The exchange of sensitive data across public networks may make it advisable to employ data encryption techniques to mask the FIX application-level messages. This chapter describes issues related to data encryption in FIXAntenna .Net.
In order to operate in secure mode FIXAntenna .Net requires GNU Privacy Guard command-line utility (GnuPG). It may be downloaded from www.gnupg.org. Please follow OS-specific installation instructions included into GNU Privacy Guard distribution when installing. A PATH environment variable must be adjusted after the installation to include the directory containing Gnu PG command-line utility (gpg.exe on Windows).
This topic contains the following sections.
Supported FIX Protocol encryption methods are:
- PGP/DES-MD5 ( EncryptMethod(98) = 5 )
Supported PGP public-key algorithms:
Allowed key size for DSA and ElGamal algorithms is 768 up to 4096 bits. The highest suggested key size is 2048 bits.
FIXAntenna.Net operates in DES Cipher Block Chaining Mode (CBC) only. Applying other DES modes at counterparty's side such as Electronic Codebook Mode (ECB), Cipher Feedback Mode (CFB) will lead to premature session termination.
FIXAntenna.Net library has no own keyring storage and uses GnuPG keyring storages instead.
Establishing a secure FIX session requires at least two PGP keys to be present in GnuPG keyring storages. These are:
- Public encryption key of the recipient (identified by TargetCompID (56) ). This encryption key is needed to securely establish a DES session key. The key must be trusted.
- Private signing key of the sender (identified by SenderCompID (49) ). This signing key is needed to authenticate the originator to the recipient and must be trusted.
A secure password is required to access the private key. FIXAntenna.Net looks for this password in the file identified by EncryptionConfigFile configuration property.
All session-level details of FIX encryption are encapsulated inside the FIX Engine (FE).
To create a secure session, call the following method:
FixEngine.CreateSession(string senderCompID, string targetCompID, FixVersion version)
- senderCompID is the name of the sender which can be identified by GnuPG utility. Private key of the recipient must be available in GnuPG private keyring. To access the sender private key, a secure password must be specified in encryption configuration file by the EncryptionConfigFile property.
- targetCompID is the name of the recipient which can be identified by GnuPG utility. Public trusted key of the sender must be available in GnuPG public keyring.
Use the following method to establish a session as Initiator:
Session.ConnectAsInitiator(string host, int port, int heartBtInt, EncryptionMethod encryptionMethod)
Use the following method to establish a session as Acceptor:
where encryptionMethod parameter value must be set to PGP_DES_MD5 for both of the above cases.
Here is an alphabetically sorted list of all encryption parameters with references to their documentation:
This section contains the following subsections.
If "true", the channel binding information will be checked
The default value is "true"
Example: ChanBindingMustBeChecked = true
Example: PGP.key.SENDERCOMPID = PASSWORD
The following software was tested for compatibility with FIXAntenna.Net:
- Gnu Privacy Guard
- Cryptix OpenPGP 20030801 and later snapshots
In fact, any software supporting OpenPGP message format (see RFC2440) is compatible with FIXAntenna.Net. Please refer to GNU Privacy Guard COMPATIBILITY ISSUES for details.