Replace fidelius with a python alternative

[khavinshankar]

Project Detail

CARE is a centralized capacity management and patient management system, central to the 10BedICU Project, integrating patients, doctors, hospitals, labs, specialized treatment centers, hospital administrators, and shifting control cells. Hospitals update crucial information about their assets, providing district administration with a comprehensive view of the healthcare system via smart dashboards. CARE digitizes patient records, streamlines workflows for pandemic management, and is deployed in remote areas, enabling TeleICU services for underserved citizens. It revolutionizes healthcare management, enhancing efficiency, accessibility, and patient outcomes.

Features To Be Implemented

1. Implement the features of fidelius service in Python.
   Basically, we need the following 3 features to be implemented in python 3.
   • Generate key pairs according to the ABDM specifications
   • Encrypt the data according to the ABDM specifications
   • Decrypt the data according to the ABDM specifications
2. Replace the fidelius service with the newly built utility
   Fidelius is used in 2 places, decrypting the incoming data from ABDM and encrypting the outgoing data.
3. Add tests for the newly built utility.

You can use any existing standard python packages to facilitate this.

Context
We are currently using a service called fidelius as a docker container for encrypting and decrypting data. It's used while sending and receiving data through ABDM (Ayushman Bharat Digital Mission or ABDM is a government initiative similar to UPI for exchanging medical records between entities.).

ABDM expects the data to be encrypted and decrypted in a certain way. You can read more about the ABDM specifications here: https://sandbox.abdm.gov.in/abdm-docs/EncryptionAndDecryptionData

Supportive Materials

These material (threads) discuss the issues with python implementation:

• https://devforum.abdm.gov.in/t/help-us-on-curve25519
• https://devforum.abdm.gov.in/t/data-encryption-using-pynacl/3271/6

Learning Path

	Details
Complexity	Medium
Required Skills	Python, Django
Mentors	@vigneshhari , @khavinshankar , @rithviknishad , @gigincg , @Ashesh3 , @sainak
Project Size	175 Hours

Link to documentation for Product Set-Up

1. For setting up the frontend, please refer to the readme file available at: https://github.com/coronasafe/care_fe
2. For setting up the backend, please refer to the readme file available at: https://github.com/coronasafe/care

Acceptance Criteria

• All the CI/CD workflows should pass.
• Code is logically structured for long-term project sustainability.
• Proper descriptions should be included for review purposes.
• QA and Code Review

Milestone

• Get to know CARE as a product and understand the workflow.
• Understand the requirements.
• Implement the tasks mentioned above
• Implement test cases to test the functionality
• Optimise the code
• Review and QA

[praptisharma28]

Would love to work on this under gsoc. @khavinshankar

[nihal467]

Hey everyone,

Thank you for showing interest in the projects. I would like to inform you that we have scheduled EOD calls on Zoom from Monday to Saturday at 7:30 PM to discuss your work and address any doubts with the core team. Alternatively, feel free to use our #care_general Slack channel.

The meeting links will be shared in our #reminder channel in our Slack workspace.

Link to join the Slack: Slack Workspace

Meanwhile, please explore the care platform and familiarize yourself with its features. Feel free to play around with it and assign any open issues as you see fit.

[Talikamuhib]

Hey @khavinshankar i really wanna contribute in this project 💯

[khavinshankar]

Here are some previous research done on this issue by @Ashesh3,

Paper: https://www.iacr.org/cryptodb/archive/2006/PKC/3351/3351.pdf

RFC: https://datatracker.ietf.org/doc/html/rfc7748#section-4.1
EC-Curve25519 - Montgomery curve
p 2^255 - 19
A 486662
order 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed
cofactor 8

Java:
EC-Curve25519 -> https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/math/ec/custom/djb/Curve25519.java#L19-L20
Parameters: (q=-19, a=1226088772, b=1997588580, n=1559614445, cofactor=8)
Note: https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/crypto/ec/CustomNamedCurves.java#L90-L96

C#:
X25519 -> https://github.com/bcgit/bc-csharp/blob/master/crypto/src/math/ec/rfc7748/X25519.cs#L17-L18

Seems like the Java library uses the Weierstrass form, rather than the Montgomery curve mentioned originally in the paper, whereas their c# library uses Montgomery curve by default. ( Source: bcgit/bc-java#399 )

We need a manual curve if we want to use Weierstrass form in their c# library: https://github.com/bcgit/bc-csharp/blob/master/crypto/test/src/crypto/test/ECTest.cs#L748-L753 since it uses Montgomery curve (a=486662) by default.

If we can get Montgomery form of the Curve25519 working by using a custom EC curve we can replicate the fidelius enc/dec. This library could help: https://github.com/alexmgr/tinyec#working-on-custom-curves

I was unable to find the above in a python library, most use openssl's built in implementation which do not match the parameters we need.
I was able to replicate this in c# and create a native machine executable which would be a drop-in offline replacement for fidelius-cli and is 2x faster. But not really a permanent solution.

The link sent above ( https://github.com/cslashm/ECPy/blob/master/src/ecpy/curve_defs.py#L472 ) for Curve25519 MONTGOMERY has a mismatching 'b' value with the Java Curve25519, hence won't work in our case, unless we can edit it and use it as a custom curve.

For anyone who takes this in future, basically this is what you need implemented in Python:
Algorithm: ECDH (hash: SHA256)
Curve: Curve25519
Type: Weierstrass form
Parameters: (q=-19, a=1226088772, b=1997588580, order=1559614445, cofactor=8)
Basepoint: (-1431493542, 2127483865)
Salt: Random 32bit data

[khavinshankar]

To encrypt and decrypt using existing fedelius service, Try these following steps:

• Create a receiver key pair GET https://fidelius.ohc.network/keys/generate
• Create a sender key pair GET https://fidelius.ohc.network/keys/generate
• Now for encrypting the data, use POST https://fidelius.ohc.network/encrypt , and for the body,

{
   "receiverPublicKey": "receiverKeyPairResponse.publicKey",
    "receiverNonce": "receiverKeyPairResponse.nonce",
    "senderPrivateKey": "senderKeyPairResponse.privateKey",
    "senderPublicKey": "senderKeyPairResponse.publicKey",
    "senderNonce": "senderKeyPairResponse.nonce",
    "plainTextData": "hello world"
}

• Finally for decrypting the encrypted data, use POST https://fidelius.ohc.network/decrypt, and for the body,

{
    "receiverPrivateKey": "receiverKeyPairResponse.privateKey",
    "receiverNonce": "receiverKeyPairResponse.nonce",
    "senderPublicKey": "decryptResponse.keyToShare",
    "senderNonce": "senderKeyPairResponse.nonce",
    "encryptedData": "decryptResponse.encryptedData"
}