public class EncryptAndDecryptHelper {
public static String encriptString(Blob key, String data){
try{
Blob bdata = Blob.valueOf(data);
Blob encrypted = Crypto.encryptWithManagedIV('AES128', key, bdata);
return EncodingUtil.base64Encode(encrypted);
}catch(Exception e){
system.debug('exception'+e.getMessage());
return '';
}
}
public static String decryptString(Blob key, String decryptString){
try{
Blob DecodedEncryptedBlob = EncodingUtil.base64Decode(decryptString);
Blob decryptedB = Crypto.decryptWithManagedIV('AES128',key, DecodedEncryptedBlob);
return decryptedB.toString();
}catch(Exception e){
system.debug('exception'+e.getMessage());
return '';
}
}
}
What is the Apex Crypto Class?
As per the Crypto Class documentation
in the Apex Developer’s Guide, the Apex Crypto class provides a number of cryptographic
functions for creating digests, message authentication codes, and signatures,
as well as functions for encrypting and decrypting information. These functions
allow you to protect the confidentiality of data as well as allow external
systems to verify the integrity of messages and authenticity of the sender.
Scenarios for Using the Apex Crypto Class
The cryptographic
capabilities of the Crypto class is normally used in the following scenarios:
- Confidentiality – the protection of data either at rest or in
transit from unauthorized parties
- Integrity – the data is complete and correct
- Authenticity – proof of the authenticity of the sender or
receiver of the message
Encryption
and Decryption
Consists of functions to
encrypt and decrypt information using AES128, AES192 and AES256 algorithms.
Currently, only symmetric private key encryption using the AES algorithm is
supported. Whilst encryption provides for data protection, it does not
authenticate the sender (non-repudiation) and nor does it guarantee message
integrity.
Creating
Hash Digests
In this scenario, the
input message of any length is converted using a one-way cryptographic hash
function into a compact unique “digest” of fixed length. As the
digest is unique, it can then be used by the receiver to ensure integrity of
the message by comparing the transmitted digest with a digest calculated from
the received message using the same algorithm. Its compact nature also allows
for performance and efficient transmission.
The
Crypto.generateDigest() function generates a one-way hash digest for this
purpose and supports algorithms such as MD5, SHA1, SHA256 and SHA512. As hash
digests are one way, compact representations of the original data, the
resulting digest cannot be “decrypted” back to its original form.
Hash
Based Message Authentication Codes (MAC)
Hash-based MAC functions
generate a compact one-way digest using a cryptographic hash function and then
uses a private key to encrypt the resulting digest. The combination of the an
encrypted hash digest ensures non-repudiation of the message and its sender.
Compared to a hash
digests, HMAC functions use a private key that the sender uses to encrypt the
MAC and receiver to decrypt the MAC. The unencrypted digest can then verify the
message integrity. As the receiver has to decrypt the MAC using the shared
private key, you can verify the authenticity of the message sender.
The Crypto.generateMac()
method supports the HMACMD5, HMACSHA1, HMACSHA256 and HMAC512 algorithms.
Creating
a Digital Signature
Digital signatures
guarantee both integrity and authenticity of the message using an asymmetric
key. The sender generates a message digest (e.g. using SHA1) and encrypts it
using a private key. The receiver then decrypts using a public key and compares
the message digest with a digest generated from the received message.
The Crypto.sign()
function generates a digital signature using the SHA1 algorithm to create the
digest, which is then subsequently encrypted using the RSA algorithm with a
PKCS8 formatted private key.
Supported Standards
The following are the
various supported standards for each of the Crypto class methods.
|
Method
|
Supported Standards
|
Encrypt()
EncryptWithManagedIv()
Decrypt()
DecryptWithManagedIv()
|
AES128, AES192, AES256 for encryption.
PCKS#5 padding and Cipher Block Chaining.
|
generateDigest()
generateMac()
|
MD5, SHA1, SHA256, SHA512
|
|
sign()
|
SHA1 with RSA
|
Discussion and Sample Code
Encryption
The Crypto class provides
the following functions to encrypt and decrypt using the AES algorithm:
- encrypt()
- decrypt()
- encryptWithManagedIV()
- decryptWithManagedIV()
The following
considerations should be noted:
- The AES128, AES192 and AES256 algorithms are supported
- A private key can either be generated externally or via the
Crypto.generateAESKey(Integer size) method. The length of the
private key must match to the specified algorithm.
- The private key should not be hardcoded in the Apex code.
Instead, it should be placed in a protected custom setting.
- The standard AES algorithm is used with a Cipher Mode of Cipher
Block Chaining (CBC) and PKCS#5 padding. Ensure that any applications that you
interact with use the same parameters.(Note that PKCS#5 and PKCS#7 are
compatible.)
- The algorithm requires an initialization vector of 16 bytes (128
bits). Use the encryptWithManagedIV() function to have Salesforce generate the
IV for you in the first 16 bytes of the cipher text.Third party systems that
receive the cipher should extract the IV from the first 16 bits. If third party
systems send the IV in the first 16 bytes of the cipher, then use the
decryptWithManagedIV() method to decrypt.
- If you intend to generate your own initialization vector, then
use the encrypt() and/or decrypt() methods, in which the IV is sent as a
separate argument. Note that the cipher text passed to the decrypt() method
should not contain the IV in the first 16 bytes and neither does the encrypt()
function place the IV in the first 16 bytes of the generated cipher.
–Ranjith T [03/09/2019]
