Encryption Properties

From DOC

A chain of encryption algorithms are used to protect a document. This article starts with a description of the secret key used to protect a document which must itself be protected and ends with the user password which is only know to the user and never stored.

The properties that are used to control these encryption steps are listed along with their default values.

Contents 1 Document Signatures 2 Document Encryption and Decryption 3 DocumentSecretKey Protection 4 AccountPrivateKey Protection 5 AccountSecretKey Protection 6 UserPrivateKey Protection

Document Signatures

Document signatures are based on hashing algorithms, which are protected using an asymmetric encryption algorithm.

tolven.security.doc.signatureAlgorithm=SHA1withRSA

Document Encryption and Decryption

Documents are encrypted and decrypted using a DocumentSecretKey based on a symmetric key algorithm.

The following algorithms are used to encrypt and decrypt documents, and to sign them. The kbe in the properties below stands for key-based encryption as opposed to pbe or password-based encryption, because the DocumentSecretKey is protected by a PrivateKey

tolven.security.doc.kbeKeyAlgorithm=DESede
tolven.security.doc.kbeKeyLength=112

DocumentSecretKey Protection

The DocumentSecretKey, which encrypts a document, needs to itself be protected. This is done by encrypting the DocumentSecretKey with an AccountPublicKey, which is based on an asymmetric encryption algorithm. The AccountPublicKey is associated with an account, and thus all documents in that account are indirectly protected by it. In order to decrypt a document, users require the corresponding AccountPrivateKey, to gain access to the DocumentSecretKey. Note that, in this case, it is the DocumentSecretKey which is used for bulk encryption, while the AccountPublicKey is used to protect it.

tolven.security.account.privateKeyAlgorithm=RSA
tolven.security.account.keyLength=1024

AccountPrivateKey Protection

Users in an account need access to the AccountPrivateKey in order to be able to decrypt documents in the account. Since users can belong to many accounts, they have access to many AccountPrivateKeys, each associated with an AccountUser. An AccountSecretKey is used to encrypt the AccountPrivateKey and thus protect it. The following algorithms are used in Tolven by default.

tolven.security.accountUser.kbeKeyAlgorithm=DESede
tolven.security.accountUser.kbeKeyLength=112

AccountSecretKey Protection

A user can only be given access to an AccountSecretKey, if they have a means to protect it. The UserPublicKey is used to encrypt the AccountSecretKey, and the following properties determine the algorithm and key length used. Note that, in this case, it is the AccountSecretKey which is used for bulk encryption, while the UserPublicKey is used to protect it.

tolven.security.user.privateKeyAlgorithm=RSA
tolven.security.user.privateKeyLength=1024

UserPrivateKey Protection

Users have a UserPrivateKey, which is used to protect their copy of AccountPrivateKeys. It can also be used for personalized encryption, as well as signing documents. The UserPrivateKey is protected using Password-Based Encryption (PBE), a SecretKey, which is associated with the user's password. The following properties are used to protect the UserPrivateKey.

tolven.security.user.pbeKeyAlgorithm=PBEWithMD5AndDES
tolven.security.user.passwordSaltLength=8
tolven.security.user.passwordIterationCount=20