1. What is the crypto binary action? What is the difference between the encrypt action and the crypto binary operation? Will it do symmetric encryption?
2. Can we generate a symmetric shared key on the appliance without using a dp function?
inestlerode (270001CUTT166)
Re: few questions regarding crypto, 2013-02-06T19:28:49Z
This is the accepted answer.
The cryptobin action is for doing cryptography in the PKCS#7 and/or S/MIME formats. By contrast, the other crypto actions are for doing cryptography in XML format (using the XML DSIG, XML Encryption, and WS-Security specs).
The cryptobin action does not have support for doing raw symmetric encryption with no public keys. Its encryption always uses (and expects) the hybrid approach associated with the PKCS#7 envelopedData type. It will generate an ephemeral symmetric key that is used to encrypt the payload and then it will use an RSA public key to encrypt a copy of this ephemeral key that is sent along with the encrypted payload. The XML crypto actions also do something very similar by default (mixture of RSA and an ephemeral symmetric key).
So cryptobin is not useful if you are trying to do symmetric encryption without RSA, but then again it is rarely a good idea to do such a thing from a security perspective.
You can generate a symmetric shared key using dp:generate-key or dp:random-bytes. Or you can generate one somewhere else, put it in a file, and use it in a Shared Secret Key object. But that generation (with the dp: XSLT extension functions) would have to be done off-box, as we don't provide a command to do that part other than the extension functions.