Algorithms

Algorithm Configuration

The following start options are used to configure the security algorithms:

Transition Algorithms (1. June 2017)

  • Signature:
    • Hashfunction:SHA256 / SHA512
    • Signature procedure: sha256RSA / sha512RSA
  • Encryption
    • Content-Encryption: AES-128 CBC or AES-192 CBC
  • Key-Encryption: RSAES-PKCS1-v1_5

Use these JAVA_OPTS:

  • -Dsigning_algorithm=SHA256WITHRSA or SHA512WITHRSA
  • -Dcontent_encryption_algorithm=AES128_CBC or AES192_CBC
  • -Dkey_encryption_algorithm=rsaEncryption

New Algorithms (1. Jan 2018)

  • Signature:
    • Hashfunction (Hash algorithm): SHA-256 or SHA-512
    • Signature procedure (Signature algorithm): RSASSA-PSS
  • Encryption:
    • Key encryption: RSAES-OAEP (with hash function SHA-256)
    • Content encryption: AES-128 CBC oder AES-192 CBC

Use these JAVA_OPTS:

  • -Dcontent_encryption_algorithm (Default: AES128_CBC)
  • -Dkey_encryption_algorithm (Default: id_RSAES_OAEP)
  • -Dsigning_algorithm (Default: SHA256withRSAandMGF1)

Specific Algorithms for specific Recipients

You can configure different algorithms for different recipients. Recipients are distinguished by their certificate-alias (usually ILN/Mail).

Instead of defining a single algorithm, use the following syntax:

content_encryption_algorithm=Algo1:[alias1,alias2];Algo2:alias3;Algo3

In this example for recipients alias1/alias2 the algorithm Algo1 is used. For recipient with alias2 the algorithm Algo2 is used. For all other recipients Algo3 is used.

Specification:

The property value (right side of equal sign) is a list of algorithm-alias assignments, separated by ;.

An assignment is a pair of algorithm and aliases, divided by :. The aliases are optional. An algorithm without aliases is used as fallback value. If no fallback is specified, the default values are used as fallback.

The aliases are a list of at least one alias, separated by ,. The list can be enclosed by [ ].

This syntax works for content_encryption_algorithm, key_encryption_algorithm, signing_algorithm.

Don’t be confused when configuring the signing algorithm: You configure the algorithm to be be used for signing of outbound messages, thus the signature by your system/sender. However the configuration is based on the partner/recipient.

View Me   Edit Me