1. What is the crypto binary action? What is the difference between the encrypt and crypto binary operations? Will it do symmetric encryption?
2. Can we generate a symmetric shared key on the appliance without using a dp function?
Pinned topic: few questions regarding crypto
2 replies. Latest post 2013-02-06T19:28:49Z by inestlerode.
inestlerode (accepted answer)
Re: few questions regarding crypto, 2013-02-06T19:28:49Z, in response to msmps:
The cryptobin action is for doing cryptography in the PKCS#7 and/or S/MIME formats. By contrast the other crypto actions are for doing cryptography in XML format (using XML DSIG, XML Encryption, and WS-Security specs).
The cryptobin action does not have support for doing raw symmetric encryption with no public keys. Its encryption always uses (and expects) the hybrid approach associated with the PKCS#7 envelopedData type. It will generate an ephemeral symmetric key that is used to encrypt the payload and then it will use an RSA public key to encrypt a copy of this ephemeral key that is sent along with the encrypted payload. The XML crypto actions also do something very similar by default (mixture of RSA and an ephemeral symmetric key).
So cryptobin is not useful if you are trying to do symmetric encryption without RSA, but then again it is rarely a good idea to do such a thing from a security perspective.
You can generate a symmetric shared key using dp:generate-key or dp:random-bytes. Or you can generate one somewhere else and then put it in a file and use it in a Shared Secret Key object. But that generation (with dp: XSLT extension functions) would have to be done off box as we don't provide a command to do that part other than the extension functions.