Skip to content. | Skip to navigation

Sections
Personal tools
You are here: Home Accelerate Articles U2 encryption in an open technology world

U2 Encryption in an Open Technology World

If you have valuable, sensitive, or confidential data, and the data can be accessed or seen by unauthorized people, then data encryption is a must. The extended BASIC APIs of Rocket U2 UniData® and UniVerse® (U2) perform symmetric encryption operations on data using various available ciphers. The heart of the U2 encryption function is the OpenSSL library. Walk through the four worlds of encryption covering C#, Java™, U2 BASIC, and OpenSSL shell scripting and see that encryption of data produced is interchangeable amongst them.

Four worlds of encryption

Level: Introductory

Nik Kesic ( nkesic@rs.com), Software Engineer, Rocket Software

13 Apr 2006


Overview

This article discusses four programming technologies to demonstrate the use of symmetric encryption on a data string:

  • OpenSSL DOS scripting version 0.9.7e 25 Oct 2004
  • C# program with Visual Studio .NET 2003
  • Java program using JDK/JRE 1.5.0_04
  • U2 BASIC using UDT 7.1 or UV 10.1

For simplicity, this article demonstrates all of these program examples using a Windows® XP Professional OS environment. No example uses salt, but the examples provided can be easily adapted. All except the C# example can be migrated to more popular business system environments. Hopefully two of these technologies will answer your current requirements or at the least point you in the right direction. I have also performed benchmarks timing each of these technologies to calculate how long an encryption operation takes.

Before looking at the examples, let's go over some definitions of terms.

 

 

Terminology definitions

What is encryption?

Encryption is the method that converts readable data into cipher data. While encryption has been used to protect communications for as long as open messages have existed, only organizations and individuals with a need for secrecy have made use of it.

Modern day encryption started to get serious during World War II and was made popular in movies about the Enigma cipher machine and the Navajo Wind talkers. The essence of naming the above two examples is that the Enigma was only good if control of the machine and strength of the cipher was guaranteed. Although the Enigma cipher had cryptographic weaknesses, it was only the combination of significant factors such as mistakes by operators, procedural flaws, and the capture of a machine or codebook that allowed codebreakers to read messages.

The Wind talkers, on the other hand, spoke a language only understood by them, which guaranteed secure communications.

Don't forget to note your domicile laws. The information in this document may contradict laws governing your country's mandated policy on cryptology practices. This article does not address those areas of concerns.

Today, as more and more information is available over the public domain, strong encryption is mandated to protect widely used systems, such as Internet e-commerce and database applications where information such as passwords, credit card numbers, and social security numbers can be viewed in plain text. It is also important when you design applications to be aware of cryptology strengths with respect to encryption and decryption operations having an impact on system performance.

If your key to the encryption is secure, and the strength of the cipher used is strong (number of bits used to encrypt data), then the encrypted cipher data will not be easily read by eavesdroppers.

What is encoding?

Encoding is the conversion of some data into another form by using a code which need not be secret. This conversion is done in such a way that re-conversion into the original form is possible by decoding. In contrast to encrypted data, encoded data may well be understandable by someone who knows the code. Encoding and decoding is not used in this article to hide the original content of the data, but is rather used as a mechanism to transport the data easily from point A to point B and back again. Encrypted data tends to be badly viewable and not easily transportable. In the example section later in this article, Base64 encoding is used on encrypted data. Base64 decoding is first used on encoded-encrypted data before decryption can begin.

What is cryptology?

The word cryptology comes from the Greek words kryptos, which means "hidden," and logos, which means "word." It is the branch of science that deals with secret communications by use of codes and ciphers to render clear messages into an incomprehensible form, only readable with secret knowledge.

What are ciphers?

A cipher (also spelled cypher) is an algorithm for performing encryption (and the reverse, decryption) using a series of well-defined steps on individual letters or pairs of letters in a message. One of the simplest ciphers was said to have been used by Julius Caesar when communicating to his generals, and for that reason this type of cipher still bears his name. The Caesar cipher shifts letters.

Below is an example of a Caesar cipher with a 3 position shift:

In today's usage the original information is known as plaintext and the encrypted form as ciphertext. The ciphertext message contains all the information of the plaintext message, but it is not in a format readable by a human or computer without the proper mechanism to decrypt it. The message should resemble random gibberish to those not intended to read it.

Ciphers are usually parameterized by a piece of auxiliary information, called a key. The encrypting procedure is varied depending on the key that changes the detailed operation of the algorithm. Without the appropriate key, the cipher cannot be used to encrypt or decrypt. In the example section later in this article, the RC2 (a symmetric key block cipher, developed by RSA Data Security Inc., and now widely available) encryption algorithm is used.

What are algorithms?

Algorithms are mathematical procedures for performing encryption on data. Through the use of an algorithm, information is made into meaningless cipher text and requires the use of a key to transform the data back into its original form. Blowfish, AES RC4, and RC6 are examples of encryption algorithms

What is salt?

A seed value is used in the encryption of a plaintext password to expand the number of possible resulting cipher texts from a given plaintext. The use of a salt value is a defensive measure to protect encrypted passwords against dictionary attacks.

What are keys?

A key is a sequence of characters used by an encryption algorithm to encrypt plain text into cipher text. The key is the trigger mechanism to the encryption algorithm. Keys must be kept secret.

What is IV?

The Initialization Vector (IV) serves as a seed that is used to encrypt and decrypt the first block of bytes. This ensures that no two blocks of data produce the same block of encrypted text. The size of IV depends on the encryption algorithm and on the cryptographic protocol in use. It is normally as large as the block or as large as the encryption key. The IV must be known to the recipient of the encrypted information to be able to decrypt it.

The following two figures demonstrate the difference between KEY-ACTUAL(HEX VALUE) with IV(HEX VALUE) (Figure 3) and Pass-Phrase(ASCII) with Salt(HEX VALUE) (Figure 4).

Protect your data

Sensitive data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, or disclosure of data. In addition, corporate policy should dictate that any application developed that protects data because of its nature should also provide access to that data to employees only on a need-to-know basis.


Benchmark to understand performance impact of encryption

Encryption of data has its price. It is worth the effort to carefully measure the impact of encryption by considering the following:

  • Performance: Embarking on some elegant campaign to protect data on a system that is already showing strain can be suicide.
  • Strength of encryption: The stronger the encryption, the longer it will take to encrypt or decrypt.
  • Encrypted data size: Encrypted data is larger than the plaintext. In the example used in this article, the original data size was eight characters. After encryption the data grew to 24 characters.
  • Type of data: Plan carefully to define which data attribute needs to be encrypted, as it is probably unnecessary to encrypt all data.
  • Real time encryption/decryption: In an on demand, real-time world, many applications need to traverse the public domain. Careful resource planning will help you prepare an application environment with the necessary overhead to cope with the added work and increased data size.

All the examples in this article offer a simple timer, measuring how much extra time is needed to encrypt / decrypt eight characters of data. You will also notice that the comparison between the Java example and C# is worlds apart. Take care to understand why performance is slow and how careful programming can overcome weaknesses. The examples were coded intentionally to show performance differences and leave the solution to you.

Introduction to the technologies

The four worlds

The four types of technology examined in this article that can be used for encryption are:

It is important to note that all four code examples are simplistic in nature. Providing a base set of working examples seems more important than correct coding policies. Better error detection and error trapping should be implemented when developing real-world applications. All four examples use the following values:

  • KEY (mykey) = ABCDEFGHIJKLMNOP
  • IV (iv) = ABCDEFGH
  • Input Data (instr) = My data string
Back to top

 


 

OpenSSL scripting

OpenSSL scripting is the first and simplest of the examples demonstrated in this article. U2 by default is built with the OpenSSL group of libraries. Also included is the openssl executable, and this is the basis for the script example. No timing is performed using the script.

Note that U2 does not support all the functions available with the openssl command. Visit the OpenSSL Web site for more information (see Resources). Only the enc command and some of the options are used in the scripting example. Listing 1 describes the options used:

 

Listing 1. OpenSSL command reference

 

opensslcommand [ command_opts ] [ command_args ]Command

 enc [ options ] - Encryption and Decryption with Ciphers

Description
The symmetric cipher commands allow data to be encrypted or decrypted 
using various block and stream ciphers using keys based on passwords 
or that are explicitly provided. Base64 encoding or decoding can also be performed 
either by itself or in addition to the encryption or decryption. 

OPTIONS-in filename 
the input filename, standard input by default. 

-out filename 
the output filename, standard output by default. 

-pass arg 
the password source. For more information about the format of arg, see the 
PASS PHRASE ARGUMENTS section in openssl(1). 

-salt 
use a salt in the key derivation routines. This option should ALWAYS be 
used unless compatibility with previous versions of OpenSSL or SSLeay is 
required. This option is only present on OpenSSL, Versions 0.9.5 or later. 

-nosalt 
do not use a salt in the key derivation routines. This is the default for 
compatibility with previous versions of OpenSSL and SSLeay. 

-e 
encrypt the input data: this is the default. 

-d 
decrypt the input data. 

-a 
base64 process the data. This means that if encryption is taking place, the 
data is base64 encoded after encryption. If decryption is set, the 
input data is base64 decoded before being decrypted. 

-A 
if the -a option is set, base64 process the data on one line. 

-k password 
the password to derive the key from. This is for compatibility with previous 
versions of OpenSSL; superseded by the -pass argument. 

-kfile filename 
read the password to derive the key from the first line of filename. This is 
for compatibility with previous versions of OpenSSL; superseded by the -pass 
argument. 

-S salt 
the actual salt to use: this must be represented as a string comprised only 
of hex digits. 

-K key 
the actual key to use: this must be represented as a string comprised only 
of hex digits. If only the key is specified, the IV must additionally be specified 
using the -iv option. When both a key and a password are specified, the key 
given with the -K option will be used and the IV generated from the password 
will be taken. It probably does not make much sense to specify both key and 
password. 

-iv IV 
the actual IV to use: this must be represented as a string comprised only 
of hex digits. When only the key is specified using the -K option, the IV 
must explicitly be defined. When a password is being specified using one 
of the other options, the IV is generated from this password. 

-p 
print out the key and IV used. 

-P 
print out the key and IV used, then immediately exit: don't do any encryption 
or decryption. 

-bufsize number 
set the buffer size for I/O 

-nopad 
disable standard block padding 

-debug 
debug the BIOs used for I/O.

 

DOS script QA1.BAT

The example shown below is a DOS script on a Windows XP platform, using OpenSSL, Version 0.9.7.e.

 

Listing 2. Options used

 

enc     -       Encryption and Decryption with Ciphers
-nosalt -          Do not use a salt in the key derivation routines
-iv     -       16 byte intermediate vector 
-rc2    -       Cipher name - 128 bit RC2 in CBC mode
-K      -       Actual 32 byte key in hexadecimal
\       -       Line continuation character
-p      -       Display iv and key
-a      -       Base64 encode after encryption
        -       Base64 decode before decryption
-d      -       Decrypt the input data
-in     -       Input data file 
-out    -       Encoded/encrypted data file

 

 

Listing 3. Contents of QA1.bat

 

@echo off
echo Start of Encryption Test

openssl enc -nosalt -iv "4142434445464748" -rc2 -K \ 
"4142434445464748494A4B4C4D4E4F50" -p -a -in instring.asc -out outstring.res
echo Encrypted String: && type outstring.res

echo Decrypted String:
openssl enc -d -nosalt -iv "4142434445464748" -rc2 -K \ 
"4142434445464748494A4B4C4D4E4F50" -a -in outstring.res
echo.

 

 

Listing 4. Contents of instring.asc

 

My data string         **** NO linefeed at end

 

 

Listing 5. Screen output

 

Start of Encryption Test
key=4142434445464748494A4B4C4D4E4F50
iv =4142434445464748
Encrypted String:
AJnpU8i3/ckdMUqRBarZzw==
Decrypted String:
My data string

 

 

Listing 6. Contents of outstring.res

 

AJnpU8i3/ckdMUqRBarZzw==

 

Notes

The -salt option should ALWAYS be used if the key is being derived from a password, unless you want compatibility with previous versions of OpenSSL and SSLeay. Without the -salt option, it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt, the same password always generates the same encryption key. When the salt is being used, the first eight bytes of the encrypted data are reserved for the salt -- it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

All the block ciphers normally use PKCS#5 padding, also known as standard block padding. This allows a rudimentary integrity or password check to be performed. However, since the chance of random data passing the test is better than one in 256, it isn't a very good test.

Back to top

 


C# program - rc2crypt2

This is the second of the encryption examples, using C# in a .NET Environment developed on Microsoft Visual Studio .NET 2003. This program uses the same key, iv, and data as the OpenSSL scripting example.

 

Listing 7. rc2crypt2.cs

 

using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
namespace nikcrypt2
{
   class rc2crypt2
   {
      public static void Main()
      {
         // Input data string
         String instr = "My data string";
         String b64es;
         String decstr;
         byte[] fromEncrypt;
         byte[] encrypted;
         byte[] toEncrypt;
         byte[] es;
         // Create a new 128 bit key.
         byte[] mykey = {0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4A,
         0x4B,0x4C,0x4D,0x4E,0x4F,0x50};
         // Create a new 64 bit initialization vector
         byte[] iv = {0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48};

         // or to be more readable
         // byte[] mykey = Encoding.ASCII.GetBytes("ABCDEFGHIJKLMNOP");
         // byte[] iv = Encoding.ASCII.GetBytes("ABCDEFGH");
    
         try
         {
            // tick counter
            long StartTickValue = Environment.TickCount;
            Console.WriteLine("Start of Encryption Test\n");

            // 
            ASCIIEncoding textConverter = new ASCIIEncoding();

            // RC2 cryptology
            RC2CryptoServiceProvider rc2Crypto = new RC2CryptoServiceProvider();
            Console.WriteLine("Effective key size is {0} bits.", 
            rc2Crypto.EffectiveKeySize);
            Console.WriteLine("Mode is {0}.", rc2Crypto.Mode);

            // set cypher mode 
            // By default cypher mode CBC is selected ... change CBC to CFB, CTS, ECB, 
            // OFB as needed.
            rc2Crypto.Mode = System.Security.Cryptography.CipherMode.CBC;   
            Console.WriteLine("");

            // Display Key
            String inKey = textConverter.GetString(mykey);
            Console.WriteLine("Input Key:   {0}", inKey);

            // Display IV
            String inIV = textConverter.GetString(iv);
            Console.WriteLine("Input IV:   {0}", inIV);
            
            // Get an encryptor from key and IV.
            ICryptoTransform encryptor = rc2Crypto.CreateEncryptor(mykey, iv);

            // Encrypt the data.
            MemoryStream rc2msEncrypt = new MemoryStream();
            CryptoStream rc2csEncrypt = new CryptoStream(rc2msEncrypt, encryptor, 
            CryptoStreamMode.Write);

            // Convert the data to a byte array.
            toEncrypt = textConverter.GetBytes(instr);

            //Write all data to the crypto stream and flush it.
            rc2csEncrypt.Write(toEncrypt, 0, toEncrypt.Length);
            rc2csEncrypt.FlushFinalBlock();

            //Get encrypted array of bytes.
            encrypted = rc2msEncrypt.ToArray();

            // display encrypted string in base64
            Console.WriteLine("");
            //Convert encrypted to base64
            b64es = Convert.ToBase64String(encrypted);
            Console.WriteLine("Base64 encrypted output : " + (b64es));

            // or
            //Console.WriteLine("Base64 encrypted output : 
            // " + Convert.ToBase64String(encrypted));
                                
            // This is where the encrypted data would be transmitted to a recipient
            // who already knows your secret key. Optionally, you ca
            // also encrypt your secret key using a public key algorithm
            // and pass it to the message recipient along with the RC2
            // encrypted message. Base64 conversion of the encrypted string is useful 
            // for transmission using email and so on.
             
            // Get a decryptor that uses the same key and IV as the encryptor.
            ICryptoTransform decryptor = rc2Crypto.CreateDecryptor(mykey, iv);
             
            // Convert base64 encrypted string to encrypted byte array
            es = Convert.FromBase64String(b64es);
             
            // Now decrypt the previously encrypted message using the decryptor
            // obtained in the above step.
            // or decrypt a encrypted base64 string
            MemoryStream rc2msDecrypt = new MemoryStream(es);
            CryptoStream rc2csDecrypt = new CryptoStream(rc2msDecrypt, decryptor, 
            CryptoStreamMode.Read);
            fromEncrypt = new byte[es.Length];
              
            //Read the data out of the crypto stream.
            rc2csDecrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
             
            //Convert the byte array back into a string.
            decstr = textConverter.GetString(fromEncrypt);
              
            //Display the input string (instr) data and the decrypted data.
            Console.WriteLine("");
            Console.WriteLine("Input String:   {0}", instr);
            Console.WriteLine("Decrypted String: {0}", decstr);
            Console.WriteLine("\n");
              
            // tick counter in Milliseconds
            long EndTickValue = Environment.TickCount;
            long FinalTickValue = (EndTickValue - StartTickValue);
              
            // Display elapsed time
            Console.WriteLine("Elapsed Tick count {0}", + FinalTickValue + " ms");
         }
         catch (Exception e)
         {
              Console.WriteLine("Error : " + e);
         }
      }
   }
}

 

 

Listing 8. Output of rc2crypt2.cs

 

Start of Encryption Test

Effective key size is 128 bits.
Mode is CBC.

Input Key:   ABCDEFGHIJKLMNOP
Input IV:   ABCDEFGH

Base64 encrypted output : AJnpU8i3/ckdMUqRBarZzw==

Input String:   My data string
Decrypted String: My data string


Elapsed Tick count 16 ms

 

Back to top

 


Java program - rc2crypt2

This is the third example of encryption, using Java on Windows XP using SUN JVM 1.5.0_04. This version of JVM was used because it includes the RC2 cryptology methods. This program uses the same key, iv, and data as the OpenSSL scripting example.

 

Listing 9. rc2crypt2.java

 

package sample;
import javax.crypto.*;
import javax.crypto.spec.*;
import sun.misc.*;
/*
 * @author nikk
*/
class rc2crypt2 {
   public static void main(String args[]) {

      String instr = "My data string";
      String b64es;
      String decstr;
      byte[] encrypted;
      byte[] toEncrypt;
      byte[] fromEncrypt;
      byte[] es;
      // Create a new 128 bit key. 
      byte[] mykey = { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 
      0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50 };
      // Create a new 64 bit initialization vector
      byte[] iv = { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 };
      // or
      // byte[] mykey = "ABCDEFGHIJKLMNOP".getBytes();
      // byte[] iv = "ABCDEFGH".getBytes();
      try {
         // timer counter
         long StartTime = System.currentTimeMillis();
         System.out.println("Start of Encryption Test");
         
         // encrypt
         //  Constructs a secret key from mykey using RC2 algorithm
         SecretKeySpec key = new SecretKeySpec(mykey, "RC2");
         
         // Constructs a parameter set for RC2 from the given effective key size 
         // (in bits) and IV.
         RC2ParameterSpec rc2Spec = new RC2ParameterSpec(128, iv);
            
         // Generates a Cipher object that implements the specified transformation.
         // *** Very time expensive call ***
         // for increase in speed, create object early
         Cipher cipher = Cipher.getInstance("RC2/CBC/PKCS5Padding");
            
         //
         long CipherTime = System.currentTimeMillis();
         long Test1Time = (CipherTime - StartTime);
         System.out.println("Cost of cypher is " + Test1Time + " ms");
            
         // Initializes this cipher with a key and a set of algorithm parameters.
         // *** time expensive call *** 
         cipher.init(Cipher.ENCRYPT_MODE, key, rc2Spec, null);
            
         long initTime = System.currentTimeMillis();
         long Test2Time = (initTime - CipherTime);
         System.out.println("Cost of init is " + Test2Time + " ms");
            
         // Get encrypted array of bytes.
         toEncrypt = instr.getBytes();
            
         // Encrypts  byte data in a single-part operation, or finishes a 
         // multiple-part operation
         encrypted = cipher.doFinal(toEncrypt);
            
         // Get the Key size in bits
         int kbit = rc2Spec.getEffectiveKeyBits();
         System.out.println("Effective key size is " + kbit + " bits.\n");
            
         // get the cipher algorithm
         String alg = cipher.getAlgorithm();
         System.out.println("Algorithm " + alg);
            
         // get the Key
         System.out.println("Input Key : " + new String(key.getEncoded()));
            
         // get the IV
         System.out.println("Input IV : " + new String(cipher.getIV()) + "\n");
            
         // Base 64 Encode the encrypted string
         b64es = new BASE64Encoder().encodeBuffer(encrypted);
         System.out.println("Base64 encrypted output : " + b64es);
            
         // decrypt
         // Convert base64 encrypted string to encrypted byte array 
         es = new BASE64Decoder().decodeBuffer(b64es);

         // Initializes this cipher with a key and a set of algorithm parameters.
         // ** dcipher.init(Cipher.DECRYPT_MODE, key, rc2Spec, null);
         cipher.init(Cipher.DECRYPT_MODE, key, rc2Spec, null);
            
         //decrypt byte array
         // ** fromEncrypt = dcipher.doFinal(es);
         fromEncrypt = cipher.doFinal(es);
            
         // convert byte array into string
         decstr = new String(fromEncrypt);
         System.out.println("Input string : " + instr);
         System.out.println("Output string : " + decstr);
            
         // System.out.println("Output string : " + new String(fromEncrypt));
         long EndTime = System.currentTimeMillis();
         long TotalTime = (EndTime - StartTime);
         System.out.println("Cost of encrypting 8 characters is " + TotalTime + " ms");
      } catch (Exception e) {
         System.out.println("Error : " + e);
      }
   }
}

 

 

Listing 10. Output of rc2crypt2.java

 

Start of Encryption Test
Cost of cypher is 407 ms
Cost of init is 62 ms
Effective key size is 128 bits.

Algorithm RC2/CBC/PKCS5Padding
Input Key : ABCDEFGHIJKLMNOP
Input IV : ABCDEFGH

Base64 encrypted output : AJnpU8i3/ckdMUqRBarZzw==

Input string : My data string
Output string : My data string
Cost of encrypting 8 characters is 469 ms
Back to top

 

 


U2 BASIC

This is the fourth example of encryption, using the UniData 6.1.x, 7.1.X, or Universe 10.1.X database. The important thing to note is at the time this document was written, only a pre-release version of the U2 BASIC encrypt API was used. Current versions WILL NOT produce the output or have the syntax as used here. Check the latest U2 Readme for information on eCase 8088 to confirm that you can produce the correct results. After the BASIC example, there is a workaround BASIC example that you can use until issue 8088 has been implemented into the U2 databases.

 

Table 1. Encrypt Syntax

 

Paramater Description
algorithm A string containing the cipher name.
action 1: Encrypt

2: Base64 encode after encryption

3: Decrypt

4: Base64 decode before encryption

5: Encrypt and then to one-line base64

6: One-line base64 decode then decrypt
data Data or the name of the file containing the data to be processed.
dataLoc 1: Data in a string

2: Data in a file
key The actual key (password) or file name containing the key.
keyLoc 1: Key in data

2: Key in file
keyAction 1 KEY_ACTUAL Use actual key (old behavior, U2-self-contained)

2 KEY_DERIVE_MD5 (old behavior, U2-self-contained)

3 KEY_ACTUAL_OPENSSL (new behavior, U2-OpenSSL-compatible)

4 KEY_DERIVE_MD5 (new behavior, as all the following ones, U2-OpenSSL-compatible)

5 KEY_DERIVE_SHA1 (new)

6 KEY_DERIVE_MD2 (new)

7 KEY_DERIVE_MDC2 (new)

8 KEY_DERIVE_MD160 (new)

9 KEY_DERIVE_SHA (new)
Salt A string containing the Salt value.
IV A string containing IV(Hexadecimal representation).
result The result buffer or the name of the file storing the result.
resultLoc 1 - Result in a string

2 - Result in a file

 

 

 

Table 2. Status of each return code

 

Return Code Status
0 Success
1 Invalid cipher
2 Invalid parameters (location/action value is out of range, so on)
3 The data cannot be read
4 The key cannot be derived
5 Base 64 encoding/decoding error
6 Encryption/decryption error

Note: Openssl enc has a -md option, followed by md5 (default), md2, sha1, and sha. The -md option is not supported by OpenSSL 0.9.6e. Thus for UV10.1, if you use KEYACTION 3 - 5, you won't be able to decrypt with OpenSSL.

U2 BASIC program - RC2CRYPT

 

Listing 11. RC2CRYPT

 

*
* written by Nik Kesic
*
A=protocolLogging("rc2crypt.log", "ON", "10")   ; * Turn on logging
RESULT=""
ALGORITHM="rc2-cbc"                         ; * 128 bit rc2 algorithm in CBC mode
MYKEY="4142434445464748494A4B4C4D4E4F50"                   ; * HEX - Actual Key
IV="4142434445464748"                           ; * HEX - Initialization Vector
INSTR="My data string"                          ; * Data String
DATALOC=1                                   ; * Data in String
KEYLOC=1                                ; * Key in String
ACTION=2                                ; * Base64 encode after encryption
KEYACTION=3                                 ; * KEY_ACTUAL_OPENSSL
SALT=""                                         ; * SALT not used
RESULTLOC=1                                 ; * Result in String RESULT
PRINT "Start of Encryption Test"
CRT
PRINT "Effective key size is 128 bits."
PRINT "Algorithm ":ALGORITHM
PRINT "Input Key : ":MYKEY
PRINT "Input IV : ":IV
*
* Call to ENCRYPT function - 0 = good response
*
RETURN.CODE=ENCRYPT(ALGORITHM,ACTION,INSTR,DATALOC,MYKEY,KEYLOC,KEYACTION,SALT,IV,
RESULT,RESULTLOC)
IF RETURN.CODE <> 0 THEN 
  CRT "Error in Encrypt : "
  STOP
END 
CRT
PRINT "Base64 encrypted output : ":RESULT
*
ACTION="4"                              ; * Base64 decode before encryption
CRT "Input String : ":INSTR
*
* Call to DECRYPT function - 0 = good response\
*
RETURN.CODE=ENCRYPT(ALGORITHM,ACTION,RESULT,DATALOC,MYKEY,KEYLOC,KEYACTION,SALT,IV,
DECRESULT,RESULTLOC)
IF RETURN.CODE <> 0 THEN 
  CRT "Error in Decrypt : "
  STOP
END
CRT "Decrypted String : ":DECRESULT             ; * Output of decrypted string
FinalTime=SYSTEM(9)               ; * Time program ran in milliseconds
PRINT "Cost of encrypting 8 characters is ":FinalTime:" ms"
A=protocolLogging("", "OFF", "")            ; * Turn on logging
END

 

 

Listing 12. Output of U2 BASIC example

 

Start of Encryption Test

Effective key size is 128 bits.
Algorithm rc2-cbc
Input Key : 4142434445464748494A4B4C4D4E4F50
Input IV : 4142434445464748

Base64 encrypted output : AJnpU8i3/ckdMUqRBarZzw==

Input String : My data string
Decrypted String : My data string
Cost of encrypting 8 characters is 10 ms

 

Back to top

 


Workaround BASIC example

The workaround example was created to overcome OpenSSL compatibility issues until the U2 engineering issue 8088 has been released. A point to note is the intentional issue of a linefeed that the echo command introduced. On UNIX systems, this would not be a problem, but on Windows, this causes the encrypted string to look different and add a linefeed. Even the decrypted string has the linefeed. You must always consider the environment having an impact on your data and decide how to handle it. Another point to note is the cost of the workaround in time.

 

Listing 13. BASIC / script example

 

*
* written by Nik Kesic
* workaround for OPENSSL compatible encrypt until issue 8088 is resolved
*
IV="4142434445464748"
MYKEY="4142434445464748494A4B4C4D4E4F50"
ALGORITHM=" -rc2"
INSTR="My data string"
PRINT "Start of Encryption Test"
CRT
PRINT "Effective key size is 128 bits."
PRINT "Algorithm ":ALGORITHM
PRINT "Input Key : ":MYKEY
PRINT "Input IV : ":IV
*
comm="echo ":INSTR:"|openssl enc -nosalt -iv ":IV:ALGORITHM:" 
-K ":MYKEY:" -a -out mydata.enc"
* PRINT comm
*
PCPERFORM "type mydata.enc" CAPTURING RESULT
CRT
PRINT "Base64 encrypted output : ":RESULT
PCPERFORM comm
*
* Universe
* EXECUTE comm
*
CRT "Input String : ":INSTR
dcomm="openssl enc -d -nosalt -iv ":IV:ALGORITHM:" -K ":MYKEY:" -a -in mydata.enc"
PCPERFORM dcomm CAPTURING DECRESULT
CRT "Decrypted String : ":DECRESULT
FinalTime=SYSTEM(9)                  ; * Time program ran in milli seconds
PRINT "Cost of encrypting 8 characters is ":FinalTime:" ms"
END

 

 

Listing 14. Output of workaround

 

Start of Encryption Test

Effective key size is 128 bits.
Algorithm  -rc2
Input Key : 4142434445464748494A4B4C4D4E4F50
Input IV : 4142434445464748

Base64 encrypted output : AJnpU8i3/cml4YH2PsT2k4tspzJ5i9hC
Input String : My data string
Decrypted String : My data string
Cost of encrypting 8 characters is 26 ms
Back to top

 

 


What is the future for U2 data encryption?

The Rocket U2 Research and Development team is finalizing the architectural design for robust and flexible database level encryption at the field and/or record level with consideration for performance, index handling and encryption key management. This functionality will roll out in the next major releases of the databases (UniVerse 10.2 and UniData 7.2). A key component of security is to ensure that the database and its applications are highly available and easily recoverable in case of a system failure.

 

Back to top

Summary

Encrypting data to protect the owner of that data in an e-commerce world is not without regulation. Law enforcement authorities and national security agencies around the world are concerned that widespread use of encrypted communication will diminish their capability to fight against crime or prevent criminal and terrorist activities. Your audience location may enforce a lesser encryption algorithm that what is recommended. But whatever your needs are, hopefully the U2 encryption function will offer you the mechanism to protect data sufficiently from the elements that frequently are news headlines.

Resources

Learn

 

Get products and technologies

About the author

Nik Kesic photo

Nik Kesic works for the Rocket Software U2 Advanced Technical Support group in Denver Colorado. Nik provides consultancy, level 3 support, and training and has published articles on Web enablement using RedBack, Sockets, XML, SOAP, SSL, and Encryption.

 

 

Document Actions