Difference between revisions of "Document Encryption - Implementation Notes and Examples"
(Created page with "== Tooling == == Example files ==") |
|||
| Line 1: | Line 1: | ||
| + | == Introduction === | ||
| + | This page intends to support the implementation of the Document Encryption (DEN) profile by providing examples and information on tooling support. | ||
| + | |||
== Tooling == | == Tooling == | ||
| + | === CMS === | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Software | ||
| + | ! version | ||
| + | ! encryption (AES) | ||
| + | ! password | ||
| + | ! PKI | ||
| + | ! shared key | ||
| + | ! digest (SHA-256) | ||
| + | ! signature (RSA) | ||
| + | ! note | ||
| + | |- | ||
| + | | openssl | ||
| + | | 1.0.0-d | ||
| + | | + | ||
| + | | - | ||
| + | | + (note 1) | ||
| + | | + | ||
| + | | + | ||
| + | | + | ||
| + | | + | ||
| + | |- | ||
| + | | BouncyCastle | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |} | ||
| + | |||
| + | ==== Interoperability ==== | ||
| + | |||
| + | The following have been verified as being interoperable: | ||
| + | * OpenSSL with Bouncycastle. Tested features: PKI and password key management methods, AES encryption, signature | ||
| + | |||
| + | TBD: interoperability matrix | ||
| + | |||
| + | ==== Special cases === | ||
| + | TBD: special cases, e.g. multiple recipients | ||
| + | |||
| + | ==== OpenSSL example === | ||
| + | The following example demonstrates encryption of a file according to the CMS profile: | ||
| + | <blockquote> | ||
| + | openssl cms -binary -digest_create -md sha256 -in doc.mime -outform der -out doc.digested | ||
| + | |||
| + | openssl cms -encrypt -binary -econtent_type pkcs7-digestData -aes256 -in doc.digested -keyform pem -inkey privatekey.pem -outform der -out doc.digested.encrypted_cert certificate.pem | ||
| + | </blockquote> | ||
| + | notes: | ||
| + | *assumption: doc.mime contains mime-wrapped document | ||
| + | *proper handling of the econtent_type option requires a small patch | ||
| + | *example uses PKI key management method, AES-256 CBC encryption, SHA-256 digest | ||
| + | |||
| + | And decryption: | ||
| + | <blockquote> | ||
| + | openssl cms -decrypt -inform der -in doc.digested.encrypted_cert -keyform pem -inkey recipientprivk.pem -outform der -out doc.digested.encrypted_cert.decrypted | ||
| + | |||
| + | openssl cms -digest_verify -inform der -in doc.digested.encrypted_cert.decrypted -outform der -out doc.digested.encrypted_cert.decrypted.verified | ||
| + | </blockquote> | ||
| + | notes: | ||
| + | * doc.digested.encrypted_cert.decrypted.verified should equal doc.mime | ||
| + | |||
| + | A script demonstrating all key management methods (PKI, password, symmetric key), algorithms, signature, digest is available in the example files package. | ||
| + | |||
| + | == Document Encryption (DEN) == | ||
| + | |||
| + | === MIME === | ||
| + | Example MIME header for DEN: | ||
| + | <blockquote> | ||
| + | MIME-Version: 1.0<br> | ||
| + | Content-Type: application/octet-stream<br> | ||
| + | Content-Transfer-Encoding: binary<br> | ||
| + | Content-Disposition: attachment; filename=doc.bin | ||
| + | </blockquote> | ||
| + | |||
| + | == XDM Media Encryption option == | ||
| + | TBD: provide example on CMS encapsulation of ZIP-ed XDM media content (without MIME wrapper). | ||
| − | == Example files == | + | == Example files, scripts, patches == |
| + | A ZIP archive with example files and scripts demonstrating the application of CMS can be downloaded from the IHE FTP site: | ||
| + | << url >> | ||
Revision as of 05:59, 31 July 2011
Introduction =
This page intends to support the implementation of the Document Encryption (DEN) profile by providing examples and information on tooling support.
Tooling
CMS
| Software | version | encryption (AES) | password | PKI | shared key | digest (SHA-256) | signature (RSA) | note |
|---|---|---|---|---|---|---|---|---|
| openssl | 1.0.0-d | + | - | + (note 1) | + | + | + | + |
| BouncyCastle |
Interoperability
The following have been verified as being interoperable:
- OpenSSL with Bouncycastle. Tested features: PKI and password key management methods, AES encryption, signature
TBD: interoperability matrix
= Special cases
TBD: special cases, e.g. multiple recipients
= OpenSSL example
The following example demonstrates encryption of a file according to the CMS profile:
openssl cms -binary -digest_create -md sha256 -in doc.mime -outform der -out doc.digested
openssl cms -encrypt -binary -econtent_type pkcs7-digestData -aes256 -in doc.digested -keyform pem -inkey privatekey.pem -outform der -out doc.digested.encrypted_cert certificate.pem
notes:
- assumption: doc.mime contains mime-wrapped document
- proper handling of the econtent_type option requires a small patch
- example uses PKI key management method, AES-256 CBC encryption, SHA-256 digest
And decryption:
openssl cms -decrypt -inform der -in doc.digested.encrypted_cert -keyform pem -inkey recipientprivk.pem -outform der -out doc.digested.encrypted_cert.decrypted
openssl cms -digest_verify -inform der -in doc.digested.encrypted_cert.decrypted -outform der -out doc.digested.encrypted_cert.decrypted.verified
notes:
- doc.digested.encrypted_cert.decrypted.verified should equal doc.mime
A script demonstrating all key management methods (PKI, password, symmetric key), algorithms, signature, digest is available in the example files package.
Document Encryption (DEN)
MIME
Example MIME header for DEN:
MIME-Version: 1.0
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=doc.bin
XDM Media Encryption option
TBD: provide example on CMS encapsulation of ZIP-ed XDM media content (without MIME wrapper).
Example files, scripts, patches
A ZIP archive with example files and scripts demonstrating the application of CMS can be downloaded from the IHE FTP site: << url >>