Apex Crypto And Decrypto Class

public class EncryptAndDecryptHelper {
    
    public static String encriptString(Blob key, String data){
        try{
            Blob bdata = Blob.valueOf(data);
            Blob encrypted = Crypto.encryptWithManagedIV('AES128', key, bdata);
            return  EncodingUtil.base64Encode(encrypted); 
        }catch(Exception e){
            system.debug('exception'+e.getMessage());
            return '';
        }
        
    }
    public static String decryptString(Blob key, String decryptString){
        try{
            Blob DecodedEncryptedBlob = EncodingUtil.base64Decode(decryptString);
            Blob decryptedB = Crypto.decryptWithManagedIV('AES128',key, DecodedEncryptedBlob);
            return decryptedB.toString();   
        }catch(Exception e){
            system.debug('exception'+e.getMessage());
            return '';
        }
         
    }
    
}

What is the Apex Crypto Class?

As per the Crypto Class documentation in the Apex Developer’s Guide, the Apex Crypto class provides a number of cryptographic functions for creating digests, message authentication codes, and signatures, as well as functions for encrypting and decrypting information. These functions allow you to protect the confidentiality of data as well as allow external systems to verify the integrity of messages and authenticity of the sender.

Scenarios for Using the Apex Crypto Class

The cryptographic capabilities of the Crypto class is normally used in the following scenarios:

  • Confidentiality – the protection of data either at rest or in transit from unauthorized parties
  • Integrity – the data is complete and correct
  • Authenticity – proof of the authenticity of the sender or receiver of the message

Encryption and Decryption

Consists of functions to encrypt and decrypt information using AES128, AES192 and AES256 algorithms. Currently, only symmetric private key encryption using the AES algorithm is supported. Whilst encryption provides for data protection, it does not authenticate the sender (non-repudiation) and nor does it guarantee message integrity.

Creating Hash Digests

In this scenario, the input message of any length is converted using a one-way cryptographic hash function into a compact unique “digest” of fixed length. As the digest is unique, it can then be used by the receiver to ensure integrity of the message by comparing the transmitted digest with a digest calculated from the received message using the same algorithm. Its compact nature also allows for performance and efficient transmission.

The Crypto.generateDigest() function generates a one-way hash digest for this purpose and supports algorithms such as MD5, SHA1, SHA256 and SHA512. As hash digests are one way, compact representations of the original data, the resulting digest cannot be “decrypted” back to its original form.

Hash Based Message Authentication Codes (MAC)

Hash-based MAC functions generate a compact one-way digest using a cryptographic hash function and then uses a private key to encrypt the resulting digest. The combination of the an encrypted hash digest ensures non-repudiation of the message and its sender.

Compared to a hash digests, HMAC functions use a private key that the sender uses to encrypt the MAC and receiver to decrypt the MAC. The unencrypted digest can then verify the message integrity. As the receiver has to decrypt the MAC using the shared private key, you can verify the authenticity of the message sender.

The Crypto.generateMac() method supports the HMACMD5, HMACSHA1, HMACSHA256 and HMAC512 algorithms.

Creating a Digital Signature

Digital signatures guarantee both integrity and authenticity of the message using an asymmetric key. The sender generates a message digest (e.g. using SHA1) and encrypts it using a private key. The receiver then decrypts using a public key and compares the message digest with a digest generated from the received message.

The Crypto.sign() function generates a digital signature using the SHA1 algorithm to create the digest, which is then subsequently encrypted using the RSA algorithm with a PKCS8 formatted private key.

Supported Standards

The following are the various supported standards for each of the Crypto class methods.

Method Supported Standards
Encrypt()
EncryptWithManagedIv()
Decrypt()
DecryptWithManagedIv()
AES128, AES192, AES256 for encryption. 
PCKS#5 padding and Cipher Block Chaining.
generateDigest()
generateMac()
MD5, SHA1, SHA256, SHA512
sign() SHA1 with RSA

Discussion and Sample Code

Encryption

The Crypto class provides the following functions to encrypt and decrypt using the AES algorithm:

  • encrypt()
  • decrypt()
  • encryptWithManagedIV()
  • decryptWithManagedIV()

The following considerations should be noted:

  • The AES128, AES192 and AES256 algorithms are supported
  • A private key can either be generated externally or via the Crypto.generateAESKey(Integer size) method. The length of the private key must match to the specified algorithm.
  • The private key should not be hardcoded in the Apex code. Instead, it should be placed in a protected custom setting.
  • The standard AES algorithm is used with a Cipher Mode of Cipher Block Chaining (CBC) and PKCS#5 padding. Ensure that any applications that you interact with use the same parameters.(Note that PKCS#5 and PKCS#7 are compatible.)
  • The algorithm requires an initialization vector of 16 bytes (128 bits). Use the encryptWithManagedIV() function to have Salesforce generate the IV for you in the first 16 bytes of the cipher text.Third party systems that receive the cipher should extract the IV from the first 16 bits. If third party systems send the IV in the first 16 bytes of the cipher, then use the decryptWithManagedIV() method to decrypt.
  • If you intend to generate your own initialization vector, then use the encrypt() and/or decrypt() methods, in which the IV is sent as a separate argument. Note that the cipher text passed to the decrypt() method should not contain the IV in the first 16 bytes and neither does the encrypt() function place the IV in the first 16 bytes of the generated cipher.

Ranjith T [03/09/2019]

Leave a Reply

avatar
  Subscribe  
Notify of