Document Encryption - Implementation Notes and Examples: Difference between revisions
Created page with "== Tooling == == Example files ==" |
No edit summary |
||
| Line 1: | Line 1: | ||
== Introduction === | |||
This page intends to support the implementation of the Document Encryption (DEN) profile by providing examples and information on tooling support. | |||
== Tooling == | == Tooling == | ||
=== CMS === | |||
{| class="wikitable" | |||
|- | |||
! Software | |||
! version | |||
! encryption (AES) | |||
! password | |||
! PKI | |||
! shared key | |||
! digest (SHA-256) | |||
! signature (RSA) | |||
! note | |||
|- | |||
| openssl | |||
| 1.0.0-d | |||
| + | |||
| - | |||
| + (note 1) | |||
| + | |||
| + | |||
| + | |||
| + | |||
|- | |||
| BouncyCastle | |||
| | |||
| | |||
| | |||
| | |||
| | |||
| | |||
| | |||
| | |||
|} | |||
==== Interoperability ==== | |||
The following have been verified as being interoperable: | |||
* OpenSSL with Bouncycastle. Tested features: PKI and password key management methods, AES encryption, signature | |||
TBD: interoperability matrix | |||
==== Special cases === | |||
TBD: special cases, e.g. multiple recipients | |||
==== OpenSSL example === | |||
The following example demonstrates encryption of a file according to the CMS profile: | |||
<blockquote> | |||
openssl cms -binary -digest_create -md sha256 -in doc.mime -outform der -out doc.digested | |||
openssl cms -encrypt -binary -econtent_type pkcs7-digestData -aes256 -in doc.digested -keyform pem -inkey privatekey.pem -outform der -out doc.digested.encrypted_cert certificate.pem | |||
</blockquote> | |||
notes: | |||
*assumption: doc.mime contains mime-wrapped document | |||
*proper handling of the econtent_type option requires a small patch | |||
*example uses PKI key management method, AES-256 CBC encryption, SHA-256 digest | |||
And decryption: | |||
<blockquote> | |||
openssl cms -decrypt -inform der -in doc.digested.encrypted_cert -keyform pem -inkey recipientprivk.pem -outform der -out doc.digested.encrypted_cert.decrypted | |||
openssl cms -digest_verify -inform der -in doc.digested.encrypted_cert.decrypted -outform der -out doc.digested.encrypted_cert.decrypted.verified | |||
</blockquote> | |||
notes: | |||
* doc.digested.encrypted_cert.decrypted.verified should equal doc.mime | |||
A script demonstrating all key management methods (PKI, password, symmetric key), algorithms, signature, digest is available in the example files package. | |||
== Document Encryption (DEN) == | |||
=== MIME === | |||
Example MIME header for DEN: | |||
<blockquote> | |||
MIME-Version: 1.0<br> | |||
Content-Type: application/octet-stream<br> | |||
Content-Transfer-Encoding: binary<br> | |||
Content-Disposition: attachment; filename=doc.bin | |||
</blockquote> | |||
== XDM Media Encryption option == | |||
TBD: provide example on CMS encapsulation of ZIP-ed XDM media content (without MIME wrapper). | |||
== Example files == | == Example files, scripts, patches == | ||
A ZIP archive with example files and scripts demonstrating the application of CMS can be downloaded from the IHE FTP site: | |||
<< url >> | |||
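Review bot: the heading markup is unbalanced in three added lines, "== Introduction ===", "==== Special cases ===" and "==== OpenSSL example ===", so each renders with a stray "=" in its title; make the opening and closing runs of "=" the same length. In the tooling table, the openssl PKI cell refers to "note 1", but no such note is defined anywhere in the added text. In the encryption example, the command passes "-inkey privatekey.pem" next to "certificate.pem", while decryption uses "recipientprivk.pem"; state whose key privatekey.pem is, or drop the option if the recipient certificate is the only key input intended. The download location is still the placeholder "<< url >>".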
Revision as of 05:59, 31 July 2011
Introduction
This page intends to support the implementation of the Document Encryption (DEN) profile by providing examples and information on tooling support.
Tooling
CMS
| Software | version | encryption (AES) | password | PKI | shared key | digest (SHA-256) | signature (RSA) | note |
|---|---|---|---|---|---|---|---|---|
| openssl | 1.0.0-d | + | - | + (note 1) | + | + | + | + |
| BouncyCastle | | | | | | | | |
Interoperability
The following have been verified as being interoperable:
- OpenSSL with BouncyCastle. Tested features: PKI and password key management methods, AES encryption, signature
TBD: interoperability matrix
Special cases
TBD: special cases, e.g. multiple recipients
OpenSSL example
The following example demonstrates encryption of a file according to the CMS profile:
openssl cms -binary -digest_create -md sha256 -in doc.mime -outform der -out doc.digested
openssl cms -encrypt -binary -econtent_type pkcs7-digestData -aes256 -in doc.digested -keyform pem -inkey privatekey.pem -outform der -out doc.digested.encrypted_cert certificate.pem
Notes:
- Assumption: doc.mime contains the MIME-wrapped document.
- Proper handling of the econtent_type option requires a small patch.
- The example uses the PKI key management method, AES-256 CBC encryption and a SHA-256 digest.
And decryption:
openssl cms -decrypt -inform der -in doc.digested.encrypted_cert -keyform pem -inkey recipientprivk.pem -outform der -out doc.digested.encrypted_cert.decrypted
openssl cms -digest_verify -inform der -in doc.digested.encrypted_cert.decrypted -outform der -out doc.digested.encrypted_cert.decrypted.verified
Notes:
- doc.digested.encrypted_cert.decrypted.verified should equal doc.mime
A script demonstrating all key management methods (PKI, password, symmetric key), algorithms, signature and digest is available in the example files package.
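The digest-then-encrypt flow above as a self-contained round trip, added here as an example and not taken from the IHE example package. It assumes a throwaway self-signed recipient certificate and a constructed doc.mime, and it leaves out -econtent_type, which the notes above say needs a patch; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the IHE example package.
# Key, certificate and document below are constructed, throwaway test material.

den_setup() {    # $1 = empty work dir; creates doc.mime and a recipient key pair
    cd "$1" || return 1
    printf 'MIME-Version: 1.0\r\nContent-Type: application/octet-stream\r\n\r\nconstructed sample payload\n' > doc.mime
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=DEN example recipient' \
        -keyout recipientprivk.pem -out certificate.pem 2>/dev/null
}

den_protect() {  # $1 = input, $2 = output: SHA-256 digestedData, then AES-256 envelope
    openssl cms -binary -digest_create -md sha256 -in "$1" -outform der -out "$1.digested" &&
    openssl cms -encrypt -binary -aes256 -in "$1.digested" -outform der -out "$2" certificate.pem
}

den_open() {     # $1 = input, $2 = output: decrypt, then check the digest
    openssl cms -decrypt -inform der -in "$1" -inkey recipientprivk.pem -out "$1.dec" &&
    openssl cms -digest_verify -inform der -in "$1.dec" -out "$2" 2>/dev/null
}

den_roundtrip() {        # returns 0 when the recovered file is byte-identical
    ( d=$(mktemp -d) && den_setup "$d" && den_protect doc.mime doc.enc &&
      den_open doc.enc doc.out && cmp -s doc.mime doc.out
      rc=$?; rm -rf "$d"; exit $rc )
}

den_tamper_detected() {  # returns 0 when an altered digestedData is rejected
    ( d=$(mktemp -d) && den_setup "$d" &&
      openssl cms -binary -digest_create -md sha256 -in doc.mime -outform der -out good.der &&
      LC_ALL=C tr 'p' 'q' < good.der > bad.der &&   # alters the payload bytes
      ! openssl cms -digest_verify -inform der -in bad.der -out /dev/null 2>/dev/null
      rc=$?; rm -rf "$d"; exit $rc )
}

den_roundtrip && den_tamper_detected && echo "round trip ok, tampering detected"
```

The second function shows what the digestedData layer contributes: the AES-CBC envelope carries no integrity check of its own, so a changed payload is caught only at the -digest_verify step.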
Document Encryption (DEN)
MIME
Example MIME header for DEN:
MIME-Version: 1.0
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=doc.bin
XDM Media Encryption option
TBD: provide example on CMS encapsulation of ZIP-ed XDM media content (without MIME wrapper).
Example files, scripts, patches
A ZIP archive with example files and scripts demonstrating the application of CMS can be downloaded from the IHE FTP site: << url >>