Topic
7 replies Latest Post - ‏2013-09-16T14:47:04Z by JoeMorganNTST
thotranh
thotranh
66 Posts
ACCEPTED ANSWER

Pinned topic securely transfer data from DATAPOWER

‏2013-09-04T19:00:48Z |

I am fairly new to the DATAPOWER .  I have a question, which could be a common problem.

I have a Multi Gateway protocol to proxy incoming requests to a back-end service. 

HTTPS request -> MTGW --> Backend HTTPS.

when the MTGW  intercepts the incoming requests, before it proxies that request to back-end, it needs to send along an additional piece of information , say, a password (that MTGW gets from a remote LDAP , for example). This password is clear-text.    I need to figure out a way to securely send this password ENCRYPTED to a back-end service and have this service know how to decrypt to get the clear-text password sent from the Datapower.

What would be the common ways to implement this ?

PLEASE ADVISE. 

(The back-end app server is kerberized with a keytab. I wonder if the DP can make use of this keytab to securely send this password)

  • JoeMorganNTST
    JoeMorganNTST
    257 Posts
    ACCEPTED ANSWER

    Re: securely transfer data from DATAPOWER

    ‏2013-09-04T19:38:21Z  in response to thotranh

    Why isn't the Backend HTTPS good enough for that?

    Otherwise, you can setup the User Agent of the XML Manager of the MPG to send a Basic-Auth login.

     

    • thotranh
      thotranh
      66 Posts
      ACCEPTED ANSWER

      Re: securely transfer data from DATAPOWER

      ‏2013-09-04T19:56:54Z  in response to JoeMorganNTST

      Sorry, password may be a bad example.  I did not mean for the DP to send the username/password to the backend to be authenticated.

      I just meant, how the DP should send some piece of data being encrypted and have it decrypted by a back-end service .

      Say, back-end service has a method

      public void getInformation (String data 1, String data 2, String password)  {}    in which "password" has nothing to do with user authentication.

      It's just another piece of information that "getInformation()" needs , but that "password" needs to be sent in in an encrypted fashion .

      I hope this makes sense...

       

      Thanks

      • JoeMorganNTST
        JoeMorganNTST
        257 Posts
        ACCEPTED ANSWER

        Re: securely transfer data from DATAPOWER

        ‏2013-09-04T21:20:09Z  in response to thotranh

        There may be many ways, depending upon the type of payload.   That is, if it is SOAP or XML, you could simply transform the message adding the password into it somewhere (hope validation will succeed), and then encrypt just that section.  If JSON, you could do that similarly, but, I'd then defer to something else, like a shared secret key.

        With all that said, if the entire payload to the back end is encrypted via SSL, you could send the password in the headers, in the payload, or even in the URL.

         

         

        • thotranh
          thotranh
          66 Posts
          ACCEPTED ANSWER

          Re: securely transfer data from DATAPOWER

          ‏2013-09-05T21:24:17Z  in response to JoeMorganNTST

          Hi,

          Thank you very much for your response.   The back-end service is a servlet (which is almost like a Restful service)

          SSL is not acceptable by the architect. So that option is out.

          Could you please shed some lights / provide more details on the "shared secret key" solution ?

          My understand is that we'd use the Datapower to generate a static private key ahead of time , store that key in the Datapower , and send it to the back-end service whenever it needs to decrypt the protected information in the payload (which was encrypted with the same key) ?

          Please advise.

          Chinh

          • JoeMorganNTST
            JoeMorganNTST
            257 Posts
            ACCEPTED ANSWER

            Re: securely transfer data from DATAPOWER

            ‏2013-09-05T21:32:30Z  in response to thotranh

            If SSL isn't acceptable by the architect, then sending the key with the request won't help either, since that key is only protected in transit with the payload. 

            You can used a shared secret key by generating a key with a keygen tool, something that should work in DataPower.  I've used AES keys for my cases where I encrypt in-flight data but that data is also decrypted in DataPower.

            In any case, you can use the encrypt action on the password only.

            You'll have to send the key to the client is some other secure way, and they *may* can use that key to decrypt the password.

             

            • thotranh
              thotranh
              66 Posts
              ACCEPTED ANSWER

              Re: securely transfer data from DATAPOWER

              ‏2013-09-06T13:36:26Z  in response to JoeMorganNTST

              So, if I perform the following steps :

              1/ generate an AES 256 key using Crypto Tool in the DP (eg. mykey.key)

              2/ give the key to the back-end service , which means it'll be installed / accessible by the back-end REST service .

              3/ use mykey.key to encrypt the protected data for the payload before sending it to the REST service

              4/ in the back-end, Java should be able to use that same key (mykey.key) to decrypt the information in the payload.

              It's a static solution. Does it sound a viable (though simple) solution ? Is there any security risk?

              Thank you very much