Transact encryption framework
The Ephesoft Transact encryption framework enables Transact to encrypt/decrypt the data persisted in XML files and index files during batch processing. This feature secures data from any unauthorized access.
In order to achieve encryption/decryption capabilities, Transact maintains encryption/decryption keys at the following levels:
- Application Level Key
- Batch Class Level Key
- Batch Instance Level Key
- Fuzzy Index
- Lucene Index Key
- Test KV Key
- Test Classification Key
- Test-Advance KV Key
- Test-Table Key
Key features
The Transact encryption framework has the following key features.
- Every application is identified by a unique key.
- All the data persisted in HOCR.xml, Batch.xml and index files is stored on disk in encrypted form to prevent unauthorized access to critical data during processing.
- All the learned samples and learned index files are regenerated whenever the encryption algorithm changes.
- Changing the batch class key without changing the encryption algorithm does not affect the learned files, so they are not regenerated in that case.
- A batch class can be imported either with its existing keys or by generating a new key from the UI.
- Only an authorized user can decrypt the encrypted Batch.xml file using the web service API. An authorized user is one who belongs to the groups/roles assigned to the batch class on which batches are processed.
- No batch can be decrypted on an application other than the application on which it was processed.
- Only a super admin can change the encryption key of a batch class.
Assumptions
- Application Key should be generated before applying the encryption algorithm on a batch class.
- The user needs to make a change in the Scripting plugin for the plugin execution.
Hashing algorithm
Keys are generated by applying a hashing algorithm to the data available for key generation.
Key length | Hashing algorithm |
---|---|
128 | MD5 |
256 | SHA-256 |
Encryption algorithm
The AES algorithm is the backbone of the Transact encryption framework and is used to encrypt and decrypt the data. The super admin can choose either the AES-128 or the AES-256 algorithm. Transact employs the AES-256 cipher, which is an NSA Type 1 approved algorithm (suitable for classified national security information).
Application level key—The crux of encryption
The application level key concept is very similar to a digital signature or a digital certificate, which uniquely identifies an application/entity/organization/individual. The application level key in Transact uniquely identifies an application belonging to a customer.
The key (identity) provided for the application key is used as a secure password for all the keystores generated throughout the process. The application level key is responsible for validating that the keys/keystores used throughout the application belong to a particular application. Keys/keystores belonging to a particular application will not work on any other, unauthorized application.
This key is also responsible for authentication during Batch XML decryption: Batch XML cannot be decrypted outside the authorized application, so an unauthorized application cannot decrypt Batch XML belonging to another application.
Levels of secret keys
Level | Location | Mechanism | Key length |
---|---|---|---|
Application | <Shared-Folders>/ephesoft-key-store-file/ephesoft.keystore | Can be generated only once from the UI. | 128 |
Batch Class | <Batch-Class-folder>/ephesoft-key-store-file/ephesoft.keystore | Configurable from the UI. | 128/256 |
Batch Instance | <ephesoft-system-folder>/<Batch-Instance-ID-Folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
Fuzzy-DB Index | <Batch-Class-Folder>/<fuzzy-index-folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
Lucene Key | <Batch-Class-Folder>/<lucene-search-classification-sample>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
Test KV | <Batch-Class-Folder>/<test-KV-Folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
Test Advance KV | <Batch-Class-Folder>/<test-Advance-KV-Folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
Test Classification | <Batch-Class-Folder>/<test-Content-Classification-Folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
Test Table | <Batch-Class-Folder>/<test-table>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
Error messages
Example error messages | Probable cause |
---|---|
Key store file doesn't exist. | One of the keys required for encryption/decryption does not exist. |
Keys required for generating the dynamic key doesn't exist | Either the application key or the Batch Class Key required for generating the dynamic key does not exist. |
Backup and recovery
So that data can be recovered if the application key is lost, it is recommended to store the application key file on a secure storage device. It is also recommended to secure the keystore file's unique password (key_password) from the encryption_key_metdata table in the DB.
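
An audit built on the key-level table and the backup advice above, as an added example (not Ephesoft code): it checks that the application and batch class keystores exist at the documented relative path, inventories the dynamically generated keystores beneath each batch class folder, flags files accessible to group or others, and records a SHA-256 digest for a backup manifest. Only the `ephesoft-key-store-file/ephesoft.keystore` path comes from this page; the root folders passed in, the sample folder names and the POSIX permission check are assumptions.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Relative keystore location shared by every level in the table above.
KEYSTORE_REL = Path("ephesoft-key-store-file") / "ephesoft.keystore"

def audit_keystores(shared_root, batch_class_dirs):
    """Check the two configured keystores plus any derived ones found on disk."""
    required = [("Application", Path(shared_root) / KEYSTORE_REL)]
    required += [("Batch Class", Path(d) / KEYSTORE_REL) for d in batch_class_dirs]
    seen = {p for _, p in required}
    # Fuzzy index, Lucene and test-folder keystores live below the batch class folder.
    derived = [("Derived", p) for d in batch_class_dirs
               for p in sorted(Path(d).rglob(str(KEYSTORE_REL))) if p not in seen]
    findings = []
    for level, path in required + derived:
        if not path.is_file():  # the condition behind "Key store file doesn't exist."
            findings.append({"level": level, "path": str(path), "status": "MISSING"})
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))  # assumed hygiene rule
        findings.append({
            "level": level, "path": str(path),
            "status": "EXPOSED" if exposed else "OK",
            "mode": oct(mode),
            # Digest for the backup manifest, so a restored copy can be verified.
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        })
    return findings

def build_sample_tree(root):
    """Constructed layout; folder names other than KEYSTORE_REL are made up."""
    root = Path(root)
    layout = {"shared": 0o600, "BC1": 0o644, "BC1/fuzzy-index": 0o600}
    for folder, mode in layout.items():
        ks = root / folder / KEYSTORE_REL
        ks.parent.mkdir(parents=True)
        ks.write_bytes(b"constructed keystore bytes: " + folder.encode())
        ks.chmod(mode)
    (root / "BC2").mkdir()  # batch class whose keystore is missing
    return root / "shared", [root / "BC1", root / "BC2"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_keystores(*build_sample_tree(tmp)):
            print(f["status"], f["level"], f["path"])
```

The manifest holds only digests and paths, so it can be kept with ordinary operational records while the keystore copies themselves go to the secure storage device.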