RgiEnc]$ openssl version
OpenSSL 1.1.1d FIPS  10 Sep 2019
[desktop@luxor RgiEnc]$ openssl genrsa -des3 -out secret.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................................+++++
......................................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for secret.key:
Verifying - Enter pass phrase for secret.key:
[desktop@luxor RgiEnc]$ openssl rsa -in secret.key -out public.key -outform PEM -pubout
Enter pass phrase for secret.key:
writing RSA key
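The page does not state what the RSA key pair is used for. The following is an added example, not part of the original page, that assumes the natural use under "Key Sharing": TIS generates the pair and keeps the passphrase-protected private key (secret.key), SSHA receives public.key and wraps the shared key file with it using RSA-OAEP, and TIS unwraps it. It assumes OpenSSL 1.1.1 or later; the private key is protected with AES-256 rather than the -des3 shown above, and all file names and the passphrase are constructed for the example.

```bash
#!/bin/sh
# Added example, not from the original page. Assumes the RSA key pair is used
# to wrap the shared key: TIS holds secret.key, SSHA gets public.key.
# Assumes OpenSSL 1.1.1 or later; file names and the passphrase are
# constructed for this example.

# TIS side: create the key pair. The private key is encrypted with a
# passphrase (AES-256 instead of the older -des3).
make_key_pair() {         # $1 = private key, $2 = public key, $3 = passphrase
    openssl genrsa -aes256 -passout pass:"$3" -out "$1" 2048 2>/dev/null || return 1
    openssl rsa -in "$1" -passin pass:"$3" -pubout -out "$2" 2>/dev/null
}

# SSHA side: wrap the shared key file with TIS's public key (RSA-OAEP/SHA-256).
# With a 2048-bit key the input may be at most 190 bytes, which a one-line
# hex or base64 key file stays well under.
wrap_key() {              # $1 = shared key file, $2 = wrapped output, $3 = public key
    openssl pkeyutl -encrypt -pubin -inkey "$3" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$1" -out "$2"
}

# TIS side: unwrap with the private key.
unwrap_key() {            # $1 = wrapped input, $2 = shared key output, $3 = private key, $4 = passphrase
    openssl pkeyutl -decrypt -inkey "$3" -passin pass:"$4" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$1" -out "$2"
}

# End-to-end: prints the shared key TIS recovers; returns 0 only if it equals
# what SSHA wrapped, the wrapped blob does not contain the key, and a different
# private key cannot unwrap it.
share_key() {
    dir=$(mktemp -d)
    pw='tis-private-key-passphrase'   # constructed; in practice taken from a secret store
    make_key_pair "$dir/secret.key" "$dir/public.key" "$pw" || return 1
    openssl rand -hex 32 > "$dir/rgikey"               # SSHA's one-line shared key
    wrap_key "$dir/rgikey" "$dir/rgikey.wrapped" "$dir/public.key" || return 1
    unwrap_key "$dir/rgikey.wrapped" "$dir/rgikey.unwrapped" "$dir/secret.key" "$pw" || return 1
    cmp -s "$dir/rgikey" "$dir/rgikey.unwrapped" || return 1
    grep -q "$(cat "$dir/rgikey")" "$dir/rgikey.wrapped" && return 1
    make_key_pair "$dir/other.key" "$dir/other.pub" "$pw" || return 1
    if unwrap_key "$dir/rgikey.wrapped" "$dir/rgikey.bad" "$dir/other.key" "$pw" 2>/dev/null; then
        return 1
    fi
    cat "$dir/rgikey.unwrapped"
    rm -rf "$dir"
}
```

Only public.key has to travel from TIS to SSHA, and only the wrapped blob from SSHA to TIS; the shared key itself is never written to the property file in clear until TIS has unwrapped it on its own side.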