Encryption of Intercepted Payload
In some jurisdictions, the agencies may mandate that the CC and IRI content for an intercept must be encrypted as per the specifications in Annex G of the ETSI TS 102 232-1 standard.
From OpenLI 1.1.1 onwards, collectors are now able to perform this encryption for all supported intercept types. To enable this capability, two additional configuration options must be provided when adding the intercept to the provisioner:
- payloadencryption -- the encryption method to use when encrypting payload content. If not specified or set to none, no encryption is performed for this intercept.
- encryptionkey -- the key to use when encrypting payload content. The encryption key SHOULD be provided by the agency that is requesting the intercept.
The supported payload encryption methods are:
- aes-192-cbc
- none
More encryption methods may be added upon request.
Note that these options must be specified on a per-intercept basis, i.e. each encrypted intercept should have its own unique encryption key.
Do not enable encryption for an intercept unless explicitly requested by the agency.
An encryption key should be 24 bytes (or characters) in length. If the provided key is shorter than 24 bytes, OpenLI will use null bytes to pad the key to the full length. If the provided key is longer, OpenLI will truncate the key to the first 24 bytes.
Our preferred testing software, tracepktdump, will by default not attempt to decrypt encrypted payload and simply dump the encrypted bytes to the terminal.
However, you may provide tracepktdump with the encryption key by setting the LIBWANDDER_ETSILI_DECRYPTION_KEY environment variable to the hexadecimal ASCII representation of the encryption key prior to running tracepktdump. The tool will then use this key to try and decrypt the encrypted container and display it to you as conventional ETSI encoded payload.
For example, if your encryption key was abcdef, then you should run export LIBWANDDER_ETSILI_DECRYPTION_KEY=616263646566 before using tracepktdump. 61 is the hex ASCII representation of a, 62 is b and so on.
Use your preferred search engine to search for ascii hex table to find a full list of hex representations for the different ASCII characters.
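The hex conversion and the 24-byte padding and truncation rule described above can be checked before a key is configured. The following is an added example, not part of OpenLI or libwandder; the function names are hypothetical and the sample key is the constructed value from this page.

```shell
#!/bin/sh
# Added example: helpers for checking an OpenLI payload encryption key.
# Function names are hypothetical; they are not part of OpenLI.

KEY_LEN=24   # key length this page gives for aes-192-cbc

# Hex ASCII representation of the key as typed, the form this page shows
# for LIBWANDDER_ETSILI_DECRYPTION_KEY (abcdef -> 616263646566).
key_to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Key length in bytes rather than characters, since the limit is in bytes.
key_bytes() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Report how OpenLI will treat a key of this length, per this page:
# shorter keys are padded with null bytes, longer keys are truncated.
key_status() {
    n=$(key_bytes "$1")
    if [ "$n" -eq "$KEY_LEN" ]; then
        echo "ok"
    elif [ "$n" -lt "$KEY_LEN" ]; then
        echo "short: padded with $((KEY_LEN - n)) null bytes"
    else
        echo "long: truncated, last $((n - KEY_LEN)) bytes ignored"
    fi
}

# Hex of the 24 bytes used as the key after padding or truncation.
effective_key_hex() {
    hex=$(key_to_hex "$1")
    pad=$(printf "%0$((KEY_LEN * 2))d" 0)
    printf '%s' "$hex$pad" | cut -c1-$((KEY_LEN * 2))
}

# Constructed sample key (the example value from this page), not a real key.
sample="abcdef"
echo "status: $(key_status "$sample")"
echo "effective key: $(effective_key_hex "$sample")"
echo "export LIBWANDDER_ETSILI_DECRYPTION_KEY=$(key_to_hex "$sample")"
```

A "short" or "long" status means the key in use differs from the key as typed, which is worth confirming with the agency that supplied it.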