cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1068
Views
11
Helpful
4
Replies

Content Encryption

Hi there,

first of all: Great job with creating RADKit. I've looked through almost all of the available content including the videos that you have online. And I think it's the perfect way of providing remote support for the more sophisticated use cases including API and CLI usage.

My question though is regarding the security and encryption of the commands and it's results itself. In the FAQ it says that everything is encrpted in transport as well as at rest. Does that mean that all data is also encrypted while passing the forwarder? And data cannot be decrypted there? Are we talking about a real end-to-end encrypted session?

Thank you!

Christian

1 Accepted Solution

Accepted Solutions

Frederic Detienne
Cisco Employee
Cisco Employee

We are in flux.

At the moment (19 July 2022), RADKit encrypts everything to/from AWS. We have our own certificates and public keys set up there and perform 2-way authentication with ECDH (sessions keys are unique and unrecoverable). We still decrypt at the AWS load balancer and re-encrypt on the way down.

By October 2022, we are planning to have full end-to-end encryption. We needed to figure out how to make it really secure and understandable by customers (not super-complex, no false sense of security). In that mode the to/from (client  and radkit service IDs) will still be in a clear-text header (for routing and audit trail reasons) but the data will be fully encrypted and that would be unrecoverable by the cloud service.

- Fred from the RADKit team

View solution in original post

4 Replies 4

Frederic Detienne
Cisco Employee
Cisco Employee

We are in flux.

At the moment (19 July 2022), RADKit encrypts everything to/from AWS. We have our own certificates and public keys set up there and perform 2-way authentication with ECDH (sessions keys are unique and unrecoverable). We still decrypt at the AWS load balancer and re-encrypt on the way down.

By October 2022, we are planning to have full end-to-end encryption. We needed to figure out how to make it really secure and understandable by customers (not super-complex, no false sense of security). In that mode the to/from (client  and radkit service IDs) will still be in a clear-text header (for routing and audit trail reasons) but the data will be fully encrypted and that would be unrecoverable by the cloud service.

- Fred from the RADKit team

Hello Frederic,

thank you very much for the response and details. I will take a closer look at RADKit, do some lab work and so on. And I am looking forward to the full content encryption at a later point.

Christian

Wonderful! In the meantime, please consider a joint experiment with us. <nudge>

We will be happy to align RADKit-trained TAC engineers to crunch some real problems and test automations with you.

- Fred from the RADKit team

Frederic Detienne
Cisco Employee
Cisco Employee

Hi Christian,

I just realized I did not follow up after the feature became available. RADKit now offers end-to-end encryption on top of end-to-cloud-to-end encryption.

In brief,  a fully distinct TLS session is created between RADKit Client and RADKit Service with a completely independent set of Diffie-Hellman-negotiated ephemeral keys. The cloud only now sees binary blobs that it cannot decrypt.

Hope this helps!

- Fred from the RADKit team