• 2 replies
  • Latest Post - ‏2013-02-06T19:28:49Z by inestlerode
219 Posts

Pinned topic few questions regarding crypto

‏2013-02-05T19:03:34Z |
1. what is crypto binary action? difference between encrypt and crypto binary operation. will it do symmetric encryption
2. Can we generate symmetric shared key on appliance without using dp function
Updated on 2013-02-06T19:28:49Z at 2013-02-06T19:28:49Z by inestlerode
  • SystemAdmin
    6772 Posts

    Re: few questions regarding crypto

    2. For symmetric encryption, you can create Crypto Shared Secret Key object from Objects-> Crypto configuration
  • inestlerode
    166 Posts

    Re: few questions regarding crypto

    The cryptobin action is for doing cryptography in the PKCS#7 and/or S/MIME formats. By contrast the other crypto actions are for doing cryptography in XML format (using XML DSIG, XML Encryption, and WS-Security specs).

    The cryptobin action does not have support for doing raw symmetric encryption with no public keys. Its encryption always uses (and expects) the hybrid approach associated with the PKCS#7 envelopedData type. It will generate an ephemeral symmetric key that is used to encrypt the payload and then it will use an RSA public key to encrypt a copy of this ephemeral key that is sent along with the encrypted payload. The XML crypto actions also do something very similar by default (mixture of RSA and an ephemeral symmetric key).

    So cryptobin is not useful if you are trying to do symmetric encryption without RSA, but then again it is rarely a good idea to do such a thing from a security perspective.

    You can generate a symmetric shared key using dp:generate-key or dp:random-bytes. Or you can generate one somewhere else and then put it in a file and use it in a Shared Secret Key object. But that generation (with dp: XSLT extension functions) would have to be done off box as we don't provide a command to do that part other than the extension functions.