AES Encryption

This adapter encrypts and decrypts input data using the AES encryption algorithm.

AES Encryption

The publicly available encryption algorithm Advanced Encryption Standard (AES) is one of the most popular and secure encryption methods.

It is based on a series of byte substitutions, permutations and linear transformations that are performed on 16-byte data block – therefore the term block encryption. These operations are repeated several times, and in each of these iterations an individual iteration key calculated from the actual key is used in the calculations. If only a single bit in the key or in the data block is changed, a completely different cipher block is created – an advantage over classical encryption methods.

The designations AES-128, AES-192 and AES-256 specify the key length: 128, 192 and 256 bits. Until now, no practical attack is known for any of the AES variants. AES is therefore the preferred encryption standard.

You can find additional information on AES encryption under https://www.comparitech.com/blog/information-security/what-is-aes-encryption/.

Properties

Parameters

Adapter	Adapter main class (do not change!) Possible values:  de.softproject.integration.adapter.aes.AesEncryption: main class (default)
password	Required for operation GenerateSharedKey. Password to create the shared key.
salt	Required for operation GenerateSharedKey. Salt to create the shared key (Base64 encoded). In cryptography, salt refers to a randomly selected character string that is appended to a given plaintext before further processing (e.g. input to a hash function) to increase the entropy of the input. It is often used for storing and transmitting passwords in order to increase information security.
keyAlgorithm	Required for operation GenerateSharedKey. Algorithm to create the shared key.  Possible values: DESede: Generates secret keys for use with the DESede (Triple DES) algorithm. PBEWith<digest>And<encryption> respectively PBEWith<prf>And<encryption>: Secret key factory for use with PKCS5 password-based encryption, where <digest> represents a message digest, <prf> a pseudo-random function and <encryption> an encryption algorithm, e.g. PBEWithMD5AndDES (PKCS #5, version 1.5),  PBEWithHmacSHA256AndAES_128 (see PKCS #5, Version 2.0). PBKDF2With<prf>: Password-based key derivation algorithm (see PKCS #5, Version 2.0) using the pseudo-random function (<prf>), e.g. PBKDF2WithHmacSHA256
keyLength	Required for operation GenerateSharedKey. Key length to generate the shared key.  Possible values: 128 196 256
keyIteration	Required for operation GenerateSharedKey. Iterations to be used in order to create the shared key.
cipherAlgorithm	Algorithm to encrypt and decrypt the input data. Possible values: AES/CBC/PKCS5PADDING AES/CBC/NOPADDING AES/ECB/PKCS5PADDING AES/ECB/NOPADDING Additional information: CBC Mode and ECB Mode Cipher Block Chaining Mode (CBC Mode) is a mode in which block ciphers can be operated. Before encrypting a plaintext block, it is first linked to the ciphertext block created in the previous step by XOR (exclusive OR). The structure of encryption and decryption in CBC mode is shown in the following figures:     Electronic Code Book Mode (ECB Mode) is the simplest operating mode for block ciphers, since each plaintext block is encrypted separately. Thus, using the same key, the same plaintext blocks always result in the same ciphertext block. This is also the big disadvantage of this method, because plaintext patterns are preserved. The following figures show the structure of the ECB for encryption and decryption:
sharedKey	Shared key to encrypt and decrypt input data (Base64 encoded).
initializationVector	Initialization vector to encrypt and decrypt the input data; Works only in CBC mode. When encrypting messages, it is important to avoid that the same plaintext blocks always result in the same ciphertext blocks. Example: A formal letter usually begins with "Dear Mrs./Mr." followed by the name. Knowing this, an attacker could try to draw conclusions about the key used. To avoid this, the first plaintext block is linked to an initialization vector by XOR. Since the initialization vector was generated randomly, the resulting ciphertexts differ even if the plaintexts begin with identical data.
prependInitializationVector	Determines whether the initialization vector should be used as prefix for the encrypted data. The initialization vector can be transferred to the encrypted data in plaintext without any problems, since attackers cannot obtain any information from it without the key. The initialization vector is only intended to dilute the beginning of the message before the message is encrypted.  If the initialization vector is not transmitted, it must be obtained by other means, since it is necessary for decryption. Possible values:  true /  false specification
encoding	Required for operation  Decrypt. Specifies the encoding of the decrypted data.
mimeType	Required for operation  Decrypt. Specifies the Mime type of the decrypted data.

Status values

Input

The adapter expects different input documents depending on the selected operation.

• For operationEncrypt the adapter expects any input document, e.g. XML, text or binary files. 
  
  

  Sample input for operation Encrypt

  XML

  This is a top secret message and should be AES encrypted!

• For operation Decrypt the adapter expects AES-encrypted data (Base64). 
  
  

  Sample input for operation Decrypt

  XML

  dpi4dqEK7yiRcyz1HdLs9yxqNLIg6u8fqGR0JxADiCdHb/6PGDqSxzID6VcuecxUP44x7bkHTggDpn8DO/bgKg==

Output

The adapter outputs different result documents depending on the selected operation.

• For operation Encrypt the adapter returns the encrypted input data (Base64 encoded). 
  
  

  Sample output for operation Encrypt

  XML

  dpi4dqEK7yiRcyz1HdLs9yxqNLIg6u8fqGR0JxADiCdHb/6PGDqSxzID6VcuecxUP44x7bkHTggDpn8DO/bgKg==

• For operation Decrypt the adapter decrypts the encrypted input data. 
  
  

  Sample output for operation Decrypt

  XML

  This is a top secret message and should be AES encrypted!

• For operation GenerateSharedKey the adapter returns the shared key with the key parameters defined in the adapter. 
  
  

  Sample output for operation GenerateSharedKey

  XML

  SfQYr8UlXmBIeHbZE28XkquKZHFX0qfsSTGBl+4WQDM=

• For operationGenerateInitializationVector the adapter returns a random initialization vector depending on the cipher algorithm. 

  Sample output for operation GenerateInitializationVector

  CODE

  JXAxGJ343MMjwLFi78z8xw==

Sample Scenario:

A typical scenario is the exchange of encrypted data between two systems. One way to achieve this is to use a secret password to encrypt and decrypt the data, which is known to both systems. A key is generated from the password using the GenerateSharedKey algorithm. The key prepares the password cryptographically and ensures a stronger encryption depending on the selected algorithm. The stronger the key, the more difficult for third parties to decrypt the encrypted data.

As an alternative to the password, also the key can be provided to both systems. This approach is less secure since the additional information about the password with which the key was generated is not known.

Using the key and the cipher algorithm the data is made unrecognizable for third parties and can only be made recognizable again using the same key. 

The encrypted data can now be transferred to the second system, either via a network or hardware (USB stick). Thus, no third party can use the data.

The second system also generates the key with exactly the same parameters as the first system. Together with the same cipher algorithm, the data is decrypted and can be sed.