Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide a secure way for register credential api #1759

Merged
merged 3 commits into from
Aug 21, 2024
Merged

Provide a secure way for register credential api #1759

merged 3 commits into from
Aug 21, 2024

Conversation

seokho-son
Copy link
Member

Register Credential Information

// @Description This API is used to register credential information securely. The client must encrypt the sensitive information using a hybrid encryption method before sending it to the server.
//
// The encryption process involves the following steps:
// 1. The client generates a random AES key.
// 2. The credential data is compressed using gzip.
// 3. The compressed data is encrypted using AES (Advanced Encryption Standard).
// 4. The AES key is then encrypted using the RSA public key obtained from the `GET /credential/publicKey` endpoint.
// 5. Both the encrypted AES key and the AES-encrypted data are sent to the server in the request payload.
//
// **Hashing and Encryption Details:**
// - **RSA Key Pair Generation:** The server generates an RSA key pair with a key size of 4096 bits. The RSA public key is used by the client to encrypt the AES key.
// - **AES Encryption:** AES encryption is used for the actual credential data, which is a symmetric encryption algorithm. AES-256 is recommended for this purpose.
// - **Hash Algorithm:** The RSA encryption process uses the SHA-256 hashing algorithm with OAEP (Optimal Asymmetric Encryption Padding) for enhanced security.
//
// **Request Body Structure:**
// - **credentialHolder**: The entity or user that holds the credential (e.g., "admin").
// - **providerName**: The name of the cloud provider (e.g., "aws", "gcp").
// - **credentialKeyValueList**: A list of key-value pairs where the value is encrypted using the AES key, and the AES key is encrypted using the RSA public key. The value should be base64 encoded before being included in the list.
// - **publicKeyTokenId**: The token ID associated with the RSA key pair, which was returned by the `GET /credential/publicKey` endpoint.

Example:

//
//	{
//	  "credentialHolder": "admin",
//	  "providerName": "aws",
//	  "credentialKeyValueList": [
//	    {
//	      "key": "ClientId",
//	      "value": "Base64Encoded(AES_Encrypted(ClientId))"
//	    },
//	    {
//	      "key": "ClientSecret",
//	      "value": "Base64Encoded(AES_Encrypted(ClientSecret))"
//	    }
//	  ],
//	  "publicKeyTokenId": "abcd1234"
//	}
//

@seokho-son seokho-son requested a review from yunkon-kim as a code owner August 21, 2024 13:26
@seokho-son
Copy link
Member Author

/approve

@github-actions github-actions bot added the approved This PR is approved and will be merged soon. label Aug 21, 2024
@cb-github-robot cb-github-robot merged commit 11537be into cloud-barista:main Aug 21, 2024
4 checks passed
@seokho-son
Copy link
Member Author

fyi @yunkon-kim

https://www.nsoftware.com/kb/entries/09051401

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

@yunkon-kim yunkon-kim Awaiting requested review from yunkon-kim yunkon-kim is a code owner

Assignees
No one assigned
Labels
approved This PR is approved and will be merged soon.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@seokho-son @cb-github-robot