Decryption is the process of getting back the original data from the cipher-text using a decryption key.

Note: Only asymmetric (public/private key pair) algorithms can be used with this method, since only those keys can be added to a keystore.

Decryption is the process of getting back the original data from the cipher-text using a decryption key.

Note: Only asymmetric (public/private key pair) algorithms can be used with this method, since only those keys can be added to a keystore.

Typical usage:

 var base64Msg : String = "some_encoded_encrypted_message";
 var charset : String = "UTF8";  // or "windows-1252", etc.

 var encryptedBytes : Bytes = Encoding.fromBase64(base64Msg);
 var messageBytes : Bytes = Cipher.decryptBytes(encryptedBytes, key, transformation, salt, iterations);
 var message : String = messageBytes.toString(charset);
 

Typical usage:

 var base64Msg : String = "some_encoded_encrypted_message";
 var charset : String = "UTF8";  // or "windows-1252", etc.

 var encryptedBytes : Bytes = Encoding.fromBase64(base64Msg);
 var messageBytes : Bytes = Cipher.decryptBytes(encryptedBytes, key, transformation, salt, iterations);
 var message : String = messageBytes.toString(charset);
 

Encryption is the process of converting normal data or plain text to something incomprehensible or cipher-text by applying transformations, which are the operation (or set of operations) to be performed on given input to produce some output. A transformation always includes the name of a cryptographic algorithm (for example, RSA) and may be followed by a mode and padding scheme. The supported algorithms are listed in the parameter description below.

The cryptographic algorithms can be partitioned into symmetric and asymmetric (or public key/private key).

Symmetric or "secret key" algorithms use the same key to encrypt and to decrypt the data. Symmetric algorithms are what most people think of as codes: using a well-known algorithm and a secret key to encode information, which can be decoded using the same algorithm and the same key. The algorithm is not secret, the secrecy is inherent to guarding the key. A significant problem with symmetric ciphers is that it is difficult to transfer the keys themselves securely. Symmetric algorithms include password-based algorithms.

AES with key length of 256 bits is the preferred choice for symmetric encryption going forward. Please consider switching to it if you are using any other scheme or if using AES with a shorter key length. The rest of the symmetric algorithms will be deprecated in the future.

Asymmetric or "public key" cryptography uses a public/private key pair, and then publishes the public key. Only the holder of the private key will be able to decrypt. The public key and private key together are also called a "key pair". Data encrypted with one key can only be decrypted using the other key from the pair, and it is not possible to deduce one key from the other. This helps to solve the key distribution problem since it is possible to publicise one of the keys widely (the "public key") and keep the other a closely guarded secret (the "private key"). Many partners can then send data encrypted with the public key, but only the holder of the corresponding private key can decrypt it.

Key pairs for asymmetric ciphers can be generated with an arbitrary tool. One of the most popular options is the open source tool OpenSSL. OpenSSL has a command-line syntax and is available on major platforms.

The following steps are involved in creating an RSA key pair:

1. openssl genrsa -out rsaprivatekey.pem 2048

2. openssl rsa -in rsaprivatekey.pem -out publickey.pem -pubout

3. openssl pkcs8 -topk8 -in rsaprivatekey.pem -out privatekey.pem -nocrypt

1. Generates an RSA private key with keylength of 2048 bits. Store this key in a safe place.

2. Generates a public key from the private key. You use the public key to encrypt messages with Cipher.encrypt. OpenSSL saves the key PEM-encoded; this means the key is saved with a base64 encoding. After you removed the header and footer lines you can pass the content directly to the API method.

3. Generates a private key in PKCS#8 format. You use that key to decrypt messages with Cipher.decrypt. OpenSSL saves the key PEM-encoded; this means the key is saved with a base64 encoding. After you removed the header and footer lines you can pass the content directly to the API method.

Modes

The following modes of operation are block cipher operations that are used with some algorithms.

• "NONE" no mode
• "CBC" Cipher Block Chaining (defined in FIPS PUB 81)
• "CTR" Counter mode or Segmented Integer Counter mode (defined in FIPS PUB 81)
• "CTS" CipherText Streaming mode
• "CFB" Cipher Feedback Mode, can be referred to with key length referenced as "CFB8","CFB16","CFB24".."CFB64" (defined in FIPS PUB 81)
• "ECB" Electronic Cook book as defined in: The National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) PUB 81, "DES Modes of Operation," U.S. Department of Commerce, Dec 1980.
• "OFB" Output Feedback Mode, can be referred to with key length referenced as "OFB8","OFB16","OFB24".."OFB64" (defined in FIPS PUB 81)
• "PCBC" Propagating Cipher Block Chaining (defined in Kerberos V4)

Paddings

• "NoPadding": No padding.
• OAEPWith<digest>And<mgf>Padding:

  Optimal Asymmetric Encryption Padding scheme defined in PKCS#1, where <digest> should be replaced by the message digest and <mgf> by the mask generation function.

  Examples: OAEPWITHSHA-256ANDMGF1PADDING, OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING

• ISO10126PADDING: the ISO10126-2:1991 DEA padding scheme
• PKCS1Padding: Public Key Cryptography Standard #1, a standard for padding from RSA Laboratories that can encrypt messages up to 11 bytes smaller than the modulus size in bytes.
• PKCS5Padding: Public Key Cryptography Standard #1, a standard for padding from RSA Laboratories, "PKCS#5: Password-Based Encryption Standard," version 1.5, November 1993.
• SSL3Padding: The padding scheme defined in the SSL Protocol Version 3.0, November 18, 1996, section 5.2.3.2 (CBC block cipher)

Note: Only asymmetric (public/private key pair) algorithms can be used with this method, since only those keys can be added to a keystore.

For asymmetric algorithms a private/public key pair is required. Commerce Cloud Digital only allows you to add private keys in the format *.p12 and *.pfx. You can assign private keys an extra password in Business Manager. Public keys can only be imported as trusted certificates in the format *.crt, *.pem, *.der, and *.cer.

Key pairs for asymmetric ciphers can be generated with an arbitrary tool. One of the most popular options is the open source tool OpenSSL. OpenSSL has a command-line syntax and is available on major platforms.

The following steps are involved in creating an RSA key pair:

1. Generate a public and a non-protected private key ( *.crt and *.key ).< br/> openssl req -x509 -newkey rsa:2048 -keyout nopass.key -out nopass.crt -days 365 -nodes

2. Generate a keystore that contains the public and private keys ( *.p12 ). < br/> openssl pkcs12 -export -out nopass.p12 -inkey nopass.key -in nopass.crt

To import a private or public key into the Digital keystore, navigate to Administration > Operations > Private Keys and Certificates Use a .p12 file to import a private key and a *.crt to import a public key.

Typical usage:

 var plain : String = "some_plain_text";
 var publicKeyRef = new CertificateRef("rsa-certificate-2048");
 var cipher : Cipher = new Cipher();
 var encrypted : String = cipher.encrypt(plain, publicKeyRef, "RSA", null, 0);
 

Encryption is the process of converting normal data or plain text to something incomprehensible or cipher-text by applying transformations, which are the operation (or set of operations) to be performed on given input to produce some output. A transformation always includes the name of a cryptographic algorithm (for example, RSA) and may be followed by a mode and padding scheme. The supported algorithms are listed in the parameter description below.

The cryptographic algorithms can be partitioned into symmetric and asymmetric (or public key/private key).

Symmetric or "secret key" algorithms use the same key to encrypt and to decrypt the data. Symmetric algorithms are what most people think of as codes: using a well-known algorithm and a secret key to encode information, which can be decoded using the same algorithm and the same key. The algorithm is not secret, the secrecy is inherent to guarding the key. A significant problem with symmetric ciphers is that it is difficult to transfer the keys themselves securely. Symmetric algorithms include password-based algorithms.

AES with key length of 256 bits is the preferred choice for symmetric encryption going forward. Please consider switching to it if you are using any other scheme or if using AES with a shorter key length. The rest of the symmetric algorithms will be deprecated in the future.

Asymmetric or "public key" cryptography uses a public/private key pair, and then publishes the public key. Only the holder of the private key will be able to decrypt. The public key and private key together are also called a "key pair". Data encrypted with one key can only be decrypted using the other key from the pair, and it is not possible to deduce one key from the other. This helps to solve the key distribution problem since it is possible to publicise one of the keys widely (the "public key") and keep the other a closely guarded secret (the "private key"). Many partners can then send data encrypted with the public key, but only the holder of the corresponding private key can decrypt it.

Key pairs for asymmetric ciphers can be generated with an arbitrary tool. One of the most popular options is the open source tool OpenSSL. OpenSSL has a command-line syntax and is available on major platforms.

The following steps are involved in creating an RSA key pair:

1. openssl genrsa -out rsaprivatekey.pem 2048

2. openssl rsa -in rsaprivatekey.pem -out publickey.pem -pubout

3. openssl pkcs8 -topk8 -in rsaprivatekey.pem -out privatekey.pem -nocrypt

1. Generates an RSA private key with keylength of 2048 bits. Store this key in a safe place.

2. Generates a public key from the private key. You use the public key to encrypt messages with Cipher.encrypt. OpenSSL saves the key PEM-encoded; this means the key is saved with a base64 encoding. After you removed the header and footer lines you can pass the content directly to the API method.

3. Generates a private key in PKCS#8 format. You use that key to decrypt messages with Cipher.decrypt. OpenSSL saves the key PEM-encoded; this means the key is saved with a base64 encoding. After you removed the header and footer lines you can pass the content directly to the API method.

Modes

The following modes of operation are block cipher operations that are used with some algorithms.

• "NONE" no mode
• "CBC" Cipher Block Chaining (defined in FIPS PUB 81)
• "CTR" Counter mode or Segmented Integer Counter mode (defined in FIPS PUB 81)
• "CTS" CipherText Streaming mode
• "CFB" Cipher Feedback Mode, can be referred to with key length referenced as "CFB8","CFB16","CFB24".."CFB64" (defined in FIPS PUB 81)
• "ECB" Electronic Cook book as defined in: The National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) PUB 81, "DES Modes of Operation," U.S. Department of Commerce, Dec 1980.
• "OFB" Output Feedback Mode, can be referred to with key length referenced as "OFB8","OFB16","OFB24".."OFB64" (defined in FIPS PUB 81)
• "PCBC" Propagating Cipher Block Chaining (defined in Kerberos V4)

Paddings

• "NoPadding": No padding.
• OAEPWith<digest>And<mgf>Padding:

  Optimal Asymmetric Encryption Padding scheme defined in PKCS#1, where <digest> should be replaced by the message digest and <mgf> by the mask generation function.

  Examples: OAEPWITHSHA-256ANDMGF1PADDING, OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING

• ISO10126PADDING: the ISO10126-2:1991 DEA padding scheme
• PKCS1Padding: Public Key Cryptography Standard #1, a standard for padding from RSA Laboratories that can encrypt messages up to 11 bytes smaller than the modulus size in bytes.
• PKCS5Padding: Public Key Cryptography Standard #1, a standard for padding from RSA Laboratories, "PKCS#5: Password-Based Encryption Standard," version 1.5, November 1993.
• SSL3Padding: The padding scheme defined in the SSL Protocol Version 3.0, November 18, 1996, section 5.2.3.2 (CBC block cipher)

Note: Only asymmetric (public/private key pair) algorithms can be used with this method, since only those keys can be added to a keystore.

For asymmetric algorithms a private/public key pair is required. Commerce Cloud Digital only allows you to add private keys in the format *.p12 and *.pfx. You can assign private keys an extra password in Business Manager. Public keys can only be imported as trusted certificates in the format *.crt, *.pem, *.der, and *.cer.

Key pairs for asymmetric ciphers can be generated with an arbitrary tool. One of the most popular options is the open source tool OpenSSL. OpenSSL has a command-line syntax and is available on major platforms.

The following steps are involved in creating an RSA key pair:

1. Generate a public and a non-protected private key ( *.crt and *.key ).< br/> openssl req -x509 -newkey rsa:2048 -keyout nopass.key -out nopass.crt -days 365 -nodes

2. Generate a keystore that contains the public and private keys ( *.p12 ). < br/> openssl pkcs12 -export -out nopass.p12 -inkey nopass.key -in nopass.crt

To import a private or public key into the Digital keystore, navigate to Administration > Operations > Private Keys and Certificates Use a .p12 file to import a private key and a *.crt to import a public key.

Typical usage:

 var plain : String = "some_plain_text";
 var publicKeyRef = new CertificateRef("rsa-certificate-2048");
 var cipher : Cipher = new Cipher();
 var encrypted : String = cipher.encrypt(plain, publicKeyRef, "RSA", null, 0);
 

Typical usage:

 var message : String = "some_message";
 var charset : String = "UTF8"; // or "windows-1252", etc.

 // encrypt the message
 var messageBytes : Bytes = new Bytes(message, charset);
 var encryptedBytes : Bytes = Cipher.encryptBytes(messageBytes, key, transformation, salt, iterations);
 var encrypted : String = Encoding.toBase64(encryptedBytes);
 

Note: Only asymmetric (public/private key pair) algorithms can be used with this method, since only those keys can be added to a keystore.

Typical usage:

 var message : String = "some_message";
 var charset : String = "UTF8"; // or "windows-1252", etc.

 // encrypt the message
 var messageBytes : Bytes = new Bytes(message, charset);
 var encryptedBytes : Bytes = Cipher.encryptBytes(messageBytes, key, transformation, salt, iterations);
 var encrypted : String = Encoding.toBase64(encryptedBytes);
 

Note: Only asymmetric (public/private key pair) algorithms can be used with this method, since only those keys can be added to a keystore.