EldoS | Feel safer!
Getting started with Encryption Decryption

#31976
Posted: 01/22/2015 05:48:32
by Jaap van Popta (Basic support level)
Joined: 01/22/2015
Posts: 13

Hi,

I am currently involved in a project where I need to receive signed (RSA) and encrypted (3DES) messages, so I need to verify and decrypt received messages, and sign and encrypt messages before sending.

I cannot get this to work using the standard BizTalk stuff, so I thought I'd have a look at BizCrypto.


But the problem is that I can't find a lot of documentation on this.
I would prefer to use the certificates from the Windows certificate store.

Can you please supply me with a (link to a) description of how to get started:
which pipeline to use (for receiving, PKISigReceive?) and how to configure it.

Many Thanks
#31977
Posted: 01/22/2015 06:28:21
by Ken Ivanov (EldoS Corp.)

Hi Jaap,

Thank you for contacting us.

Before we continue, could you please clarify which standard the encrypted and signed messages are supposed to be compliant to? There are a number of different standards, and PKISigReceive only works with PKCS#7 signatures. So it is vital to confirm that incoming and outgoing messages are/are supposed to be PKCS#7 compatible before we advise you on the way the pipelines should be used.

Ken
#31988
Posted: 01/23/2015 04:42:56
by Jaap van Popta (Basic support level)
Joined: 01/22/2015
Posts: 13

Hi Ken,

Thanks for your reply; attached you will find a snippet of the documentation regarding the standards to be used.

After some further investigation it looks to me like I should use the SMIME receive pipeline, but I'm still not sure.

Thanks, Jaap


#31989
Posted: 01/23/2015 05:01:23
by Jaap van Popta (Basic support level)
Joined: 01/22/2015
Posts: 13

Hmm, it looks like the attachment is not working; here it is in text:

Digital signature and encryption algorithm used for session key
Alg: RSA
Standard: PKCS#1; RFC3447
Supported versions: v1.2 and

Hash algorithm
Alg: SHA1
Standard: RFC3174
Supported versions: n/a

Encryption algorithm used for data
Alg: 3DES EDE3 CBC
Standard: n/a
Supported versions: n/a

Format secure data
Alg: CMS
Standard: RFC3852
Supported versions: RFC3852

Code secure
Alg: DER
Standard: X.690
Supported versions: n/a
#31990
Posted: 01/23/2015 05:16:52
by Ken Ivanov (EldoS Corp.)

Hi Jaap,

Thank you for the details. According to the standards suggested, PKI pipelines are the ones that are applicable to your environment.

The next step would be to find out the order of operations - i.e. should the data first be encrypted then signed or the other way round (signed then encrypted). That will advise on the order to be applied to the pipeline components (you will need two pipelines in a row for both protection and unprotection directions, one for dealing with encrypted messages and the other for dealing with enveloped/enveloping signed ones).

Ken
#31991
Posted: 01/23/2015 05:26:16
by Jaap van Popta (Basic support level)
Joined: 01/22/2015
Posts: 13

Hi Ken,

The order of the operations is described by the documentation in detail. See below.
It looks like first sign and then encrypt.


1 Generate a hash of the Data file
Encryption: SHA1
Result: Hash at the moment of sending

2 Encrypt hash by Private key of customer
Encryption: RSA Encryption
Result: Digital signature

3 Data and signature are included in an envelope (“Signed Data”), ready to be encrypted according to CMS standard
Encryption: -
Result: Signed Data

4 Generate a 128 bit data encryption key (session key)
Encryption: -
Result: The unwrapped session key

5 Encrypt unwrapped session key with public key of ING
Encryption: RSA Encryption
Result: The wrapped session key

6 Encrypt Data file with unwrapped session key
Encryption: 3DES EDE CBC
Result: Encrypted Signed Data

7 Create Enveloped Data according to CMS standard
Encryption: -
Result: Enveloped Data

8 Encode file using encoding algorithm DER (Distinguished Encoding Rules)
Encryption: DER
Result: DER Encoded CMS file
#31992
Posted: 01/23/2015 06:41:33
by Jaap van Popta (Basic support level)
Joined: 01/22/2015
Posts: 13

Hi Ken,

I also have another question:
I installed BizCrypto on a BT2013 R2 environment, but it looks like the pipeline components are not valid.
I cannot select them in the Toolbox, and when I run a default pipeline, I get the following error:

There was a failure executing the receive pipeline: "BizCrypto.BizTalk.DefaultPipelines.SMIMEReceive, BizCrypto.BizTalk.DefaultPipelines, Version=11.0.255.0, Culture=neutral, PublicKeyToken=cca2e44e2b320358" Source: "Unknown " Receive Port: "RP_BC_Decrypt" URI: "C:\BizTalk\BizCrypto\Decrypt\In\*" Reason: The pipeline component BizCrypto.BizTalk.Pipelines.SMIME.Unprotect,BizCrypto.BizTalk.Pipelines.SMIME, Version=11.0.255.0, Culture=neutral, PublicKeyToken=cca2e44e2b320358 can not be found. If the component name is fully qualified, this error may occur because the pipeline component can not be found in the assembly.
#31994
Posted: 01/23/2015 15:50:39
by Ken Ivanov (EldoS Corp.)

Hi Jaap,

Quote
The order of the operations is described by the documentation in detail. See below. It looks like first sign and then encrypt.

Yes, that's right. Then the order of pipelines on the protection stage should be as follows:
- PKI signer,
- PKI encryptor.

On the decryption stage, the pipelines will go in the reverse order:
- PKI decryptor,
- PKI verifier.

Now, on the protection stage you would normally set the following properties:

1. PKI signer:
- SignatureType: PublicKey (0),
- SignatureOperationType: Sign (0),
- Detached: False,
- HashAlgorithm: SHA1 (2),
- SigningCerts: a path to the signing certificates file (PFX or PEM format assumed),
- SigningCertsPassword: a password for the certificates file,
- SigningCertsSource: File (0),
- IncludeCerts: True,
- InsertMessageDigests: True,
- InsertSigningTime: True,
- LicenseKey: BizCrypto license key (evaluation or full).

2. PKI encryptor:
- EncryptionType: PublicKey (0),
- RecipientCerts: a path to the recipient's certificate file (no private key required; DER or PEM format assumed),
- RecipientCertsPassword: normally you would not need that, as recipients' certificates are rarely encrypted,
- RecipientCertsSource: File (0),
- EncryptionAlgorithm: TripleDES (2),
- LicenseKey: BizCrypto license key.

Quote
I installed BizCrypto on a BT2013 R2 environment, but it looks like the pipeline components are not valid.

Hmm, looks like an installation issue. Please re-check that the pipeline assemblies have been installed to the GAC (C:\Windows\Microsoft.NET\assembly\GAC_MSIL, look for BizCrypto.BizTalk.Pipelines.* directories) and to the BizTalk pipeline directory (%BTSDIR%\Pipeline Components).

Ken
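Two of the posts above describe the message structure the pipelines must handle: Jaap's eight-step sign-then-encrypt procedure (CMS SignedData wrapped in EnvelopedData, DER encoded) and Ken's reverse order on receipt (PKI decryptor first, then PKI verifier). The following is an added example, not code from this thread or from BizCrypto: a stdlib-only Python DER walker that identifies the outer CMS layer of an incoming message and checks the content cipher against the quoted spec before choosing the next component. The OID values are the standard RFC 3852 / PKCS assignments; the sample message is constructed here and carries no real recipient or ciphertext.

```python
# Added example (not code from the thread or from BizCrypto): a stdlib-only X.690 DER walker that
# identifies the outer CMS (RFC 3852) layer of a message and checks it against the quoted spec.
OIDS = {"1.2.840.113549.1.7.2": "signedData", "1.2.840.113549.1.7.3": "envelopedData",
        "1.2.840.113549.1.7.1": "data", "1.2.840.113549.3.7": "des-ede3-cbc"}
def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def cms_layer(msg: bytes) -> dict:
    """Outer ContentInfo type and, for EnvelopedData, the content-encryption cipher."""
    tag, ci, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (ContentInfo)")
    _, oid, p = read_tlv(ci)
    info = {"type": OIDS.get(decode_oid(oid), "unknown")}
    if info["type"] == "envelopedData":
        _, env, _ = read_tlv(read_tlv(ci, p)[1])    # [0] EXPLICIT -> EnvelopedData SEQUENCE
        _, _, p = read_tlv(env)                     # version INTEGER
        tag, _, p = read_tlv(env, p)                # [0] originatorInfo OPTIONAL, else recipientInfos
        if tag == 0xA0:
            _, _, p = read_tlv(env, p)              # recipientInfos SET
        _, eci, _ = read_tlv(env, p)                # encryptedContentInfo SEQUENCE
        alg = read_tlv(eci, read_tlv(eci)[2])[1]    # skip contentType OID -> AlgorithmIdentifier
        info["cipher"] = OIDS.get(decode_oid(read_tlv(alg)[1]), "unknown")
    return info
def next_pipeline(msg: bytes) -> str:
    """Unprotection order from the thread: PKI decryptor on the outer layer, then PKI verifier."""
    layer = cms_layer(msg)
    if layer["type"] == "envelopedData" and layer["cipher"] != "des-ede3-cbc":
        raise ValueError("content cipher is not 3DES EDE CBC: " + layer["cipher"])
    return {"envelopedData": "PKI decryptor", "signedData": "PKI verifier"}.get(layer["type"], "reject")
def der(tag: int, payload: bytes) -> bytes:     # DER TLV encoder, only for the constructed sample
    n, size = len(payload), (len(payload).bit_length() + 7) // 8
    return bytes([tag, n]) + payload if n < 128 else bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload
def sample_enveloped() -> bytes:
    """Constructed EnvelopedData: no recipients, des-ede3-cbc AlgorithmIdentifier, dummy ciphertext."""
    alg = der(0x30, bytes.fromhex("06082a864886f70d0307") + der(4, bytes(8)))          # des-ede3-cbc + IV
    eci = der(0x30, bytes.fromhex("06092a864886f70d010701") + alg + der(0x80, b"\xaa" * 24))
    env = der(0x30, der(2, b"\x00") + der(0x31, b"") + eci)                            # version 0
    return der(0x30, bytes.fromhex("06092a864886f70d010703") + der(0xA0, env))         # ContentInfo
```

Running `next_pipeline` on the outer bytes before the first component is the practical form of Ken's "confirm the message is PKCS#7 compatible" step: a message whose outer layer is not EnvelopedData with the mandated cipher never reaches the decryptor.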
#32003
Posted: 01/26/2015 02:07:45
by Jaap van Popta (Basic support level)
Joined: 01/22/2015
Posts: 13

Hi Ken,

Thanks for your help. I will try the way you stated, that is, when the installation is working ;-).

The DLLs are in the locations you asked about.
But it looks like there is something wrong with the DLLs: when I try to select one in the Toolbox it says "You have selected an invalid Pipeline Component Assembly...."

Will try it on a BizTalk Server 2013 (not R2) machine I have.
Maybe you have a previous version to check if that one does work...

Jaap
#32004
Posted: 01/26/2015 02:28:16
by Jaap van Popta (Basic support level)
Joined: 01/22/2015
Posts: 13

Tried the other machine and it also fails there; I tried to receive a message through a pipeline and get the same error:

The pipeline component BizCrypto.BizTalk.Pipelines.PKI.Verify,BizCrypto.BizTalk.Pipelines.PKI, Version=11.0.255.0, Culture=neutral, PublicKeyToken=cca2e44e2b320358 can not be found. If the component name is fully qualified, this error may occur because the pipeline component can not be found in the assembly.