This document may not be reproduced in whole or in part without the written permission of GRAPH-TECH-USA, LLC (GTUS). GTUS reserves the right to make changes and improvements which may not be reflected in this documentation. While reasonable efforts have been taken in the preparation of this document to assure its accuracy, GTUS assumes no liability resulting from any errors in or omissions from this documentation or from the use of the information contained herein.
Doc-Track:
V1: Markus Portmann, November 29, 2011
AM121-Protected Server Encryption
Introduction
One of the most important requirements in a secure environment is that no data file goes out without being encrypted. In order to achieve that, the following procedure has been agreed upon in conjunction with the GT controller:
1) There is a secure server room which can only be accessed by 2 people at the same time.
2) The secure server will be connected to a device capable of reading a unique hardware key. This device is also in the secure room.
3) In the secure server, a software program called a protected server (pserver) will handle:
a. The communication to the secure hardware key which determines the 3DES keys.
b. The communication to a client program that will encrypt data record by record (encryptor).
c. The communication to a GT controller that will request the encrypted decryption key.
Configuration
Process
Clients communicate with pserver through TCP/IP sockets. Pserver shall start automatically when the server PC is switched on. The IP address or PC name is variable; the port number is 10051.
Please check the encryptor.c example to write your own client application, or try encryptor.exe in a DOS console on the controller. Type “encryptor -trace 0” and populate the data file.
As in all GT programs, you can add a trace in D:\editorGT\user\system\arguments.txt to see what is happening.
diskread -trace 0
Before you start the GT application, start CECO or a DOS console in D:\EditorGT\runtime\binary\release\central_controller.
Software
The communication between 2 PCs is in tcp/ip packets consisting of:
int packet_length;
struct PserverSocketStruct
The packet_length is the total length of what follows. In the worst case it is 4 bytes id, 4 bytes flag, 4 bytes len, 1001 bytes buffer = 1013 bytes. You can also cap the buffer to what is actually needed, so that fewer bytes are sent.
A package is:
Important: make sure the socket is declared as non-blocking.
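The following is an added example, not taken from encryptor.c or the GT sources: it frames and parses one packet as described above, returning "need more data" on a partial read (normal on a non-blocking socket) and rejecting inconsistent length fields before anything is copied. The field names, the on-wire field order as listed in the text, and little-endian byte order are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PS_HDR 12u      /* 4 bytes id + 4 bytes flag + 4 bytes len (from the text) */
#define PS_BUF 1001u    /* buffer capacity stated in the text */
/* Hypothetical field names; the real PserverSocketStruct is not shown here. */
typedef struct { int32_t id, flag, len; unsigned char buffer[PS_BUF]; } ps_packet;

static void put32(unsigned char *p, uint32_t v) {   /* assumed little-endian */
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Frame a packet with the buffer capped to len; returns bytes written, 0 on error. */
size_t ps_encode(const ps_packet *pk, unsigned char *out, size_t cap) {
    if (pk->len < 0 || (uint32_t)pk->len > PS_BUF) return 0;
    size_t total = 4 + PS_HDR + (size_t)pk->len;
    if (cap < total) return 0;
    put32(out, PS_HDR + (uint32_t)pk->len);   /* packet_length = what follows */
    put32(out + 4, (uint32_t)pk->id);
    put32(out + 8, (uint32_t)pk->flag);
    put32(out + 12, (uint32_t)pk->len);
    memcpy(out + 16, pk->buffer, (size_t)pk->len);
    return total;
}

/* Parse one packet from the bytes received so far. Returns bytes consumed,
   0 if more data is needed, -1 if the length fields are inconsistent. */
long ps_decode(const unsigned char *in, size_t avail, ps_packet *pk) {
    if (avail < 4) return 0;
    uint32_t plen = get32(in);
    if (plen < PS_HDR || plen > PS_HDR + PS_BUF) return -1;  /* reject before waiting */
    if (avail < 4 + (size_t)plen) return 0;
    uint32_t len = get32(in + 12);
    if (len > plen - PS_HDR) return -1;       /* len must fit in the bytes sent */
    pk->id = (int32_t)get32(in + 4); pk->flag = (int32_t)get32(in + 8);
    pk->len = (int32_t)len;
    memset(pk->buffer, 0, PS_BUF);
    memcpy(pk->buffer, in + 16, len);
    return (long)(4 + plen);
}

int main(void) {   /* constructed sample: one 5-byte record, round-tripped */
    ps_packet a = {7, 1, 5, "hello"}, b; unsigned char w[4 + PS_HDR + PS_BUF];
    return ps_decode(w, ps_encode(&a, w, sizeof w), &b) == 21 ? 0 : 1;
}
```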
Setup
Go to d:/editorGT/user/system/arguments.txt and add
diskread -hostIP 192.168.198.10
From now on, any time someone wants to start production of a 3DES file, diskread will request the key from the host. No key, no production.
Simulation with pserver.exe
Start the pserver in a DOS console in c:\pserver and type pserver -trace 0. You will see the output below, up to “Waiting for clients”.
To get the version type pserver -help
Start an example client in a DOS console in c:\pserver and type pserver -client. You will see the output below, up to “Open / Add rec / Close / request Key / Request status”. To open, enter O or o [Enter] and type in the file name [Enter], for example “123.3des”. Then press A or a to add sample records. Then type C or c [Enter] to close. You should now have a file in the location you specified.
This is just an example; you have to write the client for your own application.