Menu Path: View>Certificate and Key Manager...

Toolbar: >Certificate and Key Manager

Read Access Rights:

  • Log in to Rhapsody IDE

Write Access Rights:

  • Make changes with IDE
  • Edit certificates and keys 
  • Generate signed private keys 
  • Export SSL private keys
  • Export SSH private keys
  • Export symmetric keys
  • Export RPG private keys

The Certificate and Key Manager provides a single location where the security certificates and keys, used to encrypt messages processed by the Rhapsody engine, can be managed:

You can perform the following tasks from the Certificate and Key Manager:

Changes to existing certificates or keys are not automatically be picked up by any communication points or filters that reference them. The communication points or filters need to be reconfigured and restarted in order for changes to take effect.

Understanding Cryptography

Cryptography is the art of scrambling the contents of a message so only the sender and the intended recipient may read it. Encrypting a message can also guarantee to the recipient that the message has come from the specified sender and that the message contents have not been altered during transit by a third party.

There are two means of encrypting a message, both fully supported by Rhapsody.

  • Symmetric Cryptography - uses an algorithm to combine a plain text message with a secure key to produce an unreadable (cipher text) output. The same key is used in the reverse process of decrypting the message.
  • Asymmetric Cryptography - uses two keys, a public key (used to encode the original message and which is made available to everyone) and a private key (used to decrypt the enciphered message and which must be kept secret). The two keys are related in that a user's public key can be derived easily from his or her private key but obtaining them the other way round is computationally impractical. When asymmetric cryptography is used, the message sender uses the recipient's public key to encrypt the message; after transmission, the recipient uses their private key to decrypt the message. Because only the recipient knows his or her private key, only the recipient can decrypt the message.

Asymmetric encryption is considered significantly more secure than symmetric key encryption because of the way the key used to unlock an encrypted message is distributed. Because symmetric key encryption uses the same key to lock and unlock, the key itself must be transmitted to the recipient. This is not the case with asymmetric (public) key encryption: the key used to unlock the message - the recipient's private key - is never transmitted.

Secure Keys

A secure key is a hexadecimal number combined with the message in order to make it unreadable. The key length determines the strength of the encryption and is typically 40, 56, or 128 bit. The longer the key, the more secure the password, with a 40-bit key being approximately equivalent to a five-character password. Each time one bit is added to the key length, the required computing power or the time to break a key using brute force (trying every combination until the correct one is found) is doubled.

With asymmetric cryptography, the public key is the product of two randomly selected large prime numbers. The private key is the two primes. This method is secure because of the great mathematical difficulty in finding two prime factors of a very large number. The only known method is to check all possibilities one by one, which isn't practical because they have such a large number of primes. A 128-bit public key, for example, is a number between 1 and 340 million million million million million million and has a number of prime factors approximately equal to 3.8 million million million million million million (=2^128 / ln( 2^128 )). Even with enough computing power to check one trillion of these numbers a second, it would take more than 121,617,874,031,562,000 years to check them all. That's about 10 million times longer than the universe has existed so far.

Algorithms

An algorithm defines the steps followed by the software as it produces the encrypted file. Most algorithms are block algorithms, which encrypt data in discrete units called blocks, rather than as a continuous stream of bits. Typically a block size is 64k or 128k. Common examples include DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), CAST, and Skipjack.

If identical plain text blocks are encrypted with the same key, the resulting cipher text blocks are the same, which could be useful information to an attacker. To ensure such blocks are encrypted to different cipher text blocks, a cipher block mode must be specified. Common modes available in Rhapsody include CBC (Cipher Block Coding) and OFB/CFB (Output/Cipher Feed Back).

When a message to be encrypted is divided into blocks, it is unlikely that the final block will be the correct size. Padding schemes define how the final block is 'padded out' to reach the required size; the default used by Rhapsody is PKCS7. This method consists of a sequence of bytes, each of which is equal to the total number of padding bytes added. For example, if 24 bits (3 bytes) of padding needs to be added, the padding string is: 03 03 03.