Overview
Document encryption in Mosel
Encryption and decryption of documents are achieved by cipher algorithms. Ciphers can be of two kinds: symmetric ciphers use the same encryption key to perform the encryption and decryption tasks while asymmetric ciphers require one key to execute the encryption and another one for the decryption. In mmssl, symmetric ciphers are made available through the crypt I/O driver (Section Driver crypt): the encryption key (the size of which depends on the cipher) is automatically generated based on some given passphrase (either input from an external file or directly in the file name specification). The implementation of the crypt driver allows the user to select which specific cipher algorithm it should use (for instance AES, DES or IDEA).
For asymmetric encryption, mmssl relies on the RSA cryptographic system. For the RSA algorithm, a key (RSAgenkey) consists of two components: a public part that is usually distributed to the individuals with whom documents are to be exchanged and a private part that must be kept secret by the owner of the key (this private key also includes the public key). In this framework, a document encrypted using a public key (RSApubencrypt) can only be decrypted with the corresponding private key (RSAprivdecrypt). Moreover, the key pair can also be used for signing documents: the electronic signature of a document is created with a private key (msgsign) and the corresponding public key is used to verify this signature (msgverify). Since only the owner of the private key can create the signature, the recipient has a guarantee on the origin of the document.
RSA keys are commonly stored as text files in the OpenSSL PEM standard format, this is also the most convenient representation for exchanging key information (RSAsavekey). In addition to this file format, mmssl can store a key in the form of a Mosel array of integers (RSAloadkey). By using this encoding a model may embbed keys or retrieve them from any of the usual model data sources.
The mmssl command
The module mmssl is distributed together with a command line tool of the same name as the module: mmssl. This program helps setting up an initial working environment and performs basic key and certificate operations directly from a shell (Unix) or command window (Windows). Running the mmssl program without any arguments will display a short help message, otherwise the following commands can be used:
- setup
- Check the configuration directory of mmssl and create it if necessary (see parameter ssl_dir)
- genkey keyfile [size]
- Generate a new RSA key pair of the specified size (default: 1024) and save it into keyfile.
- getpub keyfile keyfilepub
- Extract the public key of the private RSA key file keyfile and save it into keyfilepub
- chkkey keyfile [keyfile...]
- Check the validity of the provided key file(s)
- gencert certfile [prod=value...]
- Generate an X509 certificate using the provided properties (see x509newcrt for further detail)
- chkcert certfile [keyfile]
- Check the validity of the provided X509 certificate. If an additional private key file is provided, its compatibility with the certificate is also checked.
- list [digest|cipher]
- Display the list of supported message digests ( digest) or cipher algorithms ( cipher). Both lists are reported with the short form of the command.
Many procedures of the mmssl module require the availability of a configuration directory. To create and populate an initial setup it is recommended to run the following command before starting to use the module:
> mmssl setup
Note that the setup procedure is not destructive: if the configuration directory has already been created the command will only check its validity, add any missing components and suggest how to proceed in case of incorrect settings.