DEOS

D-Box

A D-Box in D-RE is a component into which data may be stored by programs which are authenticated and authorized to have read/write access to the D-Box. The D-Box hashes the data passed to it with the MD5 algorithm, encrypts the hash value with an RSA private key of the D-Box, and stores both the data and the encrypted hash value. When another program retrieves the data from the D-Box, both the data itself and the encrypted hash value are returned to the program, and the program can verify the integrity of the data with the encrypted hash value and the RSA public key of the D-Box corresponding to the private key used to encrypt the hash value. Because the storage capacity of the D-Box is limited, the data to be stored in the D-Box must be carefully selected so that the storage is not exhausted.

A D-Box uses several RSA private keys to encrypt hash (digest) values of data stored in the D-Box so that other parties using the D-Box can verify the integrity of the data retrieved from the D-Box by recomputing the hash value and verifying it with the public key of the D-Box. A D-Box uses Public Key Infrastructure (PKI) for other parties using the D-Box to verify the validity of a public key of the D-Box.

An RSA private key may be installed into a D-Box as follows: A manufacturer of D-Boxes creates a pair consisting of an RSA private key and a public key for each D-Box. It will create a public key certificate for the public key which is signed with the public key certificate by the manufacturer itself, and which is obtained from a certificate authority (CA) or trusted third party (TTP), such as VeriSign. The manufacturer then creates a PKCS #12 file from the RSA private key and the corresponding public key certificate, and installs it in the D-Box. After the initial PKCS #12 file is installed, the D-Box generates RSA key pairs for signing log records. New RSA key pairs will be generated to avoid using the same key pair repeatedly.

A D-Box uses the HTTPS (TLS/SSL) protocol to receive log records and to authenticate the sender of the log records. After receiving a log record, the D-Box generates a hash (digest) value of the content of the log record interpreted as an octet string with MD5, encrypts the hash value with the latest private key among key pairs for signing of the D-Box, and stores the log record with the encrypted hash value.

A program which accesses log records from a D-Box retrieves both the log records and the encrypted hash values corresponding to the log records. It verifies that a log record has not been tampered with by computing the hash value of the retrieved log record and comparing it with the retrieved hash value decrypted with the public key corresponding to the private key used by the D-Box to encrypt the hash value.
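The store-and-verify round trip described above, including selection of the right public key after the D-Box has generated a new signing key pair, is sketched below as an added example; it is not D-Box source code. `DemoBox`, `make_key`, `verify`, the sample log lines and the Mersenne-prime demo keys are assumptions made for illustration, and the digest algorithm is a parameter because MD5, which the page specifies, no longer resists collisions.

```python
import hashlib

E = 65537  # public exponent shared by the demo keys

def make_key(p, q):
    """Build an RSA key from two primes; returns (n, d)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest_int(data, alg):
    return int.from_bytes(hashlib.new(alg, data).digest(), "big")

class DemoBox:
    """Hypothetical stand-in for a D-Box (not the project's code)."""

    def __init__(self):
        self.keys = []     # signing keys, oldest first; last one is "latest"
        self.records = []  # (data, encrypted_hash, key_id)

    def rotate(self, p, q):
        self.keys.append(make_key(p, q))

    def public_key(self, key_id):
        return self.keys[key_id][0], E

    def store(self, data, alg="md5"):
        n, d = self.keys[-1]
        # Unpadded RSA on the digest, mirroring "encrypts the hash value";
        # real deployments use a padded scheme (PKCS #1 v1.5 or PSS).
        enc_hash = pow(digest_int(data, alg), d, n)
        self.records.append((data, enc_hash, len(self.keys) - 1))
        return len(self.records) - 1

def verify(data, enc_hash, public_key, alg="md5"):
    """Recompute the digest and compare it with the decrypted stored value."""
    n, e = public_key
    return pow(enc_hash, e, n) == digest_int(data, alg)

def demo():
    box = DemoBox()
    # Constructed demo primes (Mersenne primes): valid RSA, publicly known.
    box.rotate(2**521 - 1, 2**607 - 1)
    first = box.store(b"2013-10-01 12:00:00 service started")
    box.rotate(2**1279 - 1, 2**2203 - 1)
    second = box.store(b"2013-10-01 12:05:00 service stopped")
    return box, first, second
```

Each stored record carries the index of the key that signed it, so a verifier can fetch the matching public key even after rotation; verifying with any other key, or against altered data, returns `False`.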

D-Box Server (Platforms in which operations are tested)

  • D-Box Server
    OS: Ubuntu 12.04.3 LTS, CentOS 6.4, Fedora 19
    Python 2.7 (In CentOS 6.4, Python 2.7 needs to be installed.)
    Python packages: PyASN.1 0.1.6, PyCrypto 2.6, PyQt 4.10.1
  • CLI Client
    OS: Ubuntu 12.04.3 LTS, CentOS 6.4, Fedora 19
    Python 2.7 (In CentOS 6.4, Python 2.7 needs to be installed.)
    Python packages: PyASN.1 0.1.6, PyCrypto 2.6
  • Web Browser
    Firefox (Version 20.0), Chrome (Version 26.0)

Download and Installation

Self-extracting installation program (D-Box 1.0.0) (Approximately 194 KB)

D-Box is installed by downloading and executing this file, which is a self-extracting installation program. By default, this installation program uses a Wizard (with Qt4) to accept parameters, such as HTTP and HTTPS ports. However, with the '--run-mode=cli' option, the D-Box will be installed in a console mode (without using Qt) with predefined parameters.

License

Copyright (c) 2012-2013 JST DEOS R&D Center

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
