Encryption

Syndicate content 10 

Thanks for all replies in advance.  We have a security vulnerability that we have to get rid of.  We use Putty software to connect to cache as a terminal allowing several users to do maintenance work in cache.  this uses telnet Plain text.  I know that we can configure telnet to be encrypted using the super server service and I'm looking for software that can work like Putty as a terminal using encryption compatible with cache telnet encryption.   If I have cache installed on my PC and setup a connection to the server using Kerberos with encryption and use the terminal option to connect to the server will it be encrypted or will the terminal telnet session still be plain text.  

 

Last answer 2 May 2019 Last comment 6 May 2019
0   0 4
82

views

0

rating

Howdy, Developer Community!

 

Here’s a fun little formatting problem you may run into when trying to use the RSAEncrypt method of %SYSTEM.Encryption (also useable as $System.Encryption.RSAEncrypt()!), which is documented here:

https://docs.intersystems.com/latest/csp/documatic/%25CSP.Documatic.cls?...

Last comment 7 April 2019
+ 5   0 2
127

views

+ 5

rating

Hello,

Looking for some help on how I actually set the properties to enable tracing for %Net.SSH.Session ?

The doc is here:

https://docs.intersystems.com/latest/csp/documatic/%25CSP.Documatic.cls?...

The values look bitwise in their defaultness and I cant seem to figure out how to enable it in my object (or if I am going about this wrong altogether).  I am troubleshooting an elusive ssh error: unable to exchange encryption keys in a catch at the moment.

Would appreciate a clue if anybody has experience with it... thank you.

-Ron

Last answer 6 September 2018 Last comment 6 September 2018
0   0 2
84

views

0

rating

Hi,

I have a client who is considering encryption options in order to comply with a tendering requirement.

Were they to encrypt the production database then what would be a reasonable expectation forthe impact on message throughput. Or possibly more easily answered: what would be the expected impact be on I/O rate and CPU utilization. Are there any benchmarks to which could support an estimate ?

How would this compare with plan B: to use disk encryption ?

Thanks

Last comment 9 May 2018
0   0 5
0

answers

203

views

0

rating

Hello,

Sorry for my epic english :(

 

I have a strange issue.

I have generated an encryption key with the tool (UI.Portal.EncryptionCreate.zen).

Then  I activate my key for data encryption (UI.Portal.EncryptionManaged) and encryption work fine.

But when I reboot my server the key is removed from the data encryption key list (UI.Portal.EncryptionManaged) and I have to re-activate the key.

 

Perhaps somebody have an idee ?

Cache version : Cache for Windows (x86-64) 2016.2.2 (Build 853U)

Windows: Windows Server 2012 R2 Standard

 

Thanks

 

Sébastien

Last answer 10 November 2017 Last comment 10 November 2017
0   0 1
133

views

0

rating

A request came from a customer to estimate how long it would take to encrypt a database with cvencrypt utility.

This question is a little bit like how long is a piece of string — it depends. But its an interesting question. The answer primarily depends on the performance of CPU and storage on the target platform the customer is using, so the answer is more about coming up with a simple methodology that can be used to benchmark the CPU and storage while running cvencrypt.

Methodology

  1. Copy a large and representative CACHE.DAT file to target storage
  2. Create a keyfile via System Management Portal (includes a key)
  3. Run the cvencrypt over your sample CACHE.DAT file (as below)

The following shows the process once the test file is in place

+ 5   0 1
0

comments

340

views

+ 5

rating

Hello; We are managing several Ensemble instances on several servers.  One server has 4 instances, and two other servers have one instance each (those are production servers).  We encrypt all instances using the Caché encryption in the management portal.

 

Currently we are using two different encryption keys: 1 key on the server with 4 instances, which is used for all 4 instances, and a second key on single-instance server. ( I'm installing the newest production server now.)

 

What I'd like to know is what are the best practices for managing encryption keys for separate servers. 

The options are to use a single key, across the network, for all instances.  The pros for this are if we remove an encryption administrator username, the user is removed from all instances; just one key is maintained and backed up.  The con is that the key will reside across the network (I haven't dones this yet)

Last answer 6 November 2017
+ 1   0 1
0

comments

172

views

+ 1

rating

Hi, Community! 

Please find the Developer Community Video of the week on DC YouTube Channel:

System Sizing for Insanely Large Deployments

 

0   0 1
0

comments

118

views

0

rating

Trying to use AES encryption for a url.  I have a plain text string, a 16-byte key and a initialization vector.  I am trying to match a C# implementation that uses RijndaelManaged class with a  BlockSize = 128, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7.  The output of the $SYSTEM.Encryption.AESCBCEncrypt(text,key,IV), doesn't match what is coming out of C#.  All inputs into the $SYSTEM.Encryption.AESCBCEncrypt(text,key,IV) are converted to UTF8 as in the documentation.

I can encrypt / decrypt in Caché as specified in the documentation, but the string is differet from the C#, so the url fails.

Thanks in advance.

Last answer 28 August 2017 Last comment 14 August 2017
0   0 3
559

views

0

rating

Hi,

I have a situation where I write a character stream to a file. The file content gets signed and the signature is sent to a service provider together with the file content.

The signing is done using openssl.

This works perfectly on a dev PC, which is runnning Windows and has a little-endian architecture.

The problem is as soon as I do this on the server, which has a big-endian architecture, the signed value is incorrect according to the service provider.

The content is signed using RSA SHA256 with PSS padding.

I've had a look at $nconvert, $sconvert, etc., but can't get to a solution.

Is there a way to convert the 8-bit character stream to little-endian format on the big-endian server using Cache or some other command?

Last answer 17 July 2017 Last comment 18 July 2017
0   0 2
1160

views

0

rating

Hi everyone,

I have a project which requires the sending of JSON messages to an external service provider using REST. The service provider requires the message contents to be signed.

Their instructions:

  1. Add a header called "Date" with the the date and time in a specific format - done
  2. Add the client's certificate password in a field in the header - done
  3. Create a string which consist of the {Date}{newline}{Password}{newline}{etc}{Message Body}.
    1. Convert to a UTF8 byte array
    2. SHA256 sign the value with the certificate and private key and use RSA PSS padding
    3. Base 64 Encode the value and place it in a Signature field in the header.

I've done the following

Last answer 11 July 2017 Last comment 13 July 2017
0   0 1
4763

views

0

rating

Overview

Encryption of sensitive data becomes more and more important for applications. For example patient names, SSN, address-data or credit card-numbers etc..

Cache supports different flavors of encryption. Block-level database encryption and data-element encryption. The block-level database encryption protects an entire database.  The decryption/encryption is done when a block is written/read to or from the database and has very little impact on the performance.

With data-element encryption only certain data-fields are encrypted.  Fields that contain sensitive data like patient data or credit-card numbers. Data-element encryption is also useful if a re-encryption is required periodically. With data-element encryption it is the responsibility of the application to encrypt/decrypt the data.

Both encryption methods leverage the managed key encryption infrastructure of Caché.

The following article describes a sample use-case where data-element encryption is used to encrypt person data.  

But what if you have hundreds of thousands of records with an encrypted datafield and you have the need to search that field? Decryption of the field-values prior to the search is not an option. What about indices?

This article describes a possible solution and develops step-by-step a small example how you can use SQL and indices to search encrypted fields. 

Last comment 16 March 2017
+ 4   0 1
753

views

+ 4

rating

The recent announcement of a collision for the SHA-1 hash algorithm has caused some consternation:

https://shattered.io/

Here is some background to help put this in perspective.

Cryptographic hash functions can have a variety of properties.  The property at issue here is:

"Collision resistance - it is computationally infeasible to find any two distinct inputs x, x' which hash to the same output, i.e., such that h(x) = h(x')."

(Menezes, van Oorchot, and Vanstone, "Handbook of Applied Cryptography", section 9.2.2

+ 2   0 4
0

comments

202

views

+ 2

rating

I'm currently re-engineering an application from CSP pages directly accessing COS Methods, to an Angular/Material front end accessing a REST DAL.  Both the Angular front end and REST services are hosted from the same Caché instance and the same namespace, but the REST services have their own CSP application, with all calls being routed through a Dispatch class.  

I've come across an architecture issue recently, and am trying to assess the options I have.  At present, we encode a call to a class which takes in an OID and returns the Stream to the browser.  In the current application, this request is encoded using %CSP.Page.Encrypt, which performs the encryption and decryption of the string using the %session.Key.  This won't work for the new setup, since the REST service creates and destroys the session automatically, so the string can't be decrypted

My current thinking of my choices ar

Last answer 5 January 2017 Last comment 5 January 2017
0   0 2
259

views

0

rating