LATEST VERSION: 8.2.8 - CHANGELOG
Pivotal GemFire® v8.2

Encrypt Credentials with Diffie-Hellman

Encrypt Credentials with Diffie-Hellman

For secure transmission of sensitive information, like passwords, you can encrypt credentials using the Diffie-Hellman key exchange algorithm.

This encryption applies only to client/server authentication - not peer-to-peer authentication.

You need to specify the name of a valid symmetric key cipher supported by the JDK. Valid key names, like DES, DESede, AES, and Blowfish, enable the Diffie-Hellman algorithm with the specified cipher to encrypt the credentials. For valid JDK names, see http://download.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA.

Before you begin, you need to understand how to use your security algorithm.

Enable Server Authentication of Client with Diffie-Hellman

Set this in property in the client’s gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration):
  • security-client-dhalgo. Name of a valid symmetric key cipher supported by the JDK, possibly followed by a key size specification.
This causes the server to authenticate the client using the Diffie-Hellman algorithm.

Enable Client Authentication of Server

This requires server authentication of client with Diffie-Hellman to be enabled. To have your client authenticate its servers, in addition to being authenticated:
  1. In server gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration), set:
    1. security-server-kspath. Path of the PKCS#12 keystore containing the private key for the server
    2. security-server-ksalias. Alias name for the private key in the keystore.
    3. security-server-kspasswd. Keystore and private key password, which should match.
  2. In client gemfire.properties (or gfsecurity.properties file if you are creating a special restricted access file for security configuration), set:
    1. security-client-kspasswd. Password for the public key file store on the client
    2. security-client-kspath. Path to the client public key truststore, the JKS keystore of public keys for all servers the client can use. This keystore should not be password-protected

Set the Key Size for AES and Blowfish Encryption Keys

For algorithms like AES, especially if large key sizes are used, you may need Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun or equivalent for your JDK. This enables encryption of client credentials in combination with challenge-response from server to client to prevent replay and other types of attacks. It also enables challenge-response from client to server to avoid server-side replay attacks.

For the AES and Blowfish algorithms, you can specify the key size for the security-client-dhalgo property by adding a colon and the size after the algorithm specification, like this:
security-client-dhalgo=AES:192
  • For AES, valid key size settings are:
    • AES:128
    • AES:192
    • AES:256
  • For Blowfish, set the key size between 128 and 448 bits, inclusive.