The mecevp streaming message encryption and decryption engine
updated Mon May 13 2024 by Robert van Engelen
The gSOAP mecevp engine encrypts and decrypts messages using the EVP interface of OpenSSL. It supports envelope encryption/decryption with public and private RSA keys and symmetric encryption with shared secret keys. Streaming and buffered message encryption modes are supported.
An encryption and decryption algorithm and mode is selected with one of the following:
where, in the above, AES256 can be replaced with AES128 or AES192.
Algorithm options:
The mecevp engine wraps the EVP API with four new functions:
All cipher data is written and read in base64 format.
A higher-level interface for message encryption/decryption in parts (such as individual XML elements) is defined by two new functions:
Compile all source codes with -DWITH_OPENSSL and link with ssl and crypto libraries.
Here is an example to encrypt a message while streaming it to the output. The example uses the public key of the recipient/reader of the message. The recipient/reader uses its private key to decrypt. Envelope encryption is used with SOAP_MEC_ENV_ENC_DES_CBC, which means an ephemeral secret key is generated and encrypted with the public key. This encrypted secret key should be communicated to the recipient/reader with the message to decrypt:
The example given above sends the output to stdout. To save the output in a string use the following in C:
With C++ you should use a string stream:
The decryption by the recipient/reader requires the ephemeral encrypted secret key generated by soap_mec_begin by the sender (as set above) to decrypt the message using envelope decryption with SOAP_MEC_ENV_DEC_DES_CBC.
The example given above reads the input from stdin. To read input from a string use the following in C:
With C++ you should use a string stream:
Note that the encrypted secret key can be sent in the clear or stored openly, since only the recipient/reader will be able to decode it (with its private key) and use it for message decryption.
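The envelope scheme described above (a fresh secret key per message, encrypted under the recipient's RSA public key and carried in base64 alongside the cipher data), as an added stand-alone illustration rather than gSOAP/mecevp code: it uses the third-party Python `cryptography` package, AES-256-CBC in place of the DES-CBC mode named above, and its padding choices (OAEP for the key wrap, PKCS7 for the message) are this example's own assumptions.

```python
# Added illustration of envelope encryption/decryption; not mecevp code.
# Assumes the 'cryptography' package; OAEP/PKCS7 padding are this example's choices.
import base64
import os
from cryptography.hazmat.primitives import hashes, padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import rsa, padding as asym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

_OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(hashes.SHA256()),
                          algorithm=hashes.SHA256(), label=None)


def make_recipient_key():
    """Recipient/reader generates an RSA key pair; only the public half is shared."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def envelope_encrypt(recipient_public_key, plaintext: bytes):
    """Sender side: returns (wrapped_key_b64, iv_b64, ciphertext_b64)."""
    session_key = os.urandom(32)          # ephemeral AES-256 key, never reused
    iv = os.urandom(16)                   # CBC requires a fresh IV per message
    padder = sym_padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(session_key), modes.CBC(iv)).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    # Only the holder of the private key can unwrap this, so it may be sent in the clear.
    wrapped_key = recipient_public_key.encrypt(session_key, _OAEP)
    b64 = base64.b64encode
    return b64(wrapped_key).decode(), b64(iv).decode(), b64(ciphertext).decode()


def envelope_decrypt(recipient_private_key, wrapped_key_b64, iv_b64, ciphertext_b64):
    """Recipient side: unwrap the session key with the private key, then decrypt."""
    b64d = base64.b64decode
    session_key = recipient_private_key.decrypt(b64d(wrapped_key_b64), _OAEP)
    dec = Cipher(algorithms.AES(session_key), modes.CBC(b64d(iv_b64))).decryptor()
    padded = dec.update(b64d(ciphertext_b64)) + dec.finalize()
    unpadder = sym_padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def roundtrip(message: bytes) -> bytes:
    """Constructed end-to-end run: encrypt to a new recipient key, then decrypt."""
    private_key = make_recipient_key()
    parts = envelope_encrypt(private_key.public_key(), message)
    return envelope_decrypt(private_key, *parts)
```

A party holding a different private key cannot unwrap the session key, which is why the wrapped key needs no further protection in transit.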
Symmetric encryption and decryption can be used if both parties can safely share a secret symmetric key that no other party has access to. We use SOAP_MEC_ENC_DES_CBC for encryption and SOAP_MEC_DEC_DES_CBC for decryption using a 160-bit triple DES key. You can also use AES128, AES192, AES256 ciphers.
Here is an example to encrypt a message using a shared secret key while streaming it to the output.
The decryption by the recipient/reader requires the same shared secret key to decrypt the message using envelope decryption with SOAP_MEC_DEC_DES_CBC. This key is secret and unencrypted, so it should never be shared with any other party besides the sender/writer and recipient/reader.