Encryption

AES Encryption

Encryption using an AES Key requires the following parameters to be set:

  • Alg: Same as the key type: AES
  • Mode: One of the supported values: ECB, CBC, CBCNOPAD, CFB, CTR, OFB, GCM, CCM, KW, KWP
  • IV: Initialization Vector can be passed when Mode is one of the values: CBC, CBCNOPAD, CFB, CTR, OFB, GCM, CCM. If IV is not passed, then Fortanix DSM will generate a random IV for the operation and return in the response. One should note this IV for decryption purposes later.
  • Tag Len: For mode GCM and CCM, tag length needs to be passed.
  • AD: For mode GCM and CCM, Authentication Data needs to be passed.

RSA Encryption

Encryption using an RSA Key requires the following parameters to be set:

  • Alg: Same as the key type: RSA
  • Mode: One of the supported values: PKCS1_V15, OAEP_MGF1_SHA1, OAEP_MGF1_SHA256, OAEP_MGF1_SHA384, OAEP_MGF1_SHA512
NOTE
RSA key cannot encrypt data that is larger than the size of the key. For example, with RSA 1024 key, one can encrypt data not larger than 1024 bits.

C++

>string encrypt(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, string plain) {
CK_RV rv;
CK_BYTE *iv;
CK_ULONG iv_len;
string iv_b64;
CK_BYTE *cipher;
CK_ULONG cipher_len;
string cipher_b64;

iv_len = (CK_ULONG) AES_KEYLENGTH/8;
iv = (CK_BYTE *)malloc(iv_len * sizeof(CK_BYTE));
CK_MECHANISM mechanism = {
CKM_AES_CBC_PAD, iv, iv_len
};
Base64::Encode(string((char *)iv, iv_len), &iv_b64);

rv = p11->C_EncryptInit(hSession, &mechanism, hKey);
if (rv == CKR_OK) {
rv = p11->C_Encrypt(hSession, (CK_BYTE_PTR) plain.c_str(), plain.length(), NULL, &cipher_len);
if (rv == CKR_OK) {
cipher = (CK_BYTE *)malloc(cipher_len * sizeof(CK_BYTE));
rv = p11->C_Encrypt(hSession, (CK_BYTE_PTR) plain.c_str(), plain.length(), cipher, &cipher_len);
}
}
if (rv != CKR_OK) {
cout << "Encryption failed. Error code = " << rv << endl;
return string();
}
Base64::Encode(string((char *)cipher, cipher_len), &cipher_b64);
return iv_b64 + ":" + cipher_b64;
}

C#

public void encrypt() {
    EncryptRequest encryptRequest = new EncryptRequest(Alg: ObjectType.AES, Mode: CryptMode.CBC, Plain: Encoding.ASCII.GetBytes("Hello World"));
    EncryptionAndDecryptionApi encryptionAndDecryptionApi = new EncryptionAndDecryptionApi();
    EncryptResponse encResp = encryptionAndDecryptionApi.Encrypt(kid, encryptRequest);
}

Go

//AES Encryption
data := byte[]("Hello World!")
keyId := <Key UUID>
encryptReq := sdkms.EncryptRequest{
            Plain: byte[]("Hello World!"),
            Alg: sdkms.AlgorithmAes,
            Key: sdkms.SobjectById(keyId),
            Mode: sdkms.CryptModeSymmetric(sdkms.CipherModeCbc),
}
encryptResp, err := client.Encrypt(ctx, encryptReq)
encryptResp.Cipher //encrypted data as bytes
encryptResp.Iv //Initialization vector

//RSA Encryption
padding := sdkms.RsaEncryptionPaddingOAEPMGF1(
sdkms.DigestAlgorithmSha1)
encryptReq := sdkms.EncryptRequest{
            Plain: byte[]("Hello World!"),
            Alg: sdkms.AlgorithmRsa,
            Key: sdkms.SobjectById(<Key UUID>),
            Mode: sdkms.CryptModeRSA(padding),
}
encryptResp, err := client.Encrypt(ctx, encryptReq)
encryptResp.Cipher //encrypted data as bytes
encryptResp.Iv //Initialization vector

Java

//AES Encryption
String data = "Hello World!";
byte[] plain = data.getBytes();
EncryptRequest encryptRequest = new EncryptRequest();
encryptRequest
       .alg(ObjectType.AES)
       .plain(plain)
       .mode(CryptMode.CBC);
EncryptResponse encryptResponse = encryptionAndDecryptionApi.encrypt(<Key UUID>, encryptRequest);
encryptResponse.cipher //encrypted data in bytes[]
encryptResponse.iv //Initialization vector

//RSA Encryption
String data = "Hello World!";
byte[] plain = data.getBytes();
EncryptRequest encryptRequest = new EncryptRequest();
encryptRequest
       .alg(ObjectType.RSA)
       .plain(plain)
       .mode(CryptMode.OAEP_MGF1_SHA1);
EncryptResponse encryptResponse = encryptionAndDecryptionApi.encrypt(<Key UUID>, encryptRequest);
encryptResponse.cipher //encrypted data in bytes[]

Python

#AES Encryption
api_instance = sdkms.v1.EncryptionAndDecryptionApi(api_client=client)
data = "Hello World!"
request = sdkms.v1.EncryptRequest(
           alg=ObjectType.AES,
           plain= bytearray (data),
           mode=CipherMode.CBC)
encryption_response = api_instance.encrypt(<Key UUID>, request)
encryption_response.cipher #encrypted data in bytearray
encryption_response.iv #Initialization vector

#RSA Encryption
api_instance = sdkms.v1.EncryptionAndDecryptionApi(api_client=client)
data = "Hello World!"
request = sdkms.v1.EncryptRequest(
           alg=ObjectType.RSA,
           plain= bytearray (data),
           mode=CipherMode.OAEP_MGF1_SHA1)
encryption_response = api_instance.encrypt(<Key UUID>, request)
encryption_response.cipher #encrypted data in bytearray

PHP

#AES Encryption
public function encrypt() {
    $cryptMode = new Swagger\Client\Model\CryptMode();
    $encryptionRequestBody = array('alg' => $objType::AES, 'mode' => $cryptMode::CBC, 'plain' => $plain);
    $encryptionRequest = new Swagger\Client\Model\EncryptRequest($encryptionRequestBody);
    $encryptionAndDecryptionApi = new Swagger\Client\Api\EncryptionAndDecryptionApi($client);
    $encryptionResponse = $encryptionAndDecryptionApi->encrypt($securityObjectResponse["kid"], $encryptionRequest);
}

Javascript

//AES Encryption
var encryptCallback = function(error, data, response) {
    if (error) {
        console.error("Error: " + JSON.stringify(response));
    } else {
        console.log('Data encrypted successfully. result: ' + JSON.stringify(data));
    }
};

var encryptApi = new FortanixSdkmsRestApi.EncryptionAndDecryptionApi()
var plain = btoa("Hello World!")
var encryptRequest = FortanixSdkmsRestApi.EncryptRequest.constructFromObject({"alg" :"AES", "plain": plain, "mode": "CBC"})
encryptApi.encrypt(data["kid"], encryptRequest, encryptCallback)

REST API using curl

 #AES Encryption
 $ echo "Hello World!" | base64
 SGVsbG8gV29ybGQhCg==
 $ curl <Endpoint URL>/crypto/v1/encrypt -H 'Authorization: Bearer YhXwwa-6C...ig5g' -d '{"key": {"kid": "Key-UUID"}, "alg": "AES", "mode": "CBC", "plain": "SGVsbG8gV29ybGQhCg=="}'
 
 #RSA Encryption
 $ echo "Hello World!" | base64
 SGVsbG8gV29ybGQhCg==
 $ curl <Endpoint URL>/crypto/v1/encrypt -H 'Authorization: Bearer YhXwwa-6C...ig5g' -d '{"key": {"kid": "Key-UUID"}, "alg": "RSA", "mode": "OAEP_MGF1_SHA1", "plain": "SGVsbG8gV29ybGQhCg=="}' 

{"cipher": " YiBmaHViIGNpdXJl…ZyB1eXZpZyB2ZQoK"}
Was this article helpful?
1 out of 1 found this helpful