ENCRYPT()

Encrypts data using a symmetric cipher

Result type

VARBINARY or BLOB

Syntax
ENCRYPT ( input
  USING <algorithm> [MODE <mode>]
  KEY key
  [IV iv] [<ctr_type>] [CTR_LENGTH ctr_length]
  [COUNTER initial_counter] )

<algorithm> ::= <block_cipher> | <stream_cipher>

<block_cipher> ::=
    AES | ANUBIS | BLOWFISH | KHAZAD | RC5
  | RC6 | SAFER+ | TWOFISH | XTEA

<stream_cipher> ::= CHACHA20 | RC4 | SOBER128

<mode> ::= CBC | CFB | CTR | ECB | OFB

<ctr_type> ::= CTR_BIG_ENDIAN | CTR_LITTLE_ENDIAN

Table 1. ENCRYPT Function Parameters

| Parameter | Description |
|---|---|
| input | Input to encrypt as a blob or (binary) string |
| algorithm | The algorithm to use for encryption |
| mode | The algorithm mode; only for block ciphers |
| key | The encryption/decryption key |
| iv | Initialization vector or nonce; should be specified for block ciphers in all modes except ECB, and all stream ciphers except RC4 |
| ctr_type | Endianness of the counter; only for CTR mode. Default is CTR_LITTLE_ENDIAN. |
| ctr_length | Counter length; only for CTR mode. Default is size of iv. |
| initial_counter | Initial counter value; only for CHACHA20. Default is 0. |

Note
  • This function returns BLOB SUB_TYPE BINARY when the first argument is a BLOB, and VARBINARY for all other text and binary types.

  • Sizes of data strings (like key and iv) must meet the requirements of the selected algorithm and mode; see Table 2, Encryption Algorithm Requirements.

    • In general, the size of iv must match the block size of the algorithm.

    • For ECB and CBC mode, input must be a multiple of the block size; you will need to manually pad with zeroes or spaces as appropriate.

  • The ins and outs of the various algorithms and modes are considered beyond the scope of this language reference. We recommend searching the internet for further details on the algorithms.

  • Although specified as separate options in this Language Reference, in the actual syntax CTR_LENGTH and COUNTER are aliases.

Table 2. Encryption Algorithm Requirements

Block Ciphers

| Algorithm | Key size (bytes) | Block size (bytes) | Notes |
|---|---|---|---|
| AES | 16, 24, 32 | 16 | Key size determines the AES variant: 16 bytes → AES-128, 24 bytes → AES-192, 32 bytes → AES-256 |
| ANUBIS | 16 - 40, in steps of 4 (4x) | 16 | |
| BLOWFISH | 8 - 56 | 8 | |
| KHAZAD | 16 | 8 | |
| RC5 | 8 - 128 | 8 | |
| RC6 | 8 - 128 | 16 | |
| SAFER+ | 16, 24, 32 | 16 | |
| TWOFISH | 16, 24, 32 | 16 | |
| XTEA | 16 | 8 | |

Stream Ciphers

| Algorithm | Key size (bytes) | Block size (bytes) | Notes |
|---|---|---|---|
| CHACHA20 | 16, 32 | 1 | Nonce size (IV) is 8 or 12 bytes. For nonce size 8, initial_counter is a 64-bit integer, for size 12, 32-bit. |
| RC4 | 5 - 256 | 1 | |
| SOBER128 | 4x | 1 | Nonce size (IV) is 4y bytes, the length is independent of key size. |

ENCRYPT Examples

select encrypt('897897' using sober128 key 'AbcdAbcdAbcdAbcd' iv '01234567')
  from rdb$database;
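
The following is an added example, not part of the Firebird reference. It applies the padding note and the Table 2 sizes to AES: the message is padded to the block size, encrypted in ECB and in CBC mode, and the first two ciphertext blocks are compared, because ECB encrypts equal plaintext blocks to equal ciphertext blocks. It assumes Firebird 4.0 or later, SQL dialect 3 and isql; the key, IV, message and variable names are constructed for illustration, and DECRYPT and HEX_ENCODE-style helpers other than those used below are not covered on this page.

```sql
-- Added example: key, IV and message are constructed sample values.
-- A real key belongs in a secret store, and every message encrypted under
-- the same key needs its own IV.
set term ^ ;

execute block
returns (padded_octets integer,
         ecb_repeats   boolean,
         cbc_repeats   boolean,
         round_trip    varchar(48))
as
  declare blk     integer = 16;                          -- AES block size (Table 2)
  declare enc_key varbinary(16) = 'AbcdAbcdAbcdAbcd';    -- 16 bytes selects AES-128
  declare enc_iv  varbinary(16) = '0123456789abcdef';    -- one block long
  -- 35 bytes; the first two 16-byte blocks are identical on purpose
  declare msg     varbinary(48) = 'ACCOUNT=00000001ACCOUNT=00000001;ok';
  declare padded  varbinary(48);
  declare ecb_ct  varbinary(48);
  declare cbc_ct  varbinary(48);
begin
  -- Pad on octets, not characters: ENCRYPT works on bytes.
  -- Integer division (dialect 3) rounds up to the next block boundary.
  padded_octets = ((octet_length(msg) + blk - 1) / blk) * blk;
  padded = rpad(msg, padded_octets, x'20');              -- pad with spaces

  ecb_ct = encrypt(padded using aes mode ecb key enc_key);            -- ECB takes no IV
  cbc_ct = encrypt(padded using aes mode cbc key enc_key iv enc_iv);

  -- Does ciphertext block 1 equal ciphertext block 2?
  ecb_repeats = (substring(ecb_ct from 1 for blk) = substring(ecb_ct from blk + 1 for blk));
  cbc_repeats = (substring(cbc_ct from 1 for blk) = substring(cbc_ct from blk + 1 for blk));

  -- Decrypt with the same algorithm, mode, key and IV, then strip the padding.
  -- Space padding cannot be told apart from a message that ends in spaces.
  round_trip = trim(trailing from cast(
      decrypt(cbc_ct using aes mode cbc key enc_key iv enc_iv) as varchar(48)));
  suspend;
end^

set term ; ^
```

The repeated block in the ECB output is why a chained mode with an IV is the usual choice for structured data such as account numbers.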

RSA_DECRYPT()

Decrypts data using an RSA private key and removes OAEP or PKCS 1.5 padding

Result type

VARBINARY

Syntax
RSA_DECRYPT (encrypted_input KEY private_key
  [LPARAM tag_string] [HASH <hash>] [PKCS_1_5])

<hash> ::= MD5 | SHA1 | SHA256 | SHA512

Table 1. RSA_DECRYPT Function Parameters

| Parameter | Description |
|---|---|
| encrypted_input | Input data to decrypt |
| private_key | Private key to apply, PKCS#1 format |
| tag_string | An additional system-specific tag to identify which system encrypted the message; default is NULL. If the tag does not match what was used during encryption, RSA_DECRYPT will not decrypt the data. |
| hash | The hash used for OAEP padding; default is SHA256. |

RSA_DECRYPT decrypts encrypted_input using the RSA private key and then removes padding from the resulting data.

By default, OAEP padding is used. The PKCS_1_5 option will switch to the less secure PKCS 1.5 padding.

Warning

The PKCS_1_5 option is only for backward compatibility with systems applying PKCS 1.5 padding. For security reasons, it should not be used in new projects.

Note
  • This function returns VARBINARY.

  • When the encrypted data was text, it must be explicitly cast to a string type of appropriate character set.

RSA_DECRYPT Examples

Tip

Run the examples of the RSA_PRIVATE and RSA_PUBLIC, RSA_ENCRYPT functions first.

select cast(rsa_decrypt(rdb$get_context('USER_SESSION', 'msg')
  key rdb$get_context('USER_SESSION', 'private_key')) as varchar(128))
from rdb$database;