Encryption Key Management
OIDG was developed and tested using GNU Privacy Guard (GPG), with digital signatures on request files in addition to encryption and decryption. For more information on GnuPG, please go here. From the GPG installation directory, the GPG command line interface is used to generate asymmetric key pairs; each pair consists of a public key and a private key. Both the client and host companies need an asymmetric key pair to share files safely with each other.
The key pair is used as follows:
- The Public key is used for file encryption and for verifying digital signatures. As the name suggests, this key can be shared.
- The Private key is used for file encryption, decryption and creating digital signatures. This key should never be shared.
In order to do its own encryption, decryption, and creation and validation of digital signatures when processing incoming and outgoing files, OIDG needs to be configured with the client’s public key(s) and the host’s public and private key(s). Please see the OIDG installation guide for details on how to configure the system to use asymmetric file encryption.
Client companies that send and receive files with an OIDG hosted system should encrypt, or encrypt and sign, their files before sending them, and should expect to receive encrypted, or encrypted and signed, files from the host company. These are the guidelines a client company should follow:
- The client company should generate their own asymmetric key pair using a tool like GPG.
- The client will need to export their public key to a public key file to be shared with the OIDG host company. The private key should not be shared.
- The client will need to send the public key file to the OIDG host company. This can be done through email or upload to an FTP server made available by the host company.
- The host company will need to import the client’s public key file into their GPG installation.
- The key ID for this public key will need to be entered into the OIDG configuration by the host company. The host company will have to configure their OIDG deployment to know about the client company. Part of this configuration is identifying the encryption and decryption key IDs to use when sending data to and receiving data from the client. The folder locations used to send and receive files for a specific client for a specific transaction type are generically called “endpoints”. The public key IDs will need to be entered on the endpoint definitions that represent these folders. The key ID is captured on an endpoint property called ‘GPGUserKeyId’. This is described in the OIDG Portal User Guide.
- The key ID is used by OIDG to look up the actual public encryption key from the public key file that was imported into the GPG installation.
- OIDG will use the client’s public encryption key to encrypt the notification and error report files that will be sent back to the client.
- The client company will need to use its private key to decrypt the encrypted files it receives from OIDG, and the host company’s public key to validate the digital signature.
A company hosting OIDG and expecting to send and receive files with OIDG should encrypt, or encrypt and sign, their files before sending them, and should expect to receive encrypted, or encrypted and signed, files from the client company. These are the guidelines a host company should follow:
- The host company should generate their own asymmetric key pair using a tool like GPG.
- The host will need to export their public key to a public key file to be shared with the OIDG client company. The private key should not be shared.
- The host will need to send the public key file to the OIDG client company. This can be done through email or upload to an FTP server made available by the client company.
- The client company will need to import the host company’s public key file into their GPG installation.
- When the client company prepares a file to send to the host, the file needs to be signed using the client company’s private key and encrypted with the host company’s public encryption key.
- Once the host company receives an encrypted file from the client, it will use the client’s public key to validate the signature and its own private encryption key to decrypt the file.
- During system deployment, OIDG needs to be configured to know about the host company. During this setup, a file transfer endpoint definition is created that captures a password called the GPG passphrase if the GPG digital signature is enabled. This passphrase is needed to retrieve the private key from the key file stored in the GPG installation.
- When processing file requests, OIDG will look up the passphrase from its host company endpoint configuration and use it to retrieve the host company’s private encryption key from the GPG install. It will then use that private key to decrypt the request file which will then be sent on for further processing.