6.6.4 MySQL Enterprise Encryption Function Descriptions (original) (raw)

6.6.4 MySQL Enterprise Encryption Function Descriptions

MySQL Enterprise Encryption functions have these general characteristics:

• For arguments of the wrong type or an incorrect number of arguments, each function returns an error.
• If the arguments are not suitable to permit a function to perform the requested operation, it returnsNULL or 0 as appropriate. This occurs, for example, if a function does not support a specified algorithm, a key length is too short or long, or a string expected to be a key string in PEM format is not a valid key. (OpenSSL imposes its own key-length limits, and server administrators can impose additional limits on maximum key length by setting environment variables. SeeSection 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.)
• The underlying SSL library takes care of randomness initialization.

Several of the functions take an encryption algorithm argument. The following table summarizes the supported algorithms by function.

Table 6.37 Supported Algorithms by Function

Note

Although you can create keys using any of the RSA, DSA, or DH encryption algorithms, other functions that take key arguments might accept only certain types of keys. For example,asymmetric_encrypt() andasymmetric_decrypt() accept only RSA keys.

The following descriptions describe the calling sequences for MySQL Enterprise Encryption functions. For additional examples and discussion, seeSection 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.

• asymmetric_decrypt(algorithm,crypt_str,key_str)
  Decrypts an encrypted string using the given algorithm and key string, and returns the resulting plaintext as a binary string. If decryption fails, the result isNULL.
  keystr must be a valid key string in PEM format. For successful decryption, it must be the public or private key string corresponding to the private or public key string used withasymmetric_encrypt() to produce the encrypted string. algorithm indicates the encryption algorithm used to create the key.
  Supported algorithm values:'RSA'
  For a usage example, see the description ofasymmetric_encrypt().
• asymmetric_derive(pub_key_str,priv_key_str)
  Derives a symmetric key using the private key of one party and the public key of another, and returns the resulting key as a binary string. If key derivation fails, the result isNULL.
  pubkeystr and_privkeystr_ must be valid key strings in PEM format. They must be created using the DH algorithm.
  Suppose that you have two pairs of public and private keys:

SET @dhp = create_dh_parameters(1024);  
SET @priv1 = create_asymmetric_priv_key('DH', @dhp);  
SET @pub1 = create_asymmetric_pub_key('DH', @priv1);  
SET @priv2 = create_asymmetric_priv_key('DH', @dhp);  
SET @pub2 = create_asymmetric_pub_key('DH', @priv2);  

Suppose further that you use the private key from one pair and the public key from the other pair to create a symmetric key string. Then this symmetric key identity relationship holds:

asymmetric_derive(@pub1, @priv2) = asymmetric_derive(@pub2, @priv1)  

• asymmetric_encrypt(algorithm,str,key_str)
  Encrypts a string using the given algorithm and key string, and returns the resulting ciphertext as a binary string. If encryption fails, the result is NULL.
  The str length cannot be greater than the keystr length − 11, in bytes
  keystr must be a valid key string in PEM format. algorithm indicates the encryption algorithm used to create the key.
  Supported algorithm values:'RSA'
  To encrypt a string, pass a private or public key string toasymmetric_encrypt(). To recover the original unencrypted string, pass the encrypted string to asymmetric_decrypt(), along with the public or private key string correponding to the private or public key string used for encryption.

-- Generate private/public key pair  
SET @priv = create_asymmetric_priv_key('RSA', 1024);  
SET @pub = create_asymmetric_pub_key('RSA', @priv);  
-- Encrypt using private key, decrypt using public key  
SET @ciphertext = asymmetric_encrypt('RSA', 'The quick brown fox', @priv);  
SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @pub);  
-- Encrypt using public key, decrypt using private key  
SET @ciphertext = asymmetric_encrypt('RSA', 'The quick brown fox', @pub);  
SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @priv);  

Suppose that:

SET @s = a string to be encrypted  
SET @priv = a valid private RSA key string in PEM format  
SET @pub = the corresponding public RSA key string in PEM format  

Then these identity relationships hold:

asymmetric_decrypt('RSA', asymmetric_encrypt('RSA', @s, @priv), @pub) = @s  
asymmetric_decrypt('RSA', asymmetric_encrypt('RSA', @s, @pub), @priv) = @s  

• asymmetric_sign(algorithm,digest_str,priv_key_str,digest_type)
  Signs a digest string using a private key string, and returns the signature as a binary string. If signing fails, the result is NULL.
  digeststr is the digest string. It can be generated by callingcreate_digest().digesttype indicates the digest algorithm used to generate the digest string.
  privkeystr is the private key string to use for signing the digest string. It must be a valid key string in PEM format.algorithm indicates the encryption algorithm used to create the key.
  Supported algorithm values:'RSA', 'DSA'
  Supported digesttype values:'SHA224', 'SHA256','SHA384', 'SHA512'
  For a usage example, see the description ofasymmetric_verify().
• asymmetric_verify(algorithm,digest_str,sig_str,pub_key_str,digest_type)
  Verifies whether the signature string matches the digest string, and returns 1 or 0 to indicate whether verification succeeded or failed.
  digeststr is the digest string. It can be generated by callingcreate_digest().digesttype indicates the digest algorithm used to generate the digest string.
  sigstr is the signature string. It can be generated by callingasymmetric_sign().
  pubkeystr is the public key string of the signer. It corresponds to the private key passed to asymmetric_sign() to generate the signature string and must be a valid key string in PEM format. algorithm indicates the encryption algorithm used to create the key.
  Supported algorithm values:'RSA', 'DSA'
  Supported digesttype values:'SHA224', 'SHA256','SHA384', 'SHA512'

-- Set the encryption algorithm and digest type  
SET @algo = 'RSA';  
SET @dig_type = 'SHA224';  
-- Create private/public key pair  
SET @priv = create_asymmetric_priv_key(@algo, 1024);  
SET @pub = create_asymmetric_pub_key(@algo, @priv);  
-- Generate digest from string  
SET @dig = create_digest(@dig_type, 'The quick brown fox');  
-- Generate signature for digest and verify signature against digest  
SET @sig = asymmetric_sign(@algo, @dig, @priv, @dig_type);  
SET @verf = asymmetric_verify(@algo, @dig, @sig, @pub, @dig_type);  

• create_asymmetric_priv_key(algorithm, {key_len|dh_secret})
  Creates a private key using the given algorithm and key length or DH secret, and returns the key as a binary string in PEM format. If key generation fails, the result isNULL.
  Supported algorithm values:'RSA', 'DSA','DH'
  Supported keylen values: The minimum key length in bits is 1,024. The maximum key length depends on the algorithm: 16,384 for RSA and 10,000 for DSA. These key-length limits are constraints imposed by OpenSSL. Server administrators can impose additional limits on maximum key length by setting environment variables. SeeSection 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.
  For DH keys, pass a shared DH secret instead of a key length. To create the secret, pass the key length tocreate_dh_parameters().
  This example creates a 2,048-bit DSA private key, then derives a public key from the private key:

SET @priv = create_asymmetric_priv_key('DSA', 2048);  
SET @pub = create_asymmetric_pub_key('DSA', @priv);  

For an example showing DH key generation, see the description of asymmetric_derive().
Some general considerations in choosing key lengths and encryption algorithms:

• The strength of encryption for private and public keys increases with the key size, but the time for key generation increases as well.
• Generation of DH keys takes much longer than RSA or RSA keys.
• Asymmetric encryption functions are slower than symmetric functions. If performance is an important factor and the functions are to be used very frequently, you are better off using symmetric encryption. For example, consider using AES_ENCRYPT() andAES_DECRYPT().
• create_asymmetric_pub_key(algorithm,priv_key_str)
  Derives a public key from the given private key using the given algorithm, and returns the key as a binary string in PEM format. If key derivation fails, the result isNULL.
  privkeystr must be a valid key string in PEM format. algorithm indicates the encryption algorithm used to create the key.
  Supported algorithm values:'RSA', 'DSA','DH'
  For a usage example, see the description ofcreate_asymmetric_priv_key().
• create_dh_parameters(key_len)
  Creates a shared secret for generating a DH private/public key pair and returns a binary string that can be passed tocreate_asymmetric_priv_key(). If secret generation fails, the result is null.
  Supported keylen values: The minimum and maximum key lengths in bits are 1,024 and 10,000. These key-length limits are constraints imposed by OpenSSL. Server administrators can impose additional limits on maximum key length by setting environment variables. SeeSection 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.
  For an example showing how to use the return value for generating symmetric keys, see the description ofasymmetric_derive().

SET @dhp = create_dh_parameters(1024);  

• create_digest(digest_type,str)
  Creates a digest from the given string using the given digest type, and returns the digest as a binary string. If digest generation fails, the result is NULL.
  Supported digesttype values:'SHA224', 'SHA256','SHA384', 'SHA512'

SET @dig = create_digest('SHA512', The quick brown fox');  

The resulting digest string is suitable for use withasymmetric_sign() andasymmetric_verify().