Digitally signed or sealed process task data


#1

We keep all process data in JSON. To increase the security level, the data (JSON) must be digitally signed/sealed, so that even database administrators who have access to the Camunda history tables cannot change the data (JSON) after the fact.

One option could be to use any external blockchain service (like https://guardtime.com/).
As a good result, we are looking for (or planning to develop) a Camunda plugin which would be responsible for signing each process task's data when the process task is completed.

Does anyone have such experience already?


#2

Hi,
In my experience there may be two aspects to what you want to achieve:

  1. Confidentiality - only those who need access to the data can see the data
  2. Integrity - tamper evident & non repudiation…

With regard to 1, encryption is the typical approach. This will likely apply to your process variables (and business data). I've seen two approaches to this.

If you use something like AWS RDS, then you can encrypt the database such that data at rest, e.g. backups, cannot be read without access to the encryption key. Access to the database by DBAs is audited rather than prevented.

The second approach is to perform application-layer encryption. In this case, your process tasks would encrypt and decrypt the data on each access. I've easily done this using client-side script in data entry forms and server-side script tasks. A credible JavaScript crypto library can be found here. The challenge here is managing the crypto keys. Again, a key management service like AWS KMS can be useful… In addition, this thread may be of interest.

With regard to 2, some approaches I've seen are to create a tamper-evident linked list in the audit/history table. Thus, for each history entry, perform a SHA256 hash of the entry's content plus the hash of the prior record and store it with the entry. More secure approaches use, say, an HMAC and/or an external timestamp service.

In the longer term, data encryption and a secure, tamper evident audit log would make useful feature requests…

regards

Rob


Process Variable Encryption (scripting)
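
The tamper-evident linked list described in post #2, using the HMAC variant, as an added example for Node.js (not code from any poster or from Camunda). The function names, the `GENESIS` value, the key and the sample task entries are all constructed for illustration; the key is assumed to live outside the database, for instance in a KMS.

```javascript
// Added example: HMAC-SHA256 hash chain over history entries (Node.js).
const crypto = require('crypto');

const GENESIS = '0'.repeat(64); // constructed starting value for the first link

// Canonical serialisation: sort object keys so equal data always hashes the same.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// MAC over the previous link plus this entry's content.
function link(key, prevMac, content) {
  return crypto.createHmac('sha256', key)
    .update(prevMac).update('\n').update(canonical(content)).digest('hex');
}

// Append an entry, storing its MAC alongside the content.
function append(chain, key, content) {
  const prev = chain.length ? chain[chain.length - 1].mac : GENESIS;
  chain.push({ content, mac: link(key, prev, content) });
  return chain;
}

// Returns the index of the first entry that fails verification, or -1 if intact.
function firstBadIndex(chain, key) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const expected = Buffer.from(link(key, prev, chain[i].content), 'hex');
    const stored = Buffer.from(String(chain[i].mac), 'hex');
    if (stored.length !== expected.length ||
        !crypto.timingSafeEqual(stored, expected)) return i;
    prev = chain[i].mac;
  }
  return -1;
}

// Constructed sample data: three completed tasks of one process instance.
function demo() {
  const key = Buffer.from('constructed-demo-key-keep-real-keys-in-a-KMS');
  const chain = [];
  append(chain, key, { task: 'review', approved: true, amount: 100 });
  append(chain, key, { task: 'approve', approved: true, amount: 100 });
  append(chain, key, { task: 'payout', amount: 100 });
  const intact = firstBadIndex(chain, key);
  chain[1].content.amount = 9000; // simulated direct edit of a history row
  return { intact, tampered: firstBadIndex(chain, key) };
}
```

With a plain SHA256 chain, anyone who can write to the table can recompute every later hash after an edit; the keyed MAC prevents that only while the key stays out of the database. Deleting the newest rows is still not detected unless the latest MAC is also recorded somewhere outside the database, such as the external timestamp service mentioned above.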
#3

Hi Erki_Kriks, I am trying to export process data to JSON format.
How did you export all the process data to JSON, please? Please see my post below:

Thanks!


#4

Referencing back to the post by @Erki_Kriks, as a much simpler solution to your problem that is built into Java:

https://docs.oracle.com/javase/8/docs/api/java/security/SignedObject.html

You can set up a third-party service that you use to get the Private Key or do the signing and return the SignedObject object, and store that object as a process variable.

You could sign/wrap every process variable or just do a final JSON object at the end of the process that wraps everything into a single SignedObject that represents your stored state.


#5

Here is some code we used previously when doing the RSA Encryption: Process Variable Encryption (scripting)

SignedObject Snippet:

// Loads a PKCS#8 (DER-encoded) RSA private key from a file on disk.
function loadPrivateKey(fileNamePath, setGlobal){
  var keyBytes = java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(fileNamePath))
  var spec = new java.security.spec.PKCS8EncodedKeySpec(keyBytes)
  var kf = java.security.KeyFactory.getInstance("RSA")
  var privateKey = kf.generatePrivate(spec)
  
  // Sets the global variable for Private Key usage
  if (setGlobal == true){
    PRIVATE_KEY = privateKey
  }
  return privateKey
}

// Reads an environment variable of the JVM running the engine.
function getEnvVar(variableName){
  return java.lang.System.getenv(variableName)
}

// BPM_PRIVATE_KEY holds the path to the key file, not the key material itself.
loadPrivateKey(getEnvVar('BPM_PRIVATE_KEY'), true)

var SignedObject = Java.type('java.security.SignedObject')
var Signature = Java.type('java.security.Signature')
var signingEngine = Signature.getInstance('SHA256withRSA');

// Wraps a Serializable object together with its SHA256withRSA signature.
function signObject(objectToSign, privateKey) {
  var signedObject = new SignedObject(objectToSign, privateKey, signingEngine)
  return signedObject
}

// Sample data to sign.
var myJsonJs = {
  "someKey1": "someValue1",
  "someKey2": [
    {
      "someInnerKey1": "someInnerValue1"
    },
    {
      "someInnerKey2": "someInnerValue2"
    }
  ]
}
var myJsonSpin = S(JSON.stringify(myJsonJs))
// Sign the JSON string and store the SignedObject as a process variable.
var mySignedObject = signObject(myJsonSpin.toString(), PRIVATE_KEY)
execution.setVariable('signedObject', mySignedObject)




#6

I updated the RSA repo to show the usage of SignedObject.

See the ./source/rsaSignedObject.js file for full working code and example usage. The Readme was also updated.


#7

Hi Joao!

In our project, we do not export or import data to JSON.
The data itself is already in a JSON variable from the beginning.

Erki