Encrypt contents of channels - Mirth Community

#1
07-12-2017, 01:28 AM
dharrys
Encrypt contents of channels

Hello,
I am implementing a channel with a database writer. The writer will access the database of my application, so it needs to provide a database password.
Mirth stores the channel in its internal database, where the password of my database can be easily retrieved.
In general a potential hacker will be able to see how a channel works and this is a big security vulnerability.
Ideally I would like the channels to be encrypted when stored in the database (as data at rest). Is this supported? Is there another workaround?

Thanks
#2
07-12-2017, 10:52 PM
dharrys
Encrypt contents of channels

Hello,
When a channel is saved it is stored at rest in Mirth's internal database. The channel contents, like the receiver, the destination and the JavaScript code (if any), can be easily read by simply editing the relevant database files located in the appdata directory. So, a hacker can easily read the channel.

In my case I need a database writer that will save personal private data in the medical application's database. The data will be encrypted and there will be a channel with a JavaScript that will contain an encryption key and db password.

So if someone steals the server, he could simply open the channel, find out the password and encryption key, and read the medical database. Is there a method to fill this security hole? Ideally, I would like the channel contents to be encrypted when saved on Mirth's db. Since the Mirth admin is password protected they couldn't (easily) read the channels.

I have been through all the Mirth relevant security options, like encrypting message contents etc., but haven't found something about this issue.

Thanks a lot
#3
07-13-2017, 08:39 AM
kirbykn2

I was unable to find a configuration setting for this encryption.

Can this be done at the JDBC driver level?
__________________
Kirby

Mirth Certified|Epic Bridges Certified|Cloverleaf Level 2 Certified

Appliance Version 3.11.2
Mirth Connect Version 3.6.1
Java Version 1.6.0_45-b06
Java (64 bit) Version 1.6.0_45-b06
Java 7 (64 bit) Version 1.7.0_151-b15
Java 8 (64 bit) Version 1.8.0_121-b13
PostgreSQL Version 9.6.3
#4
07-13-2017, 12:43 PM
cbarlow

If they can hack your Mirth Database, wouldn't they also be able to hack the Medical Database too? The purpose of a database is to have all the security needed. If they can get into your Mirth DB, they are going to get into the rest too. What DB are you running for Mirth?
#5
07-13-2017, 12:54 PM
dharrys

You mean to implement the database part in a Java library which should be obfuscated. It is a solution. The disadvantages are the much greater effort to implement/maintain, and I believe that Java code would be easier to reverse engineer, as the key in the Java code will not be really encrypted.

I would like to see the channels stored encrypted in a future Mirth version though. It should be a pretty easy add-on.

Thanks a lot for your suggestion, but are there any other workarounds?

Last edited by dharrys; 07-14-2017 at 12:16 AM.
#6
07-13-2017, 11:09 PM
dharrys

On my database I have the sensitive fields encrypted using 256 AES keys; if Mirth could do something similar it will be excellent.

Last edited by dharrys; 07-14-2017 at 12:16 AM.
#7
07-17-2017, 01:47 AM
siddharth

I think you should talk to your DBA and IT guys for this question. What cbarlow said is actually right. If you think mirthDB is vulnerable (which I doubt), the rest is vulnerable too.
#8
07-17-2017, 05:58 AM
dharrys

Thanks for your answer. Didn't want to go a lot on the insights, but if you open the database files with a simple editor (or Linux cat) you will be able to simply read the channels' content, like JavaScript code, without needing any Mirth or db password.

There are solutions like encrypting the complete disk, dividing the key to three parts etc., but if Mirth's db was also encrypted it would be a very simple and efficient solution. I would like some expert advice on how db encryption is handled when Mirth is involved. This should be a very common case for medical solutions.

Btw, after some research, the suggestion by kirbykn2 about obfuscating the code in a Java lib is not sufficient enough, as the key would still be readable.
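Post #8 mentions "dividing the key to three parts" as one alternative to encrypting the channel store. The sketch below is an added example, not code from the thread or from Mirth: it assumes that phrase means XOR secret splitting, where all three shares are required to rebuild the key, and the function names are hypothetical.

```python
"""XOR secret splitting of a key into three shares (added example)."""
import secrets
from functools import reduce
from typing import List

KEY_BYTES = 32  # 256-bit key, the size mentioned in post #6


def _xor(a: bytes, b: bytes) -> bytes:
    # Refuse mismatched lengths instead of silently truncating with zip().
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int = 3) -> List[bytes]:
    """Return `parts` shares; every one of them is needed to rebuild `key`."""
    if parts < 2:
        raise ValueError("need at least two shares")
    if not key:
        raise ValueError("key must not be empty")
    # parts-1 shares are pure randomness from the OS CSPRNG ...
    random_shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    # ... and the last share is the key XORed with all of them.
    last = reduce(_xor, random_shares, key)
    return random_shares + [last]


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR all shares together; a missing share yields unrelated bytes."""
    if len(shares) < 2:
        raise ValueError("need at least two shares")
    return reduce(_xor, shares)


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_BYTES)  # constructed sample key
    shares = split_key(key)
    print("all three shares rebuild the key:", combine_shares(shares) == key)
    print("two shares rebuild the key:", combine_shares(shares[:2]) == key)
```

The split only protects against the stolen-server case from post #2 if at least one share is kept off that machine; three shares stored side by side on the same disk are equivalent to the plaintext key.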

Tags
channel, contents, ecryption, encryption, securiry, security
