Encrypt your own data with the 4D algorithm

Automatically translated from English

As you may have noticed some time ago, 4D offers you a simple way to encrypt your data. Now, 4D also allows you to use the same algorithm as the one used for data encryption, but this time for your own needs. So now you can encrypt and decrypt any information you want, be it a single field in a table or external files.

Note: To illustrate the new commands presented in this blog post, here’s an HDI containing fake medical analyses and their external PDF reports. In this HDI, the reports are encrypted and you decrypt them to obtain readable documents.

Become stronger

Nowadays, more and more critical data needs to be encrypted to prevent hacking or data leaks. By allowing you to easily encrypt tables, 4D has already answered this main need. But sometimes, you need to encrypt only a field in a table, or external files linked to records such as reports, invoices, or medical analyses. You could already do this using the 4D.CryptoKey class, but asymmetric algorithms are more adapted for information signature purposes. We now offer you the capacity to encrypt your own data or files with a strong AES-256 symmetric algorithm, the same as 4D uses for data and journal encryption.

Behind the curtains

The new Encrypt data BLOB command gets a blob and computes an encrypted blob using parameters as a key pass object and salt.

A key pass object is an object resulting in a New data key command call. You can also use a passphrase directly instead of a key pass object. As 4D uses an AES-type algorithm for encryption, the resulting blob has a size multiple of 16 bytes. So if the original blob size is not a multiple of 16, the command will add terminal null bytes to complement it.

For the reverse operation, the new Decrypt data BLOB command gets an encrypted blob and computes a decrypted blob using the same parameters. Be careful though, if the parameters don’t have the exact same values as those used when encrypting, the decrypted blob won’t be the same as the original one. In fact, it’s the expected behavior of cryptography!

Salt is not so bad

Using salt is a way to make sure the original data can’t be retrieved from encrypted data. One way of hacking data is through frequency analysis, that is, comparing the encrypted information with very much identical original information. When you encrypt the same information with the same passphrase but different salts, the fingerprint (encrypted information) will be completely different.

The salt is more relevant as its values are multiple. For example, when you encrypt a field or a file linked to a record, you can easily use the primary key as the salt. This way, even if the original field or file content is the same for several records, the encrypted content will be completely different.

FILE ENCRYPTION SAMPLE

To easily handle file encryption and decryption with original size recovery, you can use the following methods.

These methods manage the 16 bytes complement by storing the original file size in the encrypted file itself so that it can be easily retrieved during decryption.

//encryptFile
#DECLARE($originalFile : 4D.File; $passPhrase : Text; $salt : Integer; $encryptedFile : 4D.File)->$result : Boolean
// AES-type encryption : as resulting blob size is a multiple of 16 bytes, some final null bytes may be added.
var $fileContent; $blobToEncrypt; $blobEncrypted : Blob
var $contentLength; $offset : Integer
$fileContent:=$originalFile.getContent()
// Store original file length at the beginning of the blob to encrypt
$contentLength:=BLOB size($fileContent)
VARIABLE TO BLOB($contentLength; $blobToEncrypt; $offset)
COPY BLOB($fileContent; $blobToEncrypt; 0; $offset; $contentLength)
$result:=Encrypt data BLOB($blobToEncrypt; $passPhrase; $salt; $blobEncrypted)
If ($result)
 $encryptedFile.setContent($blobEncrypted)
End if

//decryptFile
#DECLARE($encryptedFile : 4D.File; $passPhrase : Text; $salt : Integer; $decryptedFile : 4D.File)->$result : Boolean
// AES-type decryption : as encrypted blob size is a multiple of 16 bytes, some final null bytes may have been added.
var $fileContent; $blobToDecrypt; $blobDecrypted : Blob
var $contentLength; $offset : Integer
$blobToDecrypt:=$encryptedFile.getContent()
$result:=Decrypt data BLOB($blobToDecrypt; $passPhrase; $salt; $blobDecrypted)
If ($result)
 // Retrieve original file length at the beginning of the decrypted blob
 BLOB TO VARIABLE($blobDecrypted; $contentLength; $offset)
 COPY BLOB($blobDecrypted; $fileContent; $offset; 0; $contentLength)
 $decryptedFile.setContent($fileContent)
End if

USE CASE

To illustrate how you can use these new commands, here’s an HDI containing some fake medical analyses and their external PDF reports. In this HDI, the reports are encrypted and you decrypt them to obtain readable documents.

HDI: BLOB encryption

Now, it’s up to you to encrypt and decrypt data the way 4D does!

Avatar

• Product Owner •

Damien Fuzeau has joined the 4D Product team in February 2019. As a Product Owner, he is in charge of writing user stories, then translating them to functional specifications. His job also entails making sure that the feature implementations delivered are meeting the customer needs.

Damien is graduated from the University of Nantes in software engineering. He spent more than 23 years in its former company, first as developer (discovering 4D in 1997), and later as engineering manager and software architect. This company is a 4D OEM partner and deployed 4D based business softwares for thousands users, on hundreds servers. So, Damien is used to 4D development and deployment in a multi-language context.