About the BIRT default encryption plug-in
BIRT’s default encryption algorithm is implemented as a plug-in named:
Table 44‑1 shows the location of this plug-in folder in the supported BIRT environments.
Table 44‑1 Locations of the default encryption plug-in folder
Font configuration file folder location
BIRT Designer Professional
About supported encryption algorithms
Two different cryptographic methods, private-key and public-key encryptions, solve computer security problems. Private-key encryption is also known as symmetric encryption. In private-key encryption, the sender and receiver of information share a key that is used for both encryption and decryption. In public-key encryption, two different mathematically related keys, known as a key pair, are used to encrypt and decrypt data. Information encrypted using one key can only be decrypted by using the other member of the key pair. The BIRT default encryption plug‑in supports the following algorithms within these two methods:
*Private-key encryption
*DES is the Digital Encryption Standard as described in FIPS PUB 46‑2 at http://www.itl.nist.gov/fipspubs/fip46‑2.htm. The DES algorithm is the most widely used encryption algorithm in the world. This algorithm is the default encryption that BIRT uses.
*DESede, triple DES encryption
Triple-DES or DESede is an improvement over DES. This algorithm uses three DES keys: k1, k2, and k3. A message is encrypted using k1 first, then decrypted using k2, and encrypted again using k3. This technique is called DESencryptiondecryptionencryption. Two or three keys can be used in DESede. This algorithm increases security as the key length effectively increases from 56 to 112 or 168.
*Public-key encryption supports the RSA algorithm
RSA uses both a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key.
About the components of the BIRT default encryption plug‑in
The BIRT default encryption plug-in consists of the following main modules:
*encryption.properties file
About acdefaultsecurity.jar
This JAR file contains the encryption classes. The default encryption plug‑in also provides key generator classes that can be used to create different encryption keys.
About encryption.properties
This file specifies the encryption settings. BIRT loads the encryption type, encryption algorithm, and encryption keys from the encryption.properties file to do the encryption. The file contains pre‑generated default keys for each of the supported algorithms.
You define the following properties in the encryption.properties file:
*Encryption type
Type of algorithm. Specify one of the two values, symmetric encryption or public encryption. The default type is symmetric encryption.
*Encryption algorithm
The name of the algorithm. You must specify the correct encryption type for each algorithm. For the symmetric encryption type, BIRT supports DES and DESede. For public encryption type, BIRT supports RSA.
*Encryption mode
In cryptography, a block cipher algorithm operates on blocks of fixed length, which are typically 64 or 128 bits. Because messages can be of any length, and because encrypting the same plaintext with the same key always produces the same output, block ciphers support several modes of operation to provide confidentiality for messages of arbitrary length. Table 44‑2 shows all supported modes.
Table 44‑2 Supported encryption modes
No mode
Cipher Block Chaining Mode, as defined in the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) PUB 81, “DES Modes of Operation,” U.S. Department of Commerce, Dec 1980
Cipher Feedback Mode, as defined in FIPS PUB 81
Electronic Codebook Mode, as defined in FIPS PUB 81
Output Feedback Mode, as defined in FIPS PUB 81
Propagating Cipher Block Chaining
*Encryption padding
Because a block cipher works on units of a fixed size, but messages come in a variety of lengths, some modes, for example CBC, require that the final block be padded before encryption. Several padding schemes exist. The supported paddings are shown in Table 44‑3. All padding settings are applicable to all algorithms.
Table 44‑3 Supported encryption paddings
No padding.
Optimal Asymmetric Encryption Padding (OAEP) is a padding scheme that is often used with RSA encryption.
The padding scheme described in RSA Laboratories, “PKCS #5: Password-Based Encryption Standard,” version 1.5, November 1993. This encryption padding is the default.
The padding scheme defined in the SSL Protocol Version 3.0, November 18, 1996, section
*Encryption keys
Actuate provides pre‑generated keys for all algorithms.
Listing 44‑1 shows the default contents of encryption.properties.
Listing 44‑1 Default encryption.properties
#message symmetric encryption , public encryption.
type=symmetric encryption
#private encryption: DES(default), DESede
#public encryption: RSA
# NONE , CBC , CFB , ECB( default ) , OFB , PCBC
# NoPadding , OAEP , PKCS5Padding( default ) , SSL3Padding
#For key , support default key value for algorithm
#For DESede ,DES we only need to support private key
#private key value of DESede algorithm : 20b0020…
#private key value of DES algorithm: 527c2qI
#for RSA algorithm , there is key pair. you should support private-public key pair
#private key value of RSA algorithm: 30820…
#public key value of RSA algorithm: 30819…
#private key
#public key
META-INF/MANIFEST.MF is a text file that is included inside a JAR to specify metadata about the file. Java’s default ClassLoader reads the attributes defined in MANIFEST.MF and appends the specified dependencies to its internal classpath. The encryption plug‑in ID is the value of the Bundle-SymbolicName property in the manifest file for the encryption plug‑in. You need to change this property when you deploy multiple instances of the default encryption plug‑in, as described later in this chapter. Listing 44‑2 shows the contents of the default MANIFEST.MF.
Listing 44‑2 Default MANIFEST.MF
Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: Actuate Default Security Plug-in
Bundle-SymbolicName: com.actuate.birt.model.defaultsecurity;singleton:=true
Bundle-Version: <release><version>
Require-Bundle: org.eclipse.birt.report.model,
Export-Package: com.actuate.birt.model.defaultsecurity.api
Bundle-ClassPath: acdefaultsecurity.jar
Bundle-Vendor: OpenText Corporation
Eclipse-LazyStart: true
Bundle-Activator: com.actuate.birt.model.defaultsecurity.properties.SecurityPlugin
Bundle-RequiredExecutionEnvironment: JavaSE-1.6
About plugin.xml
plugin.xml is the plug-in descriptor file. This file describes the plug‑in to the Eclipse platform. The platform reads this file and uses the information to populate and update, as necessary, the registry of information that configures the whole platform. The <plugin> tag defines the root element of the plug‑in descriptor file. The <extension> element within the <plugin> element specifies the Eclipse extension point that this plug-in uses, org.eclipse.birt.report.model.encryptionHelper. This extension point requires a sub‑element, <encryptionHelper>. This element uses the following attributes:
The qualified name of the class that implements the interface IEncryptionHelper. The default class name is com.actuate.birt.model.defaultsecurity.api.DefaultEncryptionHelper.
The unique internal name of the extension. The default extension name is jce.
The field indicating whether this encryption extension is the default for all encryptable properties. This property is valid only in a BIRT Designer Professional environment. When an encryption plug-in sets the value of this attribute to true, BIRT Designer Professional uses this encryption method as the default to encrypt data. There is no default encryption mode in iHub and Information Console. The encryption model that BIRT uses supports implementing and using several encryption algorithms. The default encryption plug‑in is set as default using this isDefault attribute. If you implement several encryptionHelpers, set this attribute to true for only one of the implementations. If you implement multiple encryption algorithms and set isDefault to true to more than one instance, BIRT treats the first loaded encryption plug‑in as the default algorithm.
Listing 44‑3 shows the contents of the default encryption plug‑in’s plugin.xml.
Listing 44‑3 Default plugin.xml
<?xml version="1.0" encoding="UTF-8"?>
<?eclipse version="3.2"?>
name="default encryption helper"
extensionName="jce" isDefault="true" />