Rajediva
7 Posts

Pinned topic RSA 2048 Encryption in Datapower

‏2013-06-27T03:46:32Z |

Hi Folks,

I have a requirement as described below.

I have a WS proxy configured and a SOAP message coming in. The SOAP body has a set of fields that need to be encrypted using the RSA 2048 algorithm, as per the client requirements. The final encrypted SOAP message will be sent to the provider.

I am confused about this RSA 2048 algorithm. How do I specify this in DP - either through the encrypt action or a stylesheet?

I could see rsa-pkcs1 and rsa-oaep options in the encrypt action's advanced tab, but I am not sure which one I should go for so that I achieve 2048-bit encryption.

Or can I make use of WS-Policy?

Can any of you guys help? If I could achieve the same thing using a stylesheet, that will also do.

Thanks,

Rajediva

 

Updated on 2013-06-27T03:46:50Z at 2013-06-27T03:46:50Z by Rajediva
  • HermannSW
    HermannSW
    4903 Posts
    ACCEPTED ANSWER

    Re: RSA 2048 Encryption in Datapower

    ‏2013-06-27T07:43:50Z  

    What I know is that you should use the encrypt action and not self-crafted stylesheet solutions based on DataPower crypto extension functions.
    The reason is that it is really difficult to avoid e.g. oracle padding attacks, and the encrypt action already does all that for you.

    Also, you should do standards-based encryption. Your requirement of encrypting several fields "with RSA" is non-standard.

    Standards-based encryption is done with symmetric encryption; only the symmetric encryption key gets transferred RSA-encrypted to the other side.

    Find a wealth of information in redbook "IBM WebSphere DataPower SOA Appliances Part III: XML Security Guide":
    http://www.redbooks.ibm.com/abstracts/redp4365.html


    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>

  • inestlerode
    inestlerode
    166 Posts
    ACCEPTED ANSWER

    Re: RSA 2048 Encryption in Datapower

    ‏2013-06-27T18:47:38Z  

    If you want to use 2048-bit RSA then it is up to you to use a private key and certificate that are 2048-bit.  The algorithm names do not include the bit length, so there is no special configuration at the action level to say that you want to use 2048-bit RSA.  Just make a key and cert object that are 2048-bit RSA and then use this key/cert/idcred when configuring your encryption actions.
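
The two accepted answers above, as an added example that is not part of the thread and is not DataPower configuration: the RSA size comes from the key and certificate, and RSA only wraps a symmetric session key. It assumes the OpenSSL command line is installed; the subject name, file names and session key are constructed for the illustration.

```shell
#!/bin/sh
# Added example: every key, certificate and file below is constructed.
set -eu

# Create an RSA key of the requested size and a self-signed certificate for it.
make_key_and_cert() {  # $1 = bits, $2 = output directory
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=example-recipient" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# Print the RSA modulus size in bits of the public key inside a certificate.
cert_rsa_bits() {  # $1 = certificate file
    m=$(openssl x509 -in "$1" -noout -modulus)
    m=${m#Modulus=}
    echo $(( ${#m} * 4 ))      # 4 bits per hex digit
}

# Wrap a symmetric session key with RSA-OAEP for the certificate's owner.
# The padding mode is named here; the bit length comes from the certificate.
wrap_session_key() {  # $1 = certificate, $2 = session key file, $3 = output
    openssl pkeyutl -encrypt -certin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Recipient side: recover the session key with the matching private key.
unwrap_session_key() {  # $1 = private key, $2 = wrapped key, $3 = output
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Prints "<certificate key bits> <wrapped key bits>" after a round trip.
demo() {
    dir=$(mktemp -d) || return 1
    make_key_and_cert 2048 "$dir" || return 1
    openssl rand -out "$dir/session.key" 32 || return 1   # 256-bit session key
    wrap_session_key "$dir/cert.pem" "$dir/session.key" "$dir/wrapped.bin" || return 1
    unwrap_session_key "$dir/key.pem" "$dir/wrapped.bin" "$dir/unwrapped.key" || return 1
    cmp -s "$dir/session.key" "$dir/unwrapped.key" || return 1
    echo "$(cert_rsa_bits "$dir/cert.pem") $(( $(wc -c < "$dir/wrapped.bin") * 8 ))"
    rm -rf "$dir"
}

demo
```

The wrapped session key is exactly as long as the RSA modulus, so checking the certificate with `cert_rsa_bits` before importing it is enough to confirm that the encryption will be 2048-bit.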

  • Rajediva
    Rajediva
    7 Posts

    Re: RSA 2048 Encryption in Datapower

    ‏2013-06-27T10:18:51Z  
    • HermannSW
    • ‏2013-06-27T07:43:50Z

    What I know is that you should use the encrypt action and not self-crafted stylesheet solutions based on DataPower crypto extension functions.
    The reason is that it is really difficult to avoid e.g. oracle padding attacks, and the encrypt action already does all that for you.

    Also, you should do standards-based encryption. Your requirement of encrypting several fields "with RSA" is non-standard.

    Standards-based encryption is done with symmetric encryption; only the symmetric encryption key gets transferred RSA-encrypted to the other side.

    Find a wealth of information in redbook "IBM WebSphere DataPower SOA Appliances Part III: XML Security Guide":
    http://www.redbooks.ibm.com/abstracts/redp4365.html


    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>

    Thanks Hermann.

    Did you mean to say that, after RSA encryption of the fields, I should wrap it with symmetric encryption?

    Now that I have decided to go for the encrypt action, I am just trying to find out the best practices/standards for the same.

     

    Thanks,

    Rajediva

  • Rajediva
    Rajediva
    7 Posts

    Re: RSA 2048 Encryption in Datapower

    ‏2013-06-28T09:07:58Z  

    If you want to use 2048-bit RSA then it is up to you to use a private key and certificate that are 2048-bit.  The algorithm names do not include the bit length, so there is no special configuration at the action level to say that you want to use 2048-bit RSA.  Just make a key and cert object that are 2048-bit RSA and then use this key/cert/idcred when configuring your encryption actions.

    Yes. Thank you. I understand this now.

    Thanks a lot.