Functionality
Logging a message
The logging service (as an entity inside the remaining clearinghouse-app) is responsible for orchestrating the flow between document service and keyring service:
When logging a message, the message consists of two parts, originating from the IDS communication structure: a header and a payload.
The logging service creates a process id (if none exists yet) and checks the authorization.
After all prerequisites are checked and completed, the logging service merges header and payload into a Document, fetches the current transaction counter and assigns it to the Document.
Now the document service comes into play: it first checks whether the document already exists, then requests the keyring service to generate a key map for the document. The key map is then used to encrypt the document (back in the document service), and the encrypted document is stored in the database.
Finally the transaction counter is incremented and a receipt is signed and sent back to the Clearinghouse-EDC.
Encryption
There is a randomly generated Master Key stored in the database.
Each document consists of a number of fields. For each document a random secret is generated, and multiple secrets are derived from it with the HKDF algorithm. These derived secrets are used to encrypt the individual fields of the document with AES-256-GCM-SIV.
The original secret is itself encrypted with AES-256-GCM-SIV under a key derived from the Master Key and stored in the database alongside the Document.
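The key hierarchy described above (per-document random secret, HKDF-derived per-field keys, document secret wrapped under a key derived from the Master Key) as an added Python example; this is not the clearing house's own code. It assumes HKDF-SHA256, the field name as HKDF info for field keys, the document id as info for the wrapping key and as associated data, and a random 12-byte nonce per ciphertext; if the installed OpenSSL has no AES-GCM-SIV support it falls back to AES-GCM so the structure can still be exercised.

```python
import os
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
try:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV
except ImportError:  # cryptography < 42 has no GCM-SIV binding
    AESGCMSIV = None

NONCE_LEN = 12  # AES-GCM-SIV uses 96-bit nonces


def aead(key: bytes):
    """AES-256-GCM-SIV as in the clearing house; AES-256-GCM only as a
    fallback when the OpenSSL backend lacks GCM-SIV (same API, but
    without nonce-misuse resistance)."""
    if AESGCMSIV is not None:
        try:
            return AESGCMSIV(key)
        except UnsupportedAlgorithm:
            pass
    return AESGCM(key)


def derive(secret: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (assumed hash) -> one 256-bit key per distinct info."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info).derive(secret)


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + aead(key).encrypt(nonce, plaintext, aad)


def open_(key: bytes, blob: bytes, aad: bytes) -> bytes:
    return aead(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


def encrypt_document(master_key: bytes, doc_id: bytes, fields: dict) -> dict:
    doc_secret = os.urandom(32)  # fresh random secret per document
    enc_fields = {name: seal(derive(doc_secret, b"field:" + name.encode()), value.encode(), doc_id)
                  for name, value in fields.items()}
    # Wrap the document secret under a key derived from the Master Key.
    wrapped = seal(derive(master_key, b"doc-secret:" + doc_id), doc_secret, doc_id)
    return {"doc_id": doc_id, "fields": enc_fields, "wrapped_secret": wrapped}


def decrypt_document(master_key: bytes, record: dict) -> dict:
    doc_id = record["doc_id"]
    doc_secret = open_(derive(master_key, b"doc-secret:" + doc_id), record["wrapped_secret"], doc_id)
    return {name: open_(derive(doc_secret, b"field:" + name.encode()), blob, doc_id).decode()
            for name, blob in record["fields"].items()}
```

A wrong Master Key or any modified ciphertext fails authentication on unwrap, so no field is ever decrypted with a half-trusted secret.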