Skip to main content
Version: Next

ENCRYPT BLOB

ENCRYPT BLOB ( toEncrypt ; sendPrivKey {; recipPubKey} )

ParameterTypeDescription
toEncryptBlobData to encrypt
Encrypted data
sendPrivKeyBlobSender’s private key
recipPubKeyBlobRecipient’s public key

Description

The ENCRYPT BLOB command encrypts the content of the toEncrypt BLOB with the sender’s private key sendPrivKey, as well as optionally the recipient’s public key recipPubKey. These keys should be generated by the command GENERATE ENCRYPTION KEYPAIR (within the “Secured Protocol” theme).

Note: This command uses the TLS protocol algorithm and encryption features. To be able to use this command, make sure that the components necessary to the TLS protocol are installed properly on your machine — even if you do not want to use TLS for 4D connections to servers. For detailed information on this protocol, please refer to developer.4d.com.

  • If one key is used for the encryption (the sender’s private key), only people in possession of the public key will be able to read the information. This system guarantees that the sender himself has encrypted the information.
  • The simultaneous use of the sender’s private key and recipient’s public key guarantees that only one recipient will be able to read the information.

The BLOB containing the keys has a PKCS internal format. This standard cross platform format allows exchanging or handling keys simply by copy-pasting in an Email or a text file.

Once the command has been run, the toEncrypt BLOB contains the encrypted data that will be decrypted only with the DECRYPT BLOB command, with the sender’s public key passed as parameter.
Moreover, if the optional recipient’s public key has been used to encrypt the information, the recipient’s private key will also be necessary for decrypting.

Encryption principle with public and private keys for message exchange between two people, “Alice” and “Bob”:

Note: The cipher contains a checksum functionality in order to avoid any BLOB content modification (deliberately or not). Consequently, an encrypted BLOB should not be modified otherwise it might not be decrypted.

Optimizing Encryption Commands

Data encryption slows down the execution of your applications, especially if a pair of keys is used. However, you can consider the following optimization tips:

  • Depending on the current available memory, the command will execute in “synchronous” or “asynchronous” mode.
    The asynchronous mode is faster, since it does not freeze the other processes. This mode is automatically used if the available memory is at least twice the size of the data to encrypt.
    Otherwise, for security reasons, the synchronous mode is used. This mode is slower since it freezes the other processes.
  • Regarding large BLOBs, you can encrypt only a small “strategic” part of the BLOB in order to reduce the size of data to be processed as well as the processing time.

Example

  • Using a single key A company wants to keep the data stored in a 4D database private. It has to regularly send these information to its subsidiaries through files, via the Internet.
  1. The company generates a pair of keys with the command GENERATE ENCRYPTION KEYPAIR:
  //Method GENERATE_KEYS_TXT
 var $BPublicKey;$BPrivateKey : Blob
 GENERATE ENCRYPTION KEYPAIR($BPrivateKey;$BPublicKey)
 BLOB TO DOCUMENT("PublicKey.txt";$BPublicKey)
 BLOB TO DOCUMENT("PrivateKey.txt";$BPrivateKey)
  1. The company keeps the private key and sends a copy of the document containing the public key to each subsidiary. For maximum security, the key should be copied on a storage device handed over to the subsidiaries.

  2. Then the company copies the private information (stored in the text field, for example) in BLOBs which will be encrypted with the private key:

  //Method ENCRYPT_INFO
 var $vbEncrypted;$vbPrivateKey : Blob
 var $vtEncrypted : Text
 
 $vtEncrypted:=[Private]Info
 VARIABLE TO BLOB($vtEncrypted;$vbEncrypted)
 DOCUMENT TO BLOB("PrivateKey.txt";$vbPrivateKey)
 If(OK=1)
    ENCRYPT BLOB($vbEncrypted;$vbPrivateKey)
    BLOB TO DOCUMENT("Update.txt";$vbEncrypted)
 End if
  1. The update files can be sent to the subsidiaries (though a non-secured channel such as the Internet). If a third person gets hold of the encrypted file, he will not be able to decrypt it without the public key.

  2. Each subsidiary can decrypt the document with the public key:

  //Method DECRYPT_INFO
 var $vbEncrypted;$vbPublicKey : Blob
 var $vtDecrytped : Text
 var $vtDocRef : Time
 
 ALERT("Please select an encrypted document.")
 $vtDocRef:=Open document("") //Select Update.txt
 If(OK=1)
    CLOSE DOCUMENT($vtDocRef)
    DOCUMENT TO BLOB(Document;$vbEncrypted)
    DOCUMENT TO BLOB("PublicKey.txt";$vbPublicKey)
    If(OK=1)
       DECRYPT BLOB($vbEncrypted;$vbPublicKey)
       BLOB TO VARIABLE($vbEncrypted;$vtDecrypted)
       CREATE RECORD([Private])
       [Private]Info:=$vtDecrypted
       SAVE RECORD([Private])
    End if
 End if
  • Using keypairs

A company wants to use the Internet to exchange information. Each subsidiary receives private information and also sends information to the corporate office. Consequently there are two requirements:
- The recipient only should be able to read the message,
- The recipient must have proof that the message was sent by the sender himself.

  1. The corporate office and each subsidiary generate their own key pairs (with the GENERATE_KEYS_TXT method).

  2. The private key is kept secret by both sides. Each subsidiary sends its public key to the corporate office who, in its turn, sends its public key too. This key transfer does not need to be done through a secured channel as the public key is not enough to decrypt the message.

  3. To encrypt the information to send, the subsidiary or the corporate house executes the ENCRYPT_INFO_2 method which uses the sender’s private key and the recipient’s public key to encrypt the information:

  //Method ENCRYPT_INFO_2
 var $vbEncrypted;$vbPrivateKey;$vbPublicKey : Blob
 var $vtEncrypt : Text
 var $vtDocRef : Time
 
 $vtEncrypt:=[Private]Info
 VARIABLE TO BLOB($vtEncrypt;$vbEncrypted)
  // Your own private key is loaded...
 DOCUMENT TO BLOB("PrivateKey.txt";$vbPrivateKey)
 If(OK=1)
  // ...and the recipient’s public key
    ALERT("Please select the recipient’s public key.")
    $vhDocRef:=Open document("") //Public key to load
    If(OK=1)
       CLOSE DOCUMENT($vtDocRef)
       DOCUMENT TO BLOB(Document;$vbPublicKey)
  //BLOB encryption with the two keys as parameters
       ENCRYPT BLOB($vbEncrypted;$vbPrivateKey;$vbPublicKey)
       BLOB TO DOCUMENT("Update.txt";$vbEncrypted)
    End if
 End if
  1. The encrypted file can then be sent to the recipient via the Internet. If a third person gets hold of it, he or she will not be able to decrypt the message, even if he or she has the public keys as the recipient’s private key will also be required.

  2. Each recipient can decrypt the document by using his/her own private key and the sender’s public key:

  //Method DECRYPT_INFO_2
 var $vbEncrypted;$vbPublicKey;$vbPrivateKey : Blob
 var $vtDecrypted : Text
 var $vhDocRef : Time
 
 ALERT("Please select the encrypted document.")
 $vhDocRef:=Open document("") //Select the Update.txt file
 If(OK=1)
    CLOSE DOCUMENT($vhDocRef)
    DOCUMENT TO BLOB(Document;$vbEncrypted)
  //Your own private key is loaded
    DOCUMENT TO BLOB("PrivateKey.txt";$vbPrivateKey)
    If(OK=1)
  // ...and the sender’s public key
       ALERT("Please select the sender’s public key.")
       $vhDocRef:=Open document("") //Public key to load
       If(OK=1)
          CLOSE DOCUMENT($vhDocRef)
          DOCUMENT TO BLOB(Document;$vbPublicKey)
  //Decrypting the BLOB with two keys as parameters
          DECRYPT BLOB($vbEncrypted;$vbPublicKey;$vbPrivateKey)
          BLOB TO VARIABLE($vbEncrypted;$vtDecrypted)
          CREATE RECORD([Private])
          [Private]Info:=$vtDecrypted
          SAVE RECORD([Private])
       End if
    End if
 End if

See also

CryptoKey class
DECRYPT BLOB
Encrypt data BLOB
GENERATE ENCRYPTION KEYPAIR