Guide to the Whole Process of Tile Encryption

Feedback

In order to prevent tile data crawling and further enhance the security of use, SuperMap 11i (2024) series products provide full-process tile encryption capability from server-side encryption to client-side decryption. At the same time, the encryption algorithm also supports the national standard. SM4 state secret algorithm.

This chapter will introduce in detail how to encrypt tile data in SuperMap iServer and how to decrypt and browse tile data in SuperMap Web client to help the safe use of tile data in actual business.

I. Encrypt tile data in SuperMap iServer

1. Encryption algorithm supported by SuperMap iServer

1）SM4

SM4 algorithm, the full name of SM4 block cipher algorithm, is a commercial cryptographic algorithm standard issued by the State Encryption Administration of China. In SuperMap The algorithm is built in iServer, and the mode and key length used when encrypting tile data are defaulted as follows:

Support CTR mode algorithm. When using the default value of SM4, it represents the use of SM4/CTR encryption and decryption
Key length: 128 bits

2）AES

AES (Advanced Encryption Standard) algorithm, the most common symmetric encryption algorithm, is a block encryption standard adopted by the Federal Government of the United States. Built in this algorithm in SuperMap iServer, the default mode and key length used for encrypting tile data are as follows:

Support CTR mode algorithm. When the default value, AES, is used, AES/CTR encryption and decryption is used
Key length: 256 bits

2. The tile encryption in SuperMap iServer

SuperMap iServer implements tile encryption by dynamically encrypting service interfaces that obtain tiles from different services. Encryption configuration and authentication methods are described below.

1) Encryption algorithm configuration

The encryption algorithm and specification are configured through the < encryption > node, located in the < security> node of iserver-system.xml ( ( 【SuperMap IServer installation directory】\webapps\iserver\WEB-INF), the specific example is as follows:

      <!-- iServer encryption algorithm and specification configuration -->                
      <encryption class="com.supermap.server.config.EncryptionSetting">           
        <serviceKeySettings>
          <serviceKeySetting>   
            <keyID>keyID1</keyID>  
            <version>1.1</version>                     
            <algorithm>SM4</algorithm>                     
            <keyLength>128</keyLength>                     
          </serviceKeySetting>
        </serviceKeySettings>
        <keyProviderSettings>
           <keyProvider>com.supermap.model.util.SM4SecretKeyProvider</keyProvider>
        </keyProviderSettings> 
      </encryption>

Among,

< serviceKey Settings >: GIS service dynamic encryption algorithm settings node. Encryption algorithms can be configured in this node for multiple service components, each is set in the < serviceKeySetting > node, with the configuration item < keyID > as the identifier. Specifically, the following configuration items are included:

< keyID >: 【Required parameter】 The identifier of each service components encryption algorithm. Only letters and numbers are supported, for example, keyID1. Corresponding to the <keyID> in the GIS service dynamic encryption configuration file (【SuperMap iServer installation directory】\webapps\isurver\WEB-INF\config\isurver-svcworkkeymappings. xml) to ensure effectiveness. Note: keyIDs of different service components cannot be the same
< algorithm >: 【Required】 Name of the encryption algorithm. The algorithm name supports two-segment writing, such as SM4/CTR, and also supports default writing, such as SM4.
< keyLength >: Key length, in units of b. When using the SM4 algorithm, it can be set to 128, and when using AES, it can be set to 256. The default values are as follows: Encryption algorithm supported by SuperMap iServer .
< version >: Key version information, for example: 1.1.

< keyProvider Settings >: Key settings node. If you need to configure an external key, you can configure a custom key in this node. Multiple extended keys can be configured in this node, set each in the < keyProvider > node, the iServer will try to get the key in turn. If it is not set, the built-in key of iServer will be used, including the following configuration items:

< keyProvider >: Extended key class name. The class name is the package path of the jar package, for example: com.supermap.model.util.SM4SecretKeyProvider. In real project use, you need to compile the jar package into a class file first, and then the file is stored in 【SuperMap iServer installation directory】\webapps\iserver\WEB-INF\classes. In that example above, the storage path of the corresponding class file is: 【SuperMap iServer Install Directory】\webapps\iserver\WEB-INF\classes\com\supermap\model\util\SM4SecretKeyProvider.class. For the implementation method of extending the custom external key, please refer to Extending the Encryption Key

2) GIS service dynamic encryption configuration (including tile encryption of vector tiles, 3D model tiles, etc.)

In order to use the expected encryption method for tiles, it is also necessary to dynamically encrypt the GIS services that can obtain this type of tile in the iserver-vcworkkeymappings.xml file (under SuperMap iServer installation directory\webapps\isurver\WEB-INF\config). The following are examples of configuring interfaces for tile encryption in 3D, map, and data services:

 <?xml version="1.0" encoding="UTF-8"?>                
 <svcworkkeymappings>          
     <!-- Encryption configuration of 3D service components (taking model tiles with a suffix of. s3m as an example)-->
     <serviceType>   
         <typeName>com.supermap.services.components.impl.RealspaceImpl</typeName>  
         <keyID>keyID1</keyID>                     
         <urls>                     
            <string>/iserver/services/.*?/rest/realspace/datas/.*?/data/path/.*?/.*?\.s3m.*</string>                     
         </urls>
     </serviceType>
     <!-- Encryption configuration of map service component (taking vector tiles with suffix. mvt as an example)-->
     <serviceType>
         <typeName>com.supermap.services.components.impl.MapImpl</typeName>
             <keyID>keyID2</keyID>
             <urls>
                 <string>/iserver/services/.*?/rest/maps/.*?/tileFeature\.mvt.*</string>
                 <string>/iserver/services/.*?/restjsr/v1/vectortile/maps/.*?/tiles/.*?/.*?/.*?\.mvt.*</string>
             </urls>
     </serviceType>
     <!-- Encryption configuration of data service components (taking vector tiles with a suffix of. mvt as an example)-->
     <serviceType>
         <typeName>com.supermap.services.components.impl.DataImpl</typeName>
         <keyID>keyID3</keyID>
         <urls>
             <string>/iserver/services/.*?/rest/data/datasources/.*?/datasets/.*?/tileFeature\.mvt.*</string>
         </urls>
     </serviceType>
</svcworkkeymappings>

Among,

< typeName >: Service component name, available in service config file (【SuperMap IServer installation directory】\webapps\iserver\WEB-INF\iserver-services.xml).
< keyID >: The encryption algorithm identifier should correspond to the <keyID> in the system configuration file (【SuperMap iServer installation directory】\webapps\isurver\WEB-INF\iserver-system.xml). Note: a type of service components can only correspond to one keyID, and different service components cannot be consistent.
< urls >: Eervice interfaces requiring encryption. Multiple interfaces of the same service component can be configured in this node, each Set in the < string > node, and must be able to match the actual request URL. There are the following rules:

Should contain the request path in addition to the full resource URL
Use ". *?" instead for non-fixed values, such as the service components name map-world
After resource and before file suffix, separated by "\"

For example, to the vector tiles service tiles interface (example Url: http://localhost:8090/iserver/services/map-world/restjsr/v1/vectortile/maps/World/tiles/0/0/0.mvt), then < string > node needs to be configured as /iserver/services/.*?/restjsr/v1/vectortile/maps/.*?/tiles/.*?/.*?/.*?\.mvt.*

3) Validation of encryption configuration

After completing the above configuration, restart SuperMap iServer and publish services, and the tile encryption configuration will take effect. You can verify this in two ways.

When browsing vector tile maps using iServer's built-in 2D representations (iClient for Openlayers3 (with MVT), for MapboxGL) and 3D representations (WebGL3D, Cesium), it does not display when browsing 3D model data or scenes
Request encrypted service resources, and the response body should be able to return encrypted information. For example, when executing a get request on localhost: 8090/iserver/services/map-ChinA100.json, the response body is as follows:

{

...

"serviceEncryptInfo":

{

"encrptSpec":

{

"keyLength":128,

"attributes":null,

"version":"1.1",

"algorithm":"SM4"

}

"updateTime":"Fri Sep 06 10:07:15 CST 2024",

"encrptKeyID":"keyID1"

}

...

"url": "http://localhost:8090/iserver/services/map-China100/restjsr"

}

II. Decrypting and browsing tile data in SuperMap web client

The tile data encrypted by SuperMap iServer can only be browsed through client decryption. The following will introduce how to load and display encrypted tile data from two aspects: SuperMap 2D client and 3D client.

1. Two-dimensional client decryption

OpenLayers and MapboxGL are available in SuperMap iClient 11i (2024) API for decrypting and browsing vector tiles data, Please refer to the version of SuperMap iClient the official website help documentation. A brief sample code is provided below to illustrate the specific application:

1）for OpenLayers

const styleURL =

"http://localhost:8090/iserver/services/map-China100/restjsr/v1/vectortile/maps/China_4326/style.json";

...

style.on('styleloaded', function () {

const vectorLayer = new ol.layer.VectorTile({

declutter: true,

source: new ol.source.VectorTileSuperMapRest({

style: styleURL,

projection: 'EPSG:4326',

format: format,

decrypt: true //Decryption parameters

}),

style: style.getStyleFunction()

});

map.addLayer(vectorLayer);

});

</script>

2）for MapboxGL

Add the decryptSources class to the regular code and configure the source value in style, such as China. After the code is executed, the iServer published service can be decrypted and rendered in vector tiles.

mapboxgl.supermap.decryptSources.set(["China"]); //Decryption parameters

var map = new mapboxgl.Map({

container: "map",

renderWorldCopies: false,

style: "http://172.16.15.94:8090/iserver/services/map-China100/rest/maps/China/tileFeature/vectorstyles.json?type=MapBox_GL&styleonly=true",

center: [106, 35],

zoom: 4

});

</script>

2. 3D client decryption

Support for SuperMap iClient3D for WebGL/WebGPU 11i (2024) SP1 The S3M 3D model tile is decrypted and browsed. There is no need to add more parameters in the code. After SuperMap iServer is introduced to use the 3D service address published by the 3D model tile, the code can be executed for browsing. A brief sample code is provided below to illustrate the specific application:

function init(SuperMap3D, scene, viewer) {

...

try{

var promise = scene.open("http://localhost:8090/iserver/services/3D-CBD/rest/realspace");

SuperMap3D.when(promise,function(layers){

var layer = scene.layers.find('Config');

sceneLayer = layer;

},function(){

var title = 'Failed to load SCP, please check the network connection status or if the URL address is correct?';

widget.showErrorPanel(title, undefined, e);

});

}

catch(e){

if (widget._showRenderLoopErrors) {

var title = 'An error occurred during rendering, rendering has been stopped.';

widget.showErrorPanel(title, undefined, e);

}

...

}

</script>