TLS and Password Encryption
Description
Knomi Face Matcher ships a tool that encrypts a password under a symmetric key.
The Nexa Face REST server can be started in TLS mode; for that the admin needs to provide a server certificate. This certificate may be created without a password or with one (strictly, the password protects the private key that is stored in the same PEM file as the certificate). If it was created with a password, the password can be given to the server either in plain text or in encrypted form.
The aw_knomi_encrypt_password tool creates the encrypted password from a symmetric key and the plain password. Besides its main output, the encrypted password, it also emits the initialization vector (IV) that was used. If the admin chooses to use the encrypted password with the TLS certificate, that IV and the same symmetric key must later be supplied together with the encrypted password, so that the server can decrypt it at start-up.
Example
If eg_symmetric_key.txt contains the symmetric key, for example the following string (although described as base64, this sample contains characters such as $, &, @ and ) that are outside the base64 alphabet; treat the key file as an opaque secret and copy it exactly):
mYq3t6w9z$C&F)J@NcRfUjWnZr4u7x!A%D*G-KaPdSgVkYp2s5v8y/B?E(H+MbQeThWmZq4t6w9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-KaPdSgVkYp3s6v9y$B?E(H+MbQeThWmZq4t7w!z%C*F)J@NcRfUjXn2r5u8x/A?D(G+KaPdSgVkYp3s6v9y$B&E)H@McQfThWmZq4t7w!z%C*F-JaNdRgUkXn2r5u8x/A?D(G+KbPeShVmYq3s6v9y$B&E)H@McQfTjWnZr4u7w!z%C*F-JaNdRgUkXp2s5v8y/A?D(G+KbPeShVmYq3t6w9z$C&E)H@McQfTjWnZr4u7x!A%D*G-JaNdRgUkXp2s5v8y/B?E(H+MbPeShVmYq3t6w9z$C&F)J@NcRfTjWnZr4u7x!A%D*G-KaPdSgVkXp2s5v8y/B?E(H+MbQeThWmZq3t6w9z$C&F)J@NcRfUjXn2r5u7x!A%D*G-KaPdSgVkYp3s6v9y/B?E(H+MbQeTh
Then, on Windows, the output in cmd might look like this:
$ aw_knomi_encrypt_password.exe --password-encryption-key eg_symmetric_key.txt --password "abc123"
password-encrypted=6yaSukaeQQ2yRv7m5qZZQA==
password-decryption-iv=uaxG9nLvGqkU0za20RZkKQ==
password-decryption-key=eg_symmetric_key.txt
The output lines can be copied as they are into the config file used to start the server, which might then look like this. Note that password-decryption-key is a path, so the server process needs read access to the key file at start-up, and anyone who can read both the config file and the key file can recover the password: the encrypted form protects the password against casual disclosure in the config file, not against an attacker with access to the host. Restrict read access to the key file, the config file and the combined PEM to the service account. Also, passing --password on the command line leaves the plain password in the shell history and makes it visible in process listings while the tool runs, so clear the history entry afterwards.
model-path=data
host=0.0.0.0
port=8086
log-config=face_matcher_log_config.ini
logged-image-path=images
certificate=<certificate name>
password-encrypted=6yaSukaeQQ2yRv7m5qZZQA==
password-decryption-iv=uaxG9nLvGqkU0za20RZkKQ==
password-decryption-key=eg_symmetric_key.txt
Usage of aw_knomi_encrypt_password tool
On Windows:
aw_knomi_encrypt_password.exe --password-encryption-key <file containing symmetric key> --password <plain password>
On Linux:
./aw_knomi_encrypt_password --password-encryption-key <file containing symmetric key> --password <plain password>
Using TLS certificate
TLS certificates can be obtained from any well-known certificate authority. For testing purposes ONLY, integrators can use a self-signed certificate.
mkcert and openssl can both be used to create such a certificate, with or without a password. The two differ in how trust is established: mkcert creates a local CA, installs it into the system and browser trust stores, and issues certificates signed by that CA, whereas openssl creates a truly self-signed certificate that every client has to be told to trust explicitly.
Windows
Install Chocolatey (the first line is Chocolatey's own bootstrap; it downloads a remote script and executes it with iex, so review https://chocolatey.org/install.ps1 before running it from an elevated PowerShell), then install mkcert, create and install the local CA, and issue a certificate for localhost:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
choco install mkcert
mkcert -install
mkcert localhost 127.0.0.1
This creates, for example, the following PEM files: the first contains the private key, the second the certificate.
localhost+1-key.pem
localhost+1.pem
Concatenate the two files into a new file, e.g. localhost.pem, with the content of the key file first and the certificate file second. localhost.pem is then ready to be used to start the REST server. Because it holds the unencrypted private key, restrict read access to it to the service account.
If the integrator wants a TLS certificate with a password, openssl can be used. OpenSSL can be installed in various ways; a Git for Windows installation also ships an openssl binary in its usr\bin directory. The following command asks for a PEM pass phrase, which encrypts the generated private key (this is the password the server will later need), and prompts for various metadata such as country, organization and common name:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
key.pem
cert.pem
Concatenate the key file first and then the certificate file into a new file, e.g. localhost.enc.pem. localhost.enc.pem is then ready to be used to start the REST server together with the password, either in plain text or in the encrypted form produced by aw_knomi_encrypt_password.
Linux
Set VER to the mkcert release to download first (see https://github.com/FiloSottile/mkcert/releases; fetch only from that repository, since the download is not otherwise authenticated), then create and install the local CA and issue a certificate for localhost:
wget -O mkcert https://github.com/FiloSottile/mkcert/releases/download/${VER}/mkcert-${VER}-linux-amd64
chmod +x mkcert
mkcert -install
mkcert localhost 127.0.0.1
This creates, for example, the following PEM files: the first contains the private key, the second the certificate.
localhost+1-key.pem
localhost+1.pem
Concatenate the two files into a new file, e.g. localhost.pem, with the content of the key file first and the certificate file second. localhost.pem is then ready to be used to start the REST server. Because it holds the unencrypted private key, restrict read access to it to the service account.
If the integrator wants a TLS certificate with a password, openssl can be used. The following command asks for a PEM pass phrase, which encrypts the generated private key (this is the password the server will later need), and prompts for various metadata such as country, organization and common name:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
key.pem
cert.pem
Concatenate the key file first and then the certificate file into a new file, e.g. localhost.enc.pem. localhost.enc.pem is then ready to be used to start the REST server together with the password, either in plain text or in the encrypted form produced by aw_knomi_encrypt_password.
If the integrator wants to create the certificate for the server's IP address instead of localhost, a config file such as the following cert_config.txt can be used (replace <server ip> with the actual address in both places):
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = MA
L = some_city
O = some_company
OU = some_unit
CN = <server ip>
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = <server ip>
Then pass this config file to openssl as in the following command. Because the IP address is listed in the certificate's Subject Alternative Name, clients on other machines can connect to the server by that IP; as the certificate is self-signed, each client still has to be configured to trust cert.pem explicitly. mkcert also accepts IP addresses as arguments, as the 127.0.0.1 in the commands above shows, if the local-CA approach is preferred.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -config cert_config.txt
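As an added example (not part of the Knomi/Nexa documentation or its tooling), the following POSIX shell script carries the openssl steps above through end to end for a server IP: it writes the request config, generates the password-protected key and the certificate, bundles them key-first into localhost.enc.pem, and checks the bundle before it is handed to the server (the key block really is encrypted, the IP is present in the SAN, and the key belongs to the certificate). It differs from the config above in two deliberate ways: keyUsage additionally carries digitalSignature, which the signature-based key exchanges of TLS 1.2 ECDHE and TLS 1.3 rely on, and the key password is taken from the CERT_PASS environment variable via openssl's -passout env: instead of an interactive prompt, so it never appears in a command line. The function names, the CERT_PASS variable and the sample IP 10.0.0.5 used in the checks are choices made for this example. The script also runs unchanged in Git Bash on Windows.

```sh
#!/bin/sh
# Added example, not part of the Knomi/Nexa documentation: create a server
# certificate for an IP address with openssl, encrypt the private key with a
# password taken from $CERT_PASS, bundle key + certificate into the single PEM
# the REST server expects, and verify the bundle before using it.
set -eu
umask 077   # every file written here is, or contains, a private key

# Write an openssl request config for the server IP. Same layout as the
# cert_config.txt above; keyUsage additionally carries digitalSignature, which
# the signature-based key exchanges of TLS 1.2 (ECDHE) and TLS 1.3 rely on.
write_cert_config() {
  ip="$1"; out="$2"
  cat > "$out" <<EOF
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = MA
L = some_city
O = some_company
OU = some_unit
CN = $ip
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = $ip
EOF
}

# Create key.pem (password-protected) and cert.pem in $dir. The key password is
# read from the CERT_PASS variable through "-passout env:", so it shows up
# neither in the command line nor in the shell history or a process listing.
make_cert() {
  dir="$1"; cfg="$2"
  : "${CERT_PASS:?set CERT_PASS to the private-key password}"
  openssl req -x509 -newkey rsa:4096 -days 365 -config "$cfg" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -passout env:CERT_PASS
}

# Key first, then certificate: the order the server's combined PEM requires.
bundle_pem() {
  cat "$1" "$2" > "$3"
}

# Verify a bundle: the key block is encrypted, the certificate's SAN lists the
# IP, and the key belongs to the certificate (same RSA modulus). The certificate
# block is cut out with sed so openssl never has to look at the encrypted key.
# Returns 0 when all checks pass, 1/2/3 on the first check that fails.
check_bundle() {
  bundle="$1"; ip="$2"
  grep -q 'ENCRYPTED' "$bundle" || { echo "private key is not encrypted" >&2; return 1; }
  certpem=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$bundle")
  text=$(printf '%s\n' "$certpem" | openssl x509 -noout -text)
  case "$text" in
    *"IP Address:$ip"*) ;;
    *) echo "subjectAltName does not contain $ip" >&2; return 2 ;;
  esac
  kmod=$(openssl rsa -in "$bundle" -noout -modulus -passin env:CERT_PASS)
  cmod=$(printf '%s\n' "$certpem" | openssl x509 -noout -modulus)
  [ "$kmod" = "$cmod" ] || { echo "private key does not match certificate" >&2; return 3; }
}

# End to end: write the config, create key + cert, bundle them, verify.
build_bundle() {
  ip="$1"; dir="$2"
  write_cert_config "$ip" "$dir/cert_config.txt"
  make_cert "$dir" "$dir/cert_config.txt"
  bundle_pem "$dir/key.pem" "$dir/cert.pem" "$dir/localhost.enc.pem"
  check_bundle "$dir/localhost.enc.pem" "$ip"
}

# From another machine, confirm the running server presents this certificate.
# Not exercised here because it needs a live server; port 8086 as in the config above.
check_remote() {
  openssl s_client -connect "$1:${2:-8086}" -CAfile "$3" -verify_return_error </dev/null
}

# Usage: CERT_PASS='...' sh make_server_cert.sh <server ip> [output dir]
if [ "$#" -gt 0 ]; then
  build_bundle "$1" "${2:-.}"
fi
```

The resulting localhost.enc.pem is what goes into the certificate= line of the server config, and CERT_PASS is the password that then has to be supplied in plain text or, via aw_knomi_encrypt_password, in encrypted form. Keep the checks in check_bundle as a pre-flight step: a key that was silently written unencrypted, or a SAN that does not match the address clients use, fails here rather than at the first client connection.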