Try OpenEdge Now
skip to main content
Programming Interfaces
Data Management : Application Security : Using cryptography to secure data : Implementing symmetric cryptography in ABL : Using ABL encryption and decryption functions
 
Using ABL encryption and decryption functions
ABL provides two built-in functions, DECRYPT and ENCRYPT, to encrypt and decrypt data. Both functions rely on cryptographic parameters that you set using the SECURITY-POLICY system handle or using options for invoking each function.
These functions have the following syntax:

Syntax

ENCRYPT( data-to-encrypt [ , encrypt-key [ , iv-value [ , algorithm ]]] )
DECRYPT( data-to-decrypt [ , encrypt-key [ , iv-value [ , algorithm ]]] )
You can provide the data-to-encrypt as a CHARACTER, LONGCHAR, RAW, or MEMPTR variable, and the ENCRYPT function evaluates to a MEMPTR value containing the encrypted binary byte stream of the data. You can provide the data-to-decrypt as a MEMPTR or RAW variable containing an encrypted binary byte stream, and the DECRYPT function evaluates to a MEMPTR value containing the decrypted binary byte stream of the data. You can then convert the decrypted MEMPTR value to a CHARACTER or LONGCHAR in order to make the decrypted data human-readable. If you need to encrypt and decrypt more than one value, you can marshall these items to and unmarshall them from a MEMPTR using PUT-datatype statements and GET-datatype functions.
If you specify a parameter value for any of the function options, it overrides any setting of the corresponding SECURITY-POLICY handle attribute. In order to successful decrypt an encrypted value (resulting in a DECRYPT return value identical to the data-to-encrypt value that you input to ENCRYPT), you must invoke both functions using identical cryptographic parameters as shown in the following table, whether you supply them as function options or as attributes of your application cryptography policy.
Table 23. ENCRYPT/DECRYPT function parameters
Set this cryptographic parameter using...
This function option...
Or this SECURITY-POLICY handle attribute...
Symmetric key
encrypt-key
SYMMETRIC-ENCRYPTION-KEY
Initialization vector
iv-value
SYMMETRIC-ENCRYPTION-IV
Algorithm, mode, and key size
algorithm
SYMMETRIC-ENCRYPTION-ALGORITHM
For many applications, you do not need to specify an initialization vector and can use the default algorithm, mode, and key size ("AES_CBC_128"). Typically, you only need to set these values to satisfy specific application requirements.
You must handle all generation, storage, transportation, and provision of the symmetric key and all other values required to decrypt data that you have encrypted. This includes maintaining binary keys in the correct byte endian order for the platform or platforms where cryptographic operations occur.
For information on:
*The SECURITY-POLICY system handle, see Creating and maintaining a cryptography policy
*Key generation, see Generating encryption keys
*Managing and transporting keys and data, see Managing and transporting crypto data