Difference between revisions of "Document Encryption - Implementation Notes and Examples"
(Created page with "== Tooling == == Example files ==") |
|||
Line 1: | Line 1: | ||
+ | == Introduction === | ||
+ | This page intends to support the implementation of the Document Encryption (DEN) profile by providing examples and information on tooling support. | ||
+ | |||
== Tooling == | == Tooling == | ||
+ | === CMS === | ||
+ | |||
+ | {| class="wikitable" | ||
+ | |- | ||
+ | ! Software | ||
+ | ! version | ||
+ | ! encryption (AES) | ||
+ | ! password | ||
+ | ! PKI | ||
+ | ! shared key | ||
+ | ! digest (SHA-256) | ||
+ | ! signature (RSA) | ||
+ | ! note | ||
+ | |- | ||
+ | | openssl | ||
+ | | 1.0.0-d | ||
+ | | + | ||
+ | | - | ||
+ | | + (note 1) | ||
+ | | + | ||
+ | | + | ||
+ | | + | ||
+ | | + | ||
+ | |- | ||
+ | | BouncyCastle | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | |} | ||
+ | |||
+ | ==== Interoperability ==== | ||
+ | |||
+ | The following have been verified as being interoperable: | ||
+ | * OpenSSL with Bouncycastle. Tested features: PKI and password key management methods, AES encryption, signature | ||
+ | |||
+ | TBD: interoperability matrix | ||
+ | |||
+ | ==== Special cases === | ||
+ | TBD: special cases, e.g. multiple recipients | ||
+ | |||
+ | ==== OpenSSL example === | ||
+ | The following example demonstrates encryption of a file according to the CMS profile: | ||
+ | <blockquote> | ||
+ | openssl cms -binary -digest_create -md sha256 -in doc.mime -outform der -out doc.digested | ||
+ | |||
+ | openssl cms -encrypt -binary -econtent_type pkcs7-digestData -aes256 -in doc.digested -keyform pem -inkey privatekey.pem -outform der -out doc.digested.encrypted_cert certificate.pem | ||
+ | </blockquote> | ||
+ | notes: | ||
+ | *assumption: doc.mime contains mime-wrapped document | ||
+ | *proper handling of the econtent_type option requires a small patch | ||
+ | *example uses PKI key management method, AES-256 CBC encryption, SHA-256 digest | ||
+ | |||
+ | And decryption: | ||
+ | <blockquote> | ||
+ | openssl cms -decrypt -inform der -in doc.digested.encrypted_cert -keyform pem -inkey recipientprivk.pem -outform der -out doc.digested.encrypted_cert.decrypted | ||
+ | |||
+ | openssl cms -digest_verify -inform der -in doc.digested.encrypted_cert.decrypted -outform der -out doc.digested.encrypted_cert.decrypted.verified | ||
+ | </blockquote> | ||
+ | notes: | ||
+ | * doc.digested.encrypted_cert.decrypted.verified should equal doc.mime | ||
+ | |||
+ | A script demonstrating all key management methods (PKI, password, symmetric key), algorithms, signature, digest is available in the example files package. | ||
+ | |||
+ | == Document Encryption (DEN) == | ||
+ | |||
+ | === MIME === | ||
+ | Example MIME header for DEN: | ||
+ | <blockquote> | ||
+ | MIME-Version: 1.0<br> | ||
+ | Content-Type: application/octet-stream<br> | ||
+ | Content-Transfer-Encoding: binary<br> | ||
+ | Content-Disposition: attachment; filename=doc.bin | ||
+ | </blockquote> | ||
+ | |||
+ | == XDM Media Encryption option == | ||
+ | TBD: provide example on CMS encapsulation of ZIP-ed XDM media content (without MIME wrapper). | ||
− | == Example files == | + | == Example files, scripts, patches == |
+ | A ZIP archive with example files and scripts demonstrating the application of CMS can be downloaded from the IHE FTP site: | ||
+ | << url >> |
Revision as of 05:59, 31 July 2011
Introduction =
This page intends to support the implementation of the Document Encryption (DEN) profile by providing examples and information on tooling support.
Tooling
CMS
Software | version | encryption (AES) | password | PKI | shared key | digest (SHA-256) | signature (RSA) | note |
---|---|---|---|---|---|---|---|---|
openssl | 1.0.0-d | + | - | + (note 1) | + | + | + | + |
BouncyCastle |
Interoperability
The following have been verified as being interoperable:
- OpenSSL with Bouncycastle. Tested features: PKI and password key management methods, AES encryption, signature
TBD: interoperability matrix
= Special cases
TBD: special cases, e.g. multiple recipients
= OpenSSL example
The following example demonstrates encryption of a file according to the CMS profile:
openssl cms -binary -digest_create -md sha256 -in doc.mime -outform der -out doc.digested
openssl cms -encrypt -binary -econtent_type pkcs7-digestData -aes256 -in doc.digested -keyform pem -inkey privatekey.pem -outform der -out doc.digested.encrypted_cert certificate.pem
notes:
- assumption: doc.mime contains mime-wrapped document
- proper handling of the econtent_type option requires a small patch
- example uses PKI key management method, AES-256 CBC encryption, SHA-256 digest
And decryption:
openssl cms -decrypt -inform der -in doc.digested.encrypted_cert -keyform pem -inkey recipientprivk.pem -outform der -out doc.digested.encrypted_cert.decrypted
openssl cms -digest_verify -inform der -in doc.digested.encrypted_cert.decrypted -outform der -out doc.digested.encrypted_cert.decrypted.verified
notes:
- doc.digested.encrypted_cert.decrypted.verified should equal doc.mime
A script demonstrating all key management methods (PKI, password, symmetric key), algorithms, signature, digest is available in the example files package.
Document Encryption (DEN)
MIME
Example MIME header for DEN:
MIME-Version: 1.0
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=doc.bin
XDM Media Encryption option
TBD: provide example on CMS encapsulation of ZIP-ed XDM media content (without MIME wrapper).
Example files, scripts, patches
A ZIP archive with example files and scripts demonstrating the application of CMS can be downloaded from the IHE FTP site: << url >>