We are facing the following issue while moving a database from one server to another.
Data Migration and Encryption Issue:
Findings:
I performed a data migration from one database to another. I took a dump of the original database from the server and created a new database locally on my system. The database contained the tables eg_enc_symmetric_keys and eg_enc_asymmetric_keys, which hold the encryption keys associated with the tenant_id.
I connected the eg_enc_service to the new database and started the service. However, when the egov_user service called egov_enc_service internally for decryption of user data, it resulted in an error: "unknown error while decryption of data." The logs of egov_enc_service indicated that the error occurred due to a "key not found in the database."
Upon investigation, I found that the key used for encrypting the user data was not present in the database. I compared the data in eg_enc_symmetric_keys and eg_enc_asymmetric_keys from the new database with the original and discovered discrepancies. I truncated the tables and reinserted the data from the original database.
After restarting the service and performing user actions, the same error persisted in egov_user: "unknown error while decryption of data." The error in egov_enc_service now indicated a "Tag Mismatch."
I investigated the "Tag Mismatch" error and discovered that encryption and decryption require matching keys. In our case, either the keys changed, or the ciphertext may have been corrupted. The user data, such as username, name, mobile number, email, and guardian, is stored in an encrypted form. Each piece of data is separated by '|' into key_id and cipherText. The cipherText is used for encryption and decryption.
Here’s an example of the data received for decryption by the egov_user service:
Request received for decryption: [
{guardian=993502|g69qhURa5teh1Hg1XbA7gf1mQ+hV2w==,
username=993502|6Luu5oe//ulJoa0iCllPEuWTmMWa7aO2HSU=,
mobileNumber=993502|6Luu5oe//ulJoa0iCllPEuWTmMWa7aO2HSU=,
name=993502|g69qhURa5teh1Hg1XbA7gf1mQ+hV2w==,
emailId=993502|seD1n9rhqaZe+regIq2Zc/HKl2+6nAWHpPdcYg==}
]
The key_id in the data matches the key_id present in eg_enc_symmetric_keys, but the cipherText used for decryption is causing errors.
Upon further analysis, I found that the encryption service works as follows: When the service connects to a new database and starts, it deletes the existing tables and creates new ones, generating new keys. The database is not used for key matching; instead, the keys are stored in memory in a HashMap. For encryption and decryption, the service fetches data from memory rather than the database. Keys are decrypted and decoded using Base64 and matched before being stored in memory. If the keys do not match, a "Tag Mismatch" error occurs.
Despite changing the data in the table and restarting the service, the "Tag Mismatch" error persists.
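As an added example (not eGov's code, and not the project's actual wire format), this Go snippet models the two failure modes described above: a field of the form `key_id|cipherText` is resolved against an in-memory key map and opened with AES-GCM, so an absent key_id surfaces as "key not found" while a key that was regenerated after the ciphertext was produced surfaces as a tag mismatch. It assumes AES-128-GCM with the payload laid out as base64(nonce||ciphertext||tag); the key length, the payload layout and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// KeyStore stands in for the service's in-memory HashMap of key_id -> raw AES key.
type KeyStore map[string][]byte
var ErrKeyNotFound = errors.New("key not found")
var ErrTagMismatch = errors.New("tag mismatch: wrong key or corrupted ciphertext")

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a bad key length is a programming error in this model
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Encrypt returns "key_id|base64(nonce||ciphertext||tag)"; that payload layout is an assumption.
func Encrypt(key []byte, keyID string, plaintext []byte) string {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce per record
	return keyID + "|" + base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil))
}

// Decrypt splits on '|', resolves key_id from memory (not the database) and authenticates the payload.
func Decrypt(ks KeyStore, field string) ([]byte, error) {
	keyID, b64, _ := strings.Cut(field, "|")
	key, ok := ks[keyID]
	if !ok {
		return nil, ErrKeyNotFound
	}
	gcm := gcmFor(key)
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < gcm.NonceSize() {
		return nil, errors.New("payload is not valid base64 or is truncated")
	}
	if pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil); err == nil {
		return pt, nil
	}
	return nil, ErrTagMismatch
}
```

Running a few copied records through Decrypt with keys loaded from the migrated eg_enc_symmetric_keys table separates the two cases before the service is cut over.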