As you may have noticed some time ago, 4D offers you a simple way to encrypt your data. Now, 4D also allows you to use the same algorithm as the one used for data encryption, but this time for your own needs. So now you can encrypt and decrypt any information you want, be it a single field in a table or external files.
Note: To illustrate the new commands presented in this blog post, here’s an HDI containing fake medical analyses and their external PDF reports. In this HDI, the reports are encrypted and you decrypt them to obtain readable documents.
Nowadays, more and more critical data needs to be encrypted to prevent hacking or data leaks. By allowing you to easily encrypt tables, 4D has already answered this main need. But sometimes, you need to encrypt only a field in a table, or external files linked to records such as reports, invoices, or medical analyses. You could already do this using the 4D.CryptoKey class, but asymmetric algorithms are more adapted for information signature purposes. We now offer you the capacity to encrypt your own data or files with a strong AES-256 symmetric algorithm, the same as 4D uses for data and journal encryption.
Behind the curtains
The new Encrypt data BLOB command gets a blob and computes an encrypted blob using parameters as a key pass object and salt.
A key pass object is an object resulting in a New data key command call. You can also use a passphrase directly instead of a key pass object. As 4D uses an AES-type algorithm for encryption, the resulting blob has a size multiple of 16 bytes. So if the original blob size is not a multiple of 16, the command will add terminal null bytes to complement it.
For the reverse operation, the new Decrypt data BLOB command gets an encrypted blob and computes a decrypted blob using the same parameters. Be careful though, if the parameters don’t have the exact same values as those used when encrypting, the decrypted blob won’t be the same as the original one. In fact, it’s the expected behavior of cryptography!
Salt is not so bad
Using salt is a way to make sure the original data can’t be retrieved from encrypted data. One way of hacking data is through frequency analysis, that is, comparing the encrypted information with very much identical original information. When you encrypt the same information with the same passphrase but different salts, the fingerprint (encrypted information) will be completely different.
The salt is more relevant as its values are multiple. For example, when you encrypt a field or a file linked to a record, you can easily use the primary key as the salt. This way, even if the original field or file content is the same for several records, the encrypted content will be completely different.
FILE ENCRYPTION SAMPLE
To easily handle file encryption and decryption with original size recovery, you can use the following methods.
These methods manage the 16 bytes complement by storing the original file size in the encrypted file itself so that it can be easily retrieved during decryption.
#DECLARE($originalFile : 4D.File; $passPhrase : Text; $salt : Integer; $encryptedFile : 4D.File)->$result : Boolean
// AES-type encryption : as resulting blob size is a multiple of 16 bytes, some final null bytes may be added.
var $fileContent; $blobToEncrypt; $blobEncrypted : Blob
var $contentLength; $offset : Integer
// Store original file length at the beginning of the blob to encrypt
VARIABLE TO BLOB($contentLength; $blobToEncrypt; $offset)
COPY BLOB($fileContent; $blobToEncrypt; 0; $offset; $contentLength)
$result:=Encrypt data BLOB($blobToEncrypt; $passPhrase; $salt; $blobEncrypted)
#DECLARE($encryptedFile : 4D.File; $passPhrase : Text; $salt : Integer; $decryptedFile : 4D.File)->$result : Boolean
// AES-type decryption : as encrypted blob size is a multiple of 16 bytes, some final null bytes may have been added.
var $fileContent; $blobToDecrypt; $blobDecrypted : Blob
var $contentLength; $offset : Integer
$result:=Decrypt data BLOB($blobToDecrypt; $passPhrase; $salt; $blobDecrypted)
// Retrieve original file length at the beginning of the decrypted blob
BLOB TO VARIABLE($blobDecrypted; $contentLength; $offset)
COPY BLOB($blobDecrypted; $fileContent; $offset; 0; $contentLength)
To illustrate how you can use these new commands, here’s an HDI containing some fake medical analyses and their external PDF reports. In this HDI, the reports are encrypted and you decrypt them to obtain readable documents.
Now, it’s up to you to encrypt and decrypt data the way 4D does!