Data Encryptor Component
Purpose
The encryption components provide out-of-the-box support for keeping pipeline data encrypted end to end, for situations where encrypting the network links between systems is not enough. For example, a pipeline may carry data that originates on System A, is routed through System B, and arrives on System C. In a basic pipeline the data is encrypted in transit between Systems A and B, and again between Systems B and C, but it is unencrypted during its brief stay on System B. If the information must remain protected while on System B, the pipeline author can use the built-in cryptography components to encrypt the data before it leaves System A and decrypt it only after it arrives on System C, so that System B handles nothing but ciphertext.
The encryption components work as a pair: an Encryptor and a Decryptor. Together they negotiate a secret encryption key that is used to protect the data shared between them. Once the negotiation is complete, data fed into the Encryptor is encrypted with the negotiated key and the ciphertext is output into the pipeline; when it arrives at the Decryptor it is decrypted with the same key and the plaintext is output into the pipeline.
Figure 1 - Block Diagram of the Encryption components showing how they connect and the types of data passing between their input and output channels.
Function
The Encryptor component encrypts data with an authenticated symmetric encryption algorithm and outputs the ciphertext to the pipeline for later decryption by a Decryptor component. For this to work, the Encryptor and Decryptor must hold the same encryption key. That key is generated and agreed using the Diffie-Hellman key exchange, with the key agreement messages carried on the negotiate channel. Note that a Diffie-Hellman exchange on its own keeps the agreed key secret from a passive observer of the negotiate channel but does not by itself authenticate either end; this page does not describe how the paired components verify each other's identity, so the integrity of the pipeline links that carry the negotiate channel is part of the security boundary.
If a signal arrives on the Renegotiation Channel, the Diffie-Hellman Key Exchange algorithm is triggered again, and a new key is negotiated with the Decryptor. During this renegotiation phase, data will continue to be encrypted by the Encryptor using the previously negotiated key. Once the renegotiation is complete, the Encryptor will switch keys and encrypt all subsequent data using the new key.
Because the key negotiation happens out of band from the data flow, the Encryptor adds the ID of the key it used to the outgoing object's Tags, so each piece of data carries a record of which key it was encrypted with. This is always the ID of the most recently completed negotiation: while a renegotiation is in progress, outgoing data is still encrypted with, and tagged with the ID of, the previous key.
To protect the integrity of the encrypted data it emits, the Encryptor uses an authenticated encryption (AEAD) algorithm such as AES-GCM, so that a Decryptor rejects ciphertext that was modified in transit instead of emitting corrupted plaintext.
Data Governance
The output data item of the Encryptor component is registered as being derived from its input data item.
Input Channels
negotiate — Handles the receipt of DHNegotiationObject from the Decryptor.
renegotiation — Receipt of a SignalData object triggers a new key negotiation.
default — Handles the RawData that is to be encrypted. The RawData is encrypted, tagged as encrypted data, and output on the default Output Channel. If no key has been negotiated yet, the data is rejected rather than passed through unencrypted; it can be submitted again once the negotiation has finished.
Output Channels
negotiate — Sends DHNegotiationObject instances down the pipeline to the matching Decryptor instance. This Output Channel must be connected to the negotiate Input Channel of the paired Decryptor.
default — Outputs RawData objects containing the encrypted input data. The RawData objects are tagged to indicate that they are encrypted and which key was used to encrypt them; all tags that were on the input RawData object are carried over.
Parameters
keyLength — (int, Default: 128) The size of the encryption key, in bits, to use when encrypting data. It must be a size the configured cipher supports (for AES: 128, 192 or 256) and must match the value configured on the paired Decryptor.
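The negotiation, key switching, tagging and rejection behaviour described under Function, together with the channel descriptions and the keyLength parameter above, as an added worked example in Go. This is illustrative code written for this page, not the component's own implementation, and it makes several assumptions the page does not state: the Diffie-Hellman exchange is done with X25519 (elliptic-curve Diffie-Hellman from Go's crypto/ecdh), the DHNegotiationObject is modelled as the raw public-key bytes, the AES-GCM key and the key ID are derived from the shared secret with an HKDF-style HMAC-SHA512 step under a made-up label, and the tag names Encrypted and KeyID, the type names RawData and Peer, and all function names are hypothetical. Both ends are modelled by the same Peer type: the Encryptor calls StartNegotiation and sends the result on its negotiate output channel, the Decryptor does the same and sends its half back, and each side then calls Complete with what it received.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"maps"
)

// RawData models a pipeline item: a payload plus its Tags.
type RawData struct {
	Payload []byte
	Tags    map[string]string
}

// Peer is one end's state: the in-flight negotiation, the ID of the key used for
// new encryptions, and every key negotiated so far (older IDs must still decrypt).
type Peer struct {
	keyBytes int // keyLength / 8; 16 for the default keyLength of 128
	pending  *ecdh.PrivateKey
	current  string
	keys     map[string]cipher.AEAD
}

func NewPeer(keyLength int) *Peer {
	return &Peer{keyBytes: keyLength / 8, keys: map[string]cipher.AEAD{}}
}

// StartNegotiation makes a fresh X25519 pair and returns its public half (the
// DHNegotiationObject). The current key stays in use until Complete runs.
func (p *Peer) StartNegotiation() ([]byte, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	p.pending = priv
	return priv.PublicKey().Bytes(), nil
}

// Complete takes the peer's public half and switches to the new key. One
// HMAC-SHA512 block keyed by the shared secret (a one-block HKDF-Expand) gives
// the AES key in bytes [0:keyBytes] and the key ID in bytes [32:40], so the ID
// never overlaps key material. Both sides must call StartNegotiation first.
func (p *Peer) Complete(peerPublic []byte) error {
	peerPub, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return err
	}
	shared, err := p.pending.ECDH(peerPub)
	if err != nil {
		return err
	}
	m := hmac.New(sha512.New, shared)
	m.Write([]byte("encryptor-key-v1")) // hypothetical label, not from the page
	km := m.Sum(nil)
	block, err := aes.NewCipher(km[:p.keyBytes])
	if err != nil {
		return err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	id := hex.EncodeToString(km[32:40])
	p.keys[id], p.current, p.pending = aead, id, nil
	return nil
}

// Encrypt is the default input channel: with no key yet the item is rejected, not
// forwarded in the clear. Output keeps the input tags and adds Encrypted and KeyID;
// the ID is also bound in as associated data, so relabelling fails authentication.
func (p *Peer) Encrypt(in RawData) (RawData, error) {
	aead, ok := p.keys[p.current]
	if !ok {
		return RawData{}, errors.New("rejected: no key negotiated yet")
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return RawData{}, err
	}
	tags := map[string]string{}
	maps.Copy(tags, in.Tags)
	tags["Encrypted"], tags["KeyID"] = "true", p.current
	return RawData{Payload: aead.Seal(nonce, nonce, in.Payload, []byte(p.current)), Tags: tags}, nil
}

// Decrypt selects the key by the KeyID tag, so items encrypted under the old key
// that were still in flight when a renegotiation finished still decrypt.
func (p *Peer) Decrypt(in RawData) ([]byte, error) {
	id := in.Tags["KeyID"]
	aead, ok := p.keys[id]
	if !ok || len(in.Payload) < aead.NonceSize() {
		return nil, errors.New("unknown key ID or malformed payload")
	}
	ns := aead.NonceSize()
	return aead.Open(nil, in.Payload[:ns], in.Payload[ns:], []byte(id)) // fails if tampered or relabelled
}
```

Points worth noticing: Encrypt fails closed before any key exists; after StartNegotiation is called a second time (the renegotiation signal), Encrypt keeps using and tagging the previous key until Complete installs the new one; the Decryptor keeps every negotiated key and picks one by the KeyID tag, so items in flight across a key switch still decrypt; and because the key ID is passed to AES-GCM as associated data, a ciphertext relabelled with a different key ID fails authentication rather than being tried under the wrong key. Two things a production component would add: retiring old keys once in-flight data has drained, and renegotiating well before the random-nonce limit of AES-GCM (on the order of 2^32 messages per key) is reached. The example also does nothing to authenticate the peer, which is the caveat noted under Function.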