Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
Dear encryption monks

A colleague and myself have written a collector tool (in perl of course!) that collects o/s data on customer systems. Another tool performs an analysis of this data, potentially directly by the customer. The output could however be sent to us for in-depth analysis and audit purposes.

I have been researching a method to enable the customer to encrypt the output files before they are sent to us, but I am not experienced in encryption and scared I might miss something important.

The output files are 15-30MB uncompressed, or 1-5MB compressed. Initially I thought it would make sense to provide my public RSA key to the code (via config file), and use that to encrypt the data. From what I read only using an asymmetric cipher would be very slow, but I then started reading about hybrid encryption techniques - which for my purposes would work something like this:

1. Collector tool generates a random new encryption key.
2. Output is encrypted using this key with a fast symmetric method i.e. Crypt::CBC(?).
3. The symmetric key from step 1 is encrypted with Crypt::RSA, using my public RSA key, which is at least 2048 bits.
4. The encrypted data and now secure symmetric key is transmitted by the customer, preferably by SFTP.
5. The symmetric key is decrypted by myself, the holder of the private RSA key.
6. Customer data can now be unencrypted using the symmetric key, which is now known.
7. Customer data is analysed.

Obviously, only the private RSA keyholder can unencrypt the output file, so by implication the automated analysis tool we provide cannot be used at the customer site once the output is encrypted. I now intend to provide a configurable option to allow a customer RSA key as well, so that the encryption can be used to switch to allow for local or remote analysis.

Also, do I need to encrypt and then compress, or compress and then encrypt?

Any monastry scrutiny would be appreciated!


In reply to Customer data encryption by 0xbeef

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?

What's my password?
Create A New User
Domain Nodelet?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (7)
As of 2022-12-01 18:07 GMT
Find Nodes?
    Voting Booth?