This article explains how to encrypt and decrypt documents using TrustedX.
The majority of security professionals are already familiar with the concepts of symmetric encryption and PKI, which, have been adopted by the more commonly used protocols for guaranteeing confidentiality on the Internet. SSL/TLS or IPSec are used for data encryption on the Internet. In the case of applications, the PKCS#7/CMS and XML-Enc standards are used for protecting documents, while S/MIME and WS-Security are used for messaging protection.
PKI usage enables global encryption for a group of people; however, it does entail managing the asymmetric keys and the digital certificates. PKI uses digital certificates to obtain the public key with which a symmetric encryption key will be encrypted. In this way, each recipient can access the encryption key and decrypt the data using a private key. The first step in the procedure is to assess the validity and trustworthiness of the digital certificates, in order to determine which recipients may access the data.
The digital certificates are renewed over time, or they may even change issuer. User privileges also change over time. This, therefore, requires an asymmetric key management and custody system, when the purpose of the data encryption is its archiving. This how to does not deal with the long-term management of encryption keys in TrustedX.
Document encryption and decryption using TrustedX
Where the application is concerned, implementing the data encryption or decryption process using TrustedX will consist in consuming a TrustedX service.
The application must send the document or documents, which are to be encrypted, to TrustedX, indicating the desired encryption format and indicating who will have access to the document. TrustedX will then have the responsibility of collecting the appropriate certificates, validating them and using them to encrypt the data.
In terms of data decryption, one of the advantages of TrustedX is that the applications are completely removed from key decryption and from certificate management. Furthermore, TrustedX provides a secure and easy-to-audit environment in which to retain the application's private keys. All management tasks (requests, revocation and key renewal) are automated and are transparent to the applications.
Encryption policy management is also delegated to TrustedX, thereby making for a centralized management system. The use of policies makes it possible to establish certain parameters, depending on the classification level of the data, in a way that is transparent to the applications. Examples are: determining which encryption algorithms are admitted, how and when recipient certificates are to be selected and exactly how the certificates are to be verified before the cyphering is performed.
The TrustedX encryption services can be used as SOAP/WS, REST/WS, or via the TrustedX Java API.
Next, you will see an example of a document encryption request, where the data to be signed are included in the <css:EncryptRequest> element. In this case, the list of recipients is provided by its DN:
<SOAP-ENV:Envelope Attributes> <SOAP-ENV:Header> ... </SOAP-ENV:Header> <SOAP-ENV:Body Attributes> <css: EncryptRequest Profile="urn:safelayer:tws:de:1.0:profiles:cmspkcs7enc:1.0:encrypt" Attributes> ... <dss:OptionalInputs> ... <css:Recipients> <css:Recipient> <css:KeySelector> <css:Name Attributes>CN=Homer Simpson, O=Safelayer, C=Es</css:Name> </css:KeySelector> </css:Recipient> </css:Recipients> </dss:OptionalInputs> <dss:InputDocuments>…</dss:InputDocuments> </css: EncryptRequest > </SOAP-ENV:Body> </SOAP-ENV:Envelope>