Programming queries
STU SDK encryption
Q: How does the STU SDK handle encryption?
There are three levels of encryption:
- STU-300/500/520 - EncryptionHandler
- STU-430/530/540 - EncryptionHandler2
- STU-541 - TLS
EncryptionHandler handles the 300/500/520 encryption using a Diffie-Hellman key exchange and AES-128 encryption.
EncryptionHandler2 uses standard RSA key exchange (1024-2048 bit) with AES 128-256 bit encryption.
The key sizes and algorithms are fixed for each tablet.
Both handlers encrypt the pen data stream and both provide a level of protection to prevent replay attacks.
The EncryptionHandler and EncryptionHandler2 interfaces are there for the developer to provide the encryption implementation to the Tablet class.
The Tablet class sits on top of Interface and Protocol to provide a simpler interface suitable for most developer needs.
The Tablet class keeps track of whether the developer has enabled encryption (see startCapture() / endCapture()), what type of tablet is installed and which version of encryption is required.
All of this can also be done by hand, without the Tablet class, using only Interface and Protocol, though this is not recommended unless you have a very specific requirement which the Tablet class cannot handle.
The Tablet class only facilitates encryption between the developer application and the tablet; it contains no decoding capability itself.
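The flow described for EncryptionHandler (Diffie-Hellman agreement, then AES-128 on the pen data), as an added JavaScript example that is not Wacom's code or the SDK's interface. The class and function names, the modp14 group, the SHA-256 key derivation, the AES-128-GCM mode and the simulated tablet are all assumptions made for illustration.

```javascript
// Added example: names, DH group and message layout are assumptions, not the STU SDK API.
const crypto = require('crypto');

// Simulated tablet side: owns the DH parameters (p, g) and encrypts pen reports.
function makeTablet() {
  const dh = crypto.getDiffieHellman('modp14'); // constructed choice of group
  dh.generateKeys();
  return { dh, prime: dh.getPrime(), generator: dh.getGenerator(), publicKey: dh.getPublicKey() };
}

// Reject degenerate peer values (0, 1, p-1, >= p) before using them.
function checkPeerKey(pub, prime) {
  const y = BigInt('0x' + pub.toString('hex'));
  const p = BigInt('0x' + prime.toString('hex'));
  if (y <= 1n || y >= p - 1n) throw new Error('invalid DH public key');
}

// Assumption: AES-128 key = first 16 bytes of SHA-256(shared secret).
const deriveKey = (secret) => crypto.createHash('sha256').update(secret).digest().subarray(0, 16);

// Host-side handler, playing the role the page gives to EncryptionHandler.
class HostHandler {
  startSession(prime, generator) {          // fresh private key for every capture
    this.prime = prime;
    this.dh = crypto.createDiffieHellman(prime, generator);
    return this.dh.generateKeys();          // host public key, sent to the tablet
  }
  computeSharedKey(tabletPublicKey) {
    checkPeerKey(tabletPublicKey, this.prime);
    this.key = deriveKey(this.dh.computeSecret(tabletPublicKey));
  }
  decrypt({ iv, tag, data }) {
    const d = crypto.createDecipheriv('aes-128-gcm', this.key, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(data), d.final()]); // throws if the tag does not verify
  }
  clearKeys() { this.key = null; this.dh = null; }     // call when capture ends
}

// Tablet encrypts one constructed pen report under the agreed key.
function tabletEncrypt(tablet, hostPublicKey, report) {
  checkPeerKey(hostPublicKey, tablet.prime);
  const key = deriveKey(tablet.dh.computeSecret(hostPublicKey));
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, iv);
  const data = Buffer.concat([c.update(report), c.final()]);
  return { iv, tag: c.getAuthTag(), data };
}
```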
The STU-541 is "secure-by-design": it negotiates a full TLS handshake first, and all communication after that is done over the secure connection.
The tablet's private key is signed by a public authority and it is CRL checked.
N.B. Please note that the STU-300, 500, 520, 530 and 541 are no longer in production.