I can't get data element encryption to work.
34 views
Skip to first unread message
Rich Brim
Mar 10, 2014, 4:59:55 PM3/10/14
to InterSy...@googlegroups.com
Hi
I am working on encrypting a few on my data fields and can't seem to get it working. I have also tried using managed key file with no luck.
The encrypting part seems to work, but the the decrypting.
ERROR in page definition:
ERROR #5002: Cache error: MVFILE.ParcelModel:%OpenModel: <ILLEGAL VALUE>zDecrypt+3^MVFILE.
I am working on encrypting a few on my data fields and can't seem to get it working. I have also tried using managed key file with no luck.
The encrypting part seems to work, but the the decrypting.
ERROR in page definition:
ERROR #5002: Cache error: MVFILE.ParcelModel:%OpenModel: <ILLEGAL VALUE>zDecrypt+3^MVFILE.
ParcelModel.1
Method %OnLoadModel(pSource As MVFILE.PARCEL) As %Status
{
*key='2848BB11-7468-4A75-BD92-F8AB1D2BE346'
*key='C:\InterSystems\Cache\mgr\ysp.key'
key='1234567890123456'
ciphertext=pSource->PROPERTYOWNERDL
plaintext=@ME->Decrypt(ciphertext,key)
@ME->OwnDL=plaintext
}
Method %OnStoreModel(pSource As MVFILE.PARCEL) As %Status
{
*key='2848BB11-7468-4A75-BD92-F8AB1D2BE346'
*key='C:\InterSystems\Cache\mgr\ysp.key'
key='1234567890123456'
plaintext=@ME->OwnDL
ciphertext=@ME->Encrypt(plaintext,key)
pSource->PROPERTYOWNERDL = ciphertext
}
ClassMethod Encrypt(plaintext,key) As %String [ Language = cache ]
{
Set text=$ZCONVERT(plaintext,"O","UTF8")
//Set text=$SYSTEM.Encryption.AESCBCManagedKeyEncrypt(text,key)
Set text=$SYSTEM.Encryption.AESCBCEncrypt(text,key)
Set ciphertext=$SYSTEM.Encryption.Base64Encode(text)
quit ciphertext
}
ClassMethod Decrypt(ciphertext,key) As %String [ Language = cache ]
{
Set text=$SYSTEM.Encryption.Base64Decode(ciphertext)
//Set text=$SYSTEM.Encryption.AESCBCManagedKeyDecrypt(text)
Set text=$SYSTEM.Encryption.AESCBCDecrypt(text,key)
Set plaintext=$ZCONVERT(text,"I","UTF8")
quit plaintext
}
Here is the class documentation.
classmethod AESCBCEncrypt(plaintext As %String, key As %String, IV As %String) as %String
classmethod AESCBCDecrypt(ciphertext As %String, key As %String, IV As %String) as %String
Method %OnLoadModel(pSource As MVFILE.PARCEL) As %Status
{
*key='2848BB11-7468-4A75-BD92-F8AB1D2BE346'
*key='C:\InterSystems\Cache\mgr\ysp.key'
key='1234567890123456'
ciphertext=pSource->PROPERTYOWNERDL
plaintext=@ME->Decrypt(ciphertext,key)
@ME->OwnDL=plaintext
}
Method %OnStoreModel(pSource As MVFILE.PARCEL) As %Status
{
*key='2848BB11-7468-4A75-BD92-F8AB1D2BE346'
*key='C:\InterSystems\Cache\mgr\ysp.key'
key='1234567890123456'
plaintext=@ME->OwnDL
ciphertext=@ME->Encrypt(plaintext,key)
pSource->PROPERTYOWNERDL = ciphertext
}
ClassMethod Encrypt(plaintext,key) As %String [ Language = cache ]
{
Set text=$ZCONVERT(plaintext,"O","UTF8")
//Set text=$SYSTEM.Encryption.AESCBCManagedKeyEncrypt(text,key)
Set text=$SYSTEM.Encryption.AESCBCEncrypt(text,key)
Set ciphertext=$SYSTEM.Encryption.Base64Encode(text)
quit ciphertext
}
ClassMethod Decrypt(ciphertext,key) As %String [ Language = cache ]
{
Set text=$SYSTEM.Encryption.Base64Decode(ciphertext)
//Set text=$SYSTEM.Encryption.AESCBCManagedKeyDecrypt(text)
Set text=$SYSTEM.Encryption.AESCBCDecrypt(text,key)
Set plaintext=$ZCONVERT(text,"I","UTF8")
quit plaintext
}
Here is the class documentation.
classmethod AESCBCEncrypt(plaintext As %String, key As %String, IV As %String) as %String
This method performs AES encryption in Cipher Block Chained (CBC) mode. Use with AESCBCDecrypt. (See Federal Information Processing Standards Publication 197 and NIST Special Publication 200-38A for more information.)
Input parameters:
plaintext - String to be encrypted. This is padded before encryption to the next mutiple of 16 bytes, using reversible block padding. (See Internet Engineering Task Force Request for Comments 2040 and RSA Laboratories Public-Key Cryptography Standards #7 for more information.)
key - Input key material. Key material 16, 24, or 32 characters long (on Unicode systems, with all character values < 256) is used directly. Otherwise, Password-Based Key Derivation Function #2 (PBKDF2) is used with HMAC-SHA-1, no salt, and one iteration to generate an AES key of the next larger valid size (up to 32 bytes). (See RSA Laboratories Public-Key Cryptography Standards #5 for more information.)
IV - Initialization vector (optional). If this argument is present it must be 16 characters long (on Unicode systems, with all character values < 256). If this argument is omitted (or is an empty string), a null initialization vector is used.
Return value: Encrypted ciphertext.
NOTE: To AES-CBC encrypt and Base64 encode Unicode strings that may contain wide characters, UTF-8 encode the string first:
Set text=$ZCONVERT(plaintext,"O","UTF8")
Set text=$SYSTEM.Encryption.AESCBCEncrypt(text,key,IV)
Set ciphertext=$SYSTEM.Encryption.Base64Encode(text)
To decode and decrypt, perform these operations in the reverse order:
Set text=$SYSTEM.Encryption.Base64Decode(ciphertext)
Set text=$SYSTEM.Encryption.AESCBCDecrypt(text,key,IV)
Set plaintext=$ZCONVERT(text,"I","UTF8")
classmethod AESCBCDecrypt(ciphertext As %String, key As %String, IV As %String) as %String
This method performs AES decryption in Cipher Block Chained (CBC) mode. Use with AESCBCEncrypt. (See Federal Information Processing Standards Publication 197 and NIST Special Publication 200-38A for more information.)
Input parameters:
ciphertext - Encrypted ciphertext, as generated by AESCBCEncrypt.
key - Input key material. Key material 16, 24, or 32 characters long (on Unicode systems, with all character values < 256) is used directly. Otherwise, Password-Based Key Derivation Function #2 (PBKDF2) is used with HMAC-SHA-1, no salt, and one iteration to generate an AES key of the next larger valid size (up to 32 bytes). (See RSA Laboratories Public-Key Cryptography Standards #5 for more information.)
IV - Initialization vector (optional). If this argument is present it must be 16 characters long (on Unicode systems, with all character values < 256). If this argument is omitted (or is an empty string), a null initialization vector is used.
Return value: Decrypted original plaintext, with block padding removed.
David Guest
Mar 13, 2014, 6:52:19 PM3/13/14
to InterSy...@googlegroups.com
I use the Data Element Encryption from MV. You first need to setup the key on the management portal from System Administration > Encryption > Create New Encryption Key, Then activate it for data Element encryption by using the System Administration > Encryption > Data Element Encryption. This will give you a "key" in the following form XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX you use for the encryption routines. Each time you reset or stop the cache instance you need to go into the Data Element Encryption menu and add the key back it will keep the same key name.
I then run the following code where salt is a random string so the same data isn't encrypted identically each time. The key is the key you setup in the management portal. and String is the data to be encrypted.
encryptedString = "%SYSTEM.Encryption"->AESCBCManagedKeyEncrypt(salt:@AM:string, key)
encodedString = "%SYSTEM.Encryption"->Base64Encode(encryptedString)
To Decrypt you just run
encryptedString = "%SYSTEM.Encryption"->Base64Decode(string)
rawString = "%SYSTEM.Encryption"->AESCBCManagedKeyDecrypt(encryptedString)
* Removes the First Attribute from the String returning all other attributes
* The first attribute is the salt added by during encryption
string = FIELD(rawString, @AM, 2, COUNT(rawString, @AM))
Rich Brim
Mar 14, 2014, 5:07:21 PM3/14/14
to InterSy...@googlegroups.com
Hi David,
I was able to get this working with your help and help on ZEN board.
Here is what works.I decided not to use managed key. The decrypt does not like a null or a non-encrypted value.
if plaintext='' then
ciphertext=''
end else
try
ciphertext="%SYSTEM.Encryption"->AESBase64Encode(plaintext,key)
catch errs
ciphertext=''
end try
end
if ciphertext = '' then
plaintext=''
end else
try
plaintext="%SYSTEM.Encryption"->AESBase64Decode(ciphertext,key)
catch errs
plaintext=''
end try
end
thanks again,
Rich
Reply all
Reply to author
Forward
0 new messages