Versions Compared

Old Version 2

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

What:

Dovetail will provide a optional parameter "-e" ("–encrypt") for user to encrypt the test way to authenticate the integrity for both dovetail tool and report.

With this parameterapproach, dovetail will generate a report in cipher-text and a secret key in cipher-text together instead of a single plain-text report.generates a digital signature along with the plain-text report . Then the reviewer can use this signature to validate the integrity of the dovetail tool and the report. 

Why:

The report in plain-text is vulnerable from malicious attacks.If user want to secure their report and do not want the report be peeked at by any unexpected person,they can simply add this parameter into the command line, can be easily modified during storage and transportation.

Reviewer needs to make sure that the report is generated by a validated tool from the release and its result can not be modified to remove a failure or something like that.

Users do not need to know or learn any details about that how to encryptthis procedure.

How:

First make sure you get a RSA public key from whom will receive your report, may be it is a 3rd party certification authority.

The whole encryption and decryption workflow show as following:

  1. dovetail generate a report and a random secret key
  2. encrypt this report with this secret key by AES256 encryption algorithm
  3. encrypt this secret key with RSA public key by RSA encryption algorithm
  4. send encrypted report and secret key to your target receiver
  5. the receiver decrypt the secret key with his own RSA private key to get original secret key
  6. then receiver decrypt the report with this secret key to get the plain-text report

Image Removed1. proposal for container security:

Temporary test results in container can be modified as well, we can improve this by following: 

1) the upstream project to do authentication on themselves

2) setup a database, and the database is dedicated for dovetail results, people with no permit can not access the database

3) use the REST API of FUNCTEST/YARDSTICK with SSL to make sure that these results are just existing in secured transportation and saved to db, and then no one can touch them.

 

Image Added

Remark: It is optional to upload the result to remote db. When user want to "dry run" the test, then all results will be stored locally. So it's convenient for users to adjust/modify their platform for a better result.