Symmetric key encryption is when the same key is used to encrypt and decrypt data. A view, SymKeyEncrypt.vw, has been created in the SecurityBasics workspace to how symmetric key encryption works.
The top field of the view shows a representation of four rows of random 16-byte hexadecimal data. If the view is closed and reopened the data shown will be different. The key shown was used for the encryption and was also generated randomly.
When the ENCRYPT button is pressed the data is encrypted into the middle field. The encrypted data is called sypher text. The original data was just plain text. The Initialization Vector (IV) field was also filled in. If the IV field is fixed (the ‘Fix’ checkbox is marked), the encrypted output will remain the same regardless of how many times the ENCRYPT button is pushed.
If the IV field is changed at all, and the ENCRYPT button is pushed again, the output will initially change. If the ENCRYPT button is then pressed again the output will not change again.
Normally, this behavior is not desirable when using a fixed IV because if the data remains the same in the first few lines the output will also remain the same in the encrypted output. This is dangerous because if a hacker has enough information from the system, encrypted or not, patterns can be recognized that will lead to the code being broken. Typically, the IV should not be fixed, so that the encrypted data output changes every time the ENCRYPT button is pushed. It is only beneficial to fix the IV when the find equal needs to be found on the encrypted data.
For further demonstration purposes, however, the IV will be fixed. Observe that there are four lines of input and five lines of output, and this is because of padding. The AES block sypher algorithm used encrypts 16 bytes at a time. If there are only 15 bytes available, AES will throw an error unless padding is used. Padding in this case means that ‘01’ will be added internally for the missing bytes.
If a single byte of the fourth line is removed from the input and the ENCRYPT button is pushed, only four lines of encrypted data is outputted instead of five. A single byte was padded. If two bytes are removed from the input, there will still be four lines of output.
Internally, ’02 02’ was added to the data. If the encrypted data is decrypted by pressing the DECRYPT button the original data is shown. If original data has ’02 02’ at the end, the system does not know if it is real or padding, but if there are four complete blocks it will add an entire block of padding (the fifth line). These are typical limitations that need to be kept in mind.
Viewing the code to further understand this, stop the debugger, and click on ‘oSymKeyEncrypte> oSimpleSymKeyEnc’ in the ‘Code Explorer’ on the left to view the encrypt file method.
It contains a lot of variables and does several things, but firstly is creates the cSecureSymmetricKeyEncryptionMethod. It is created dynamically in this instance but does not have to be. piEncryptImplementation is set just as it was with the hashes. Initialize is then sent with a unique key
Send Initialize of hoMethod (&ucaKey).
With hashes, the hash values were automatically be reset and ready for another hash when the finalize method was called. With encryption that is not possible; a new encryptor object needs to be requested, which is always dynamic.
In this example, the IV is set, which is not normal behavior. Normally, that would be skipped. The only portion that is needed at the moment is the Get EncryptChunk of…
Get EncryptChunk can be called multiple times, but make sure every chunk of plain text data is a multiple of the block size. For AES that is 16 bytes.
Decryption is largely the same. A small difference is that a new decryptor is requested, and the IV needs to be provided. Decryption cannot happen without one.
CHALLENGE: Create a new table with two fields; one called plain text and the other sypher text. Make sure there is an index on the sypher text column. Now create an entry view that saves a single string both as plain text and encoded and encrypted as sypher text. Then, add a search field where a plain text string can be entered, and when a button is pressed the string is encrypted and a find equals is done for the sypher text. This skill is needed if data in a database needs to be encrypted. HINT: since a find equals is used a static IV will be needed.