07-18-2022 12:06 PM
Hi there,
first of all: Great job with creating RADKit. I've looked through almost all of the available content including the videos that you have online. And I think it's the perfect way of providing remote support for the more sophisticated use cases including API and CLI usage.
My question though is regarding the security and encryption of the commands and its results itself. In the FAQ it says that everything is encrypted in transport as well as at rest. Does that mean that all data is also encrypted while passing the forwarder? And data cannot be decrypted there? Are we talking about a real end-to-end encrypted session?
Thank you!
Christian
07-19-2022 03:13 AM - edited 07-19-2022 03:14 AM
We are in flux.
At the moment (19 July 2022), RADKit encrypts everything to/from AWS. We have our own certificates and public keys set up there and perform 2-way authentication with ECDH (session keys are unique and unrecoverable). We still decrypt at the AWS load balancer and re-encrypt on the way down.
By October 2022, we are planning to have full end-to-end encryption. We needed to figure out how to make it really secure and understandable by customers (not super-complex, no false sense of security). In that mode the to/from (client and radkit service IDs) will still be in a clear-text header (for routing and audit trail reasons) but the data will be fully encrypted and that would be unrecoverable by the cloud service.
07-19-2022 03:25 AM
Hello Frederic,
thank you very much for the response and details. I will take a closer look at RADKit, do some lab work and so on. And I am looking forward to the full content encryption at a later point.
Christian
07-19-2022 03:54 AM
Wonderful! In the meantime, please consider a joint experiment with us. <nudge>
We will be happy to align RADKit-trained TAC engineers to crunch some real problems and test automations with you.
03-20-2023 02:03 AM
Hi Christian,
I just realized I did not follow up after the feature became available. RADKit now offers end-to-end encryption on top of end-to-cloud-to-end encryption.
In brief, a fully distinct TLS session is created between RADKit Client and RADKit Service with a completely independent set of Diffie-Hellman-negotiated ephemeral keys. The cloud only now sees binary blobs that it cannot decrypt.
Hope this helps!
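The design described in this thread (a clear-text to/from header for routing, with the payload encrypted under ephemeral Diffie-Hellman keys so the relay only sees opaque blobs) can be sketched as follows. This is an added example, not RADKit code and not part of the original posts: RADKit uses a TLS session, whereas this sketch uses raw X25519 with AES-256-GCM, and the function names, header format and simplified KDF are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newSession: ephemeral X25519 -> AES-256-GCM. Assumption: peer keys are authenticated elsewhere.
func newSession(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("demo-e2e-v1"), shared...)) // simplified KDF for the demo
	block, _ := aes.NewCipher(key[:])                              // cannot fail: key is 32 bytes
	return cipher.NewGCM(block)
}

// seal encrypts the payload; the clear-text routing header is bound in as AAD, so open fails if it changes.
func seal(g cipher.AEAD, header, payload []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, payload, header)
}

func open(g cipher.AEAD, header, blob []byte) ([]byte, error) {
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("short blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], header)
}

// demo runs client -> relay -> service; relayHeader is the header as the relay forwards it.
func demo(relayHeader string) (string, error) {
	c, _ := ecdh.X25519().GenerateKey(rand.Reader) // client ephemeral key
	s, _ := ecdh.X25519().GenerateKey(rand.Reader) // service ephemeral key
	gc, _ := newSession(c, s.PublicKey())
	gs, _ := newSession(s, c.PublicKey())
	blob := seal(gc, []byte("from=client-id;to=service-id"), []byte("show version")) // constructed sample
	pt, err := open(gs, []byte(relayHeader), blob)
	return string(pt), err
}

func main() {
	fmt.Println(demo("from=client-id;to=service-id"))
}
```

The relay holds neither private key, so it can route on the header but cannot derive the session key; a header rewritten in transit makes decryption fail at the service instead of being silently accepted.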