Ephesoft Encryption Framework

Overview

This document explains the Ephesoft Encryption framework, which enables Ephesoft to encrypt and decrypt the data persisted in XML files and index files during batch processing. To provide these capabilities, Ephesoft maintains encryption/decryption keys at the following levels:

  1. Application Level Key
  2. Batch Class Level Key
  3. Batch Instance Level Key
  4. Fuzzy Index
  5. Lucene Index Key
  6. Test KV Key
  7. Test Classification Key
  8. Test-Advance KV Key
  9. Test-Table Key

Purpose

The Ephesoft Encryption framework enables Ephesoft to protect data against unauthorized access.

Key Features

  1. Every application is identified by a unique key.
  2. All data persisted in HOCR.xml, Batch.xml, index files, etc. is stored on disk in encrypted form to prevent unauthorized access to critical data during processing.
  3. All learned samples and learned index files are regenerated whenever the encryption algorithm changes.
  4. A change to the Batch Class Key that does not change the encryption algorithm does not affect the learned files, so they are not regenerated in that case.
  5. A Batch Class can be imported either with its existing keys or with a new key generated from the UI.
  6. Only an authorized user can decrypt the encrypted Batch.xml file using the web service API. An authorized user is one who belongs to the groups/roles assigned to the batch class on which the batches are processed.
  7. No batch can be decrypted on an application other than the one on which it was processed.
  8. Only a super admin can change the encryption key of a batch class.

Assumptions

  1. The Application Key should be generated before an encryption algorithm is applied to a batch class.
  2. The user needs to make a change in the Scripting plugin for the plugin execution.

Hashing Algorithm

Keys are generated by applying a hashing algorithm to the data available for key generation.

| Key Length | Hashing Algorithm |
|------------|-------------------|
| 128        | MD5               |
| 256        | SHA-256           |

 


Encryption Algorithm

The AES algorithm is the backbone of the Ephesoft Encryption framework and is used to encrypt and decrypt the data. The super admin can choose between the AES-128 and AES-256 bit algorithms. Ephesoft employs the "AES-256" cipher, which is an NSA Type 1 approved algorithm (suitable for classified national security information).


Application Level Key: The Crux of Encryption

The application level key concept is very similar to a digital signature or a digital certificate, which uniquely identifies an application/entity/organization/individual. The application level key in Ephesoft uniquely identifies an application belonging to a customer.

The key (identity) provided as the application key is used as a secure password for all the key stores generated throughout the process. In other words, the application level key validates that the keys/key stores used at the different stages of the application belong to that particular application: keys/key stores belonging to one application will not work on any other, unauthorized application.

This key is also responsible for authentication during Batch XML decryption, which prevents the Batch XML from being decrypted outside the authorized application (an unauthorized application cannot decrypt Batch XML belonging to another application).


Levels of Secret Keys

| Level | Location | Mechanism | Key Length |
|-------|----------|-----------|------------|
| Application | <Shared-Folders>/ephesoft-key-store-file/ephesoft.keystore | Can be generated only once from UI. | 128 |
| Batch Class | <Batch-Class-folder>/ephesoft-key-store-file/ephesoft.keystore | Configurable from UI. | 128/256 |
| Batch Instance | <ephesoft-system-folder>/<Batch-Instance-ID-Folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
| Fuzzy-DB Index | <Batch-Class-Folder>/<fuzzy-index-folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
| Lucene Key | <Batch-Class-Folder>/<lucene-search-classification-sample>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
| Test KV | <Batch-Class-Folder>/<test-KV-Folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
| Test Advance KV | <Batch-Class-Folder>/<test-Advance-KV-Folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
| Test Classification | <Batch-Class-Folder>/<test-Content-Classification-Folder>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
| Test Table | <Batch-Class-Folder>/<test-table>/ephesoft-key-store-file/ephesoft.keystore | Generated dynamically using Application Level Key and Batch Class Key. | Length of Batch Class Key. |
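
The hashing table and the "generated dynamically" rows above, as an added illustration (not Ephesoft's code): a key of the listed length is produced by hashing input data, and a dynamic key takes the length of the batch class key. The function names, the sample inputs and the way the two parent keys are combined are assumptions; the page does not specify them.

```python
import hashlib

# Key length in bits -> hashing algorithm, as listed in the page's table.
HASH_FOR_KEY_LENGTH = {128: "md5", 256: "sha256"}


def key_from_data(data: bytes, key_bits: int) -> bytes:
    """Hash key-generation data down to an AES key of key_bits bits."""
    if key_bits not in HASH_FOR_KEY_LENGTH:
        raise ValueError(f"unsupported key length: {key_bits}")
    return hashlib.new(HASH_FOR_KEY_LENGTH[key_bits], data).digest()


def derive_dynamic_key(app_key: bytes, batch_class_key: bytes) -> bytes:
    """Derive a dynamic key (batch instance, index and test levels).

    ASSUMPTION: the page only says the key is generated from the
    Application Level Key and the Batch Class Key and has the batch
    class key's length. The combination used here is illustrative.
    """
    key_bits = len(batch_class_key) * 8
    # Length-prefix each parent so ("ab", "c") and ("a", "bc") differ.
    material = b"".join(
        len(k).to_bytes(2, "big") + k for k in (app_key, batch_class_key)
    )
    return key_from_data(material, key_bits)


def demo() -> dict:
    # Constructed sample inputs, not real Ephesoft key material.
    app_a = key_from_data(b"constructed identity: customer A", 128)
    app_b = key_from_data(b"constructed identity: customer B", 128)
    bc_256 = key_from_data(b"constructed batch class secret", 256)
    return {
        "app_key_bits": len(app_a) * 8,
        "dynamic_key_bits": len(derive_dynamic_key(app_a, bc_256)) * 8,
        # Same batch class key on another application gives another key.
        "bound_to_application": derive_dynamic_key(app_a, bc_256)
        != derive_dynamic_key(app_b, bc_256),
    }


if __name__ == "__main__":
    print(demo())
```

A bare hash adds no entropy, so a key produced this way is only as strong as the data fed into it.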

 


Error Messages

| Example Error Message | Probable Cause |
|-----------------------|----------------|
| Key store file doesn’t exist. | One of the keys required for encryption/decryption doesn’t exist. |
| Keys required for generating the dynamic key doesn’t exist | The Application Key or the Batch Class Key required for generating the dynamic key doesn’t exist. |

 


Backup and Recovery

  1. To be able to recover the data if the application key is lost, it is recommended that the user store the application key file in a secure storage device.
  2. It is also recommended to secure the key store file's unique password (key_password) from the encryption_key_metdata table in the DB.
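
An added check, not part of the Ephesoft product or the original page: it walks the key store locations from the table above and reports missing key stores (the condition behind the error messages) and, on POSIX systems, key stores accessible to anyone other than the owner. The function name and the folder arguments are assumptions; pass the real paths of your installation.

```python
import stat
from pathlib import Path

# Relative location shared by every level in the page's table.
KEYSTORE_REL = Path("ephesoft-key-store-file") / "ephesoft.keystore"


def audit_keystores(shared_folders, batch_class_dirs):
    """Return sorted (path, issue) findings for the key stores on disk.

    shared_folders   -- the <Shared-Folders> directory (application key)
    batch_class_dirs -- iterable of <Batch-Class-folder> directories
    """
    findings = []
    stores = []

    app_ks = Path(shared_folders) / KEYSTORE_REL
    if app_ks.is_file():
        stores.append(app_ks)
    else:
        findings.append((str(app_ks), "application key store missing"))

    for bc in map(Path, batch_class_dirs):
        bc_ks = bc / KEYSTORE_REL
        if not bc_ks.is_file():
            findings.append((str(bc_ks), "batch class key store missing"))
        if not bc.is_dir():
            continue
        # The index and test levels keep their key stores in sub-folders
        # of the batch class folder, so search the whole tree.
        for ks in bc.rglob(KEYSTORE_REL.name):
            if ks.is_file() and ks.parent.name == KEYSTORE_REL.parent.name:
                stores.append(ks)

    for ks in stores:
        mode = ks.stat().st_mode
        # POSIX permission bits only; on Windows review the ACLs instead.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            issue = f"accessible beyond owner (mode {stat.S_IMODE(mode):o})"
            findings.append((str(ks), issue))

    return sorted(findings)
```

Running it before and after a backup shows whether the application key store and every batch class key store made it into the copy.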