Encryption functions¶
Percona Server for MySQL 8.0.28-20 adds encryption functions and variables to manage the encryption range. The functions may take an algorithm argument. Encryption converts plaintext into ciphertext using a key and an encryption algorithm.
You can also use the user-defined functions with the PEM format keys generated externally by the OpenSSL utility.
A digest uses plaintext and generates a hash value. This hash value can verify if the plaintext is unmodified. You can also sign or verify on digests to ensure that the original plaintext was not modified. You cannot decrypt the original text from the hash value.
When choosing key lengths, consider the following:
Encryption strength increases with the key size and, also, the key generation time.
If performance is important and the functions are frequently used, use symmetric encryption. Symmetric encryption functions are faster than asymmetric encryption functions. Moreover, asymmetric encryption has restrictions on the maximum length of a message being encrypted. For example, for RSA the algorithm maximum message size is the key length in bytes (key length in bits / 8) minus 11.
The following table and sections describe the functions. For examples, see function-examples.
The following table describes the Encryption threshold variables which can be used to set the maximum value for a key length based on the type of encryption.
Variable Name |
|---|
Install component_encryption_udf¶
Use the Install Component Statement to add the component_encryption_udf component. The functions and variables are available. The user-defined functions and the Encryption threshold variables are auto-registered. There is no requirement to invoke CREATE FUNCTION ... SONAME ....
The INSERT privilege on the mysql.component system table is required to run the INSTALL COMPONENT statement. To register the component, the operation adds a row to this table.
The following is an example of the installation command:
mysql> INSTALL COMPONENT 'file://component_encryption_udf';
Note
If you are Compiling Percona Server for MySQL from Source, the Encryption UDF component is built by default when Percona Server for MySQL is built. Specify the -DWITH_ENCRYPTION_UDF=OFF cmake option to exclude it.
User-Defined Functions Described¶
asymmetric_decrypt(algorithm, crypt_str, key_str)¶
Decrypts an encrypted string using the algorithm and a key string.
Returns
A plaintext as a string.
Parameters
The following are the function’s parameters:
algorithm - the encryption algorithm supports RSA to decrypt the string.
key_str - a string in the PEM format. The key string must have the following attributes:
Valid
Public or private key string that corresponds with the private or public key string used with the asymmetric_encrypt function.
asymmetric_derive(pub_key_str, priv_key_str)¶
Derives a symmetric key using a public key generated on one side and a private key generated on another.
Returns
A key as a binary string.
Parameters
The pub_key_str must be a public key in the PEM format and generated using the Diffie-Hellman (DH) algorithm.
The priv_key_str must be a private key in the PEM format and generated using the Diffie-Hellman (DH) algorithm.
asymmetric_encrypt(algorithm, str, key_str)¶
Encrypts a string using the algorithm and a key string.
Returns
A ciphertext as a binary string.
Parameters
The parameters are the following:
algorithm - the encryption algorithm supports RSA to encrypt the string.
str - measured in bytes. The length of the string must not be greater than the key_str modulus length in bytes - 11 (additional bytes used for PKCS1 padding)
key_str - a key (either private or public) in the PEM format
asymmetric_sign(algorithm, digest_str, priv_key_str, digest_type)¶
Signs a digest string using a private key string.
Returns
A signature is a binary string.
Parameters
The parameters are the following:
algorithm - the encryption algorithm supports either RSA or DSA to encrypt the string.
digest_str - the digest binary string that is signed. Invoking create_digest generates the digest.
priv_key_str - the private key used to sign the digest string. The key must be in the PEM format.
digest_type - the supported values are listed in the digest type table of create_digest.
asymmetric_verify(algorithm, digest_str, sig_str, pub_key_str, digest_type)¶
Verifies whether the signature string matches the digest string.
Returns
A 1 (success) or a 0 (failure).
Parameters
The parameters are the following:
algorithm - supports either ‘RSA’ or ‘DSA’.
digest_str - invoking create_digest generates this digest binary string.
sig_str - the signature binary string. Invoking asymmetric_sign generates this string.
pub_key_str - the signer’s public key string. This string must correspond to the private key passed to asymmetric_sign to generate the signature string. The string must be in the PEM format.
digest_type - the supported values are listed in the digest type table of create_digest
create_asymmetric_priv_key(algorithm, (key_len | dh_parameters))¶
Generates a private key using the given algorithm and key length for RSA or DSA
or Diffie-Hellman parameters for DH. For RSA or DSA, if needed, execute KILL
[QUERY|CONNECTION] <id> to terminate a long-lasting key generation. The
DH key generation from existing parameters is a quick operation. Therefore, it
does not make sense to terminate that operation with KILL.
Returns
The key as a string in the PEM format.
Parameters
The parameters are the following:
algorithm - the supported values are ‘RSA’, ‘DSA’, or ‘DH’.
key_len - the supported key length values are the following:
RSA - the minimum length is 1,024. The maximum length is 16,384.
DSA - the minimum length is 1,024. The maximum length is 9,984.
Note
The key length limits are defined by OpenSSL. To change the maximum key length, use either encryption_udf.rsa_bits_threshold or encryption_udf.dsa_bits_threshold.
dh_parameters - Diffie-Hellman (DH) parameters. Invoking create_dh_parameter creates the DH parameters.
create_asymmetric_pub_key(algorithm, priv_key_str)¶
Derives a public key from the given private key using the given algorithm.
Returns
The key as a string in the PEM format.
Parameters
The parameters are the following:
algorithm - the supported values are ‘RSA’, ‘DSA’, or ‘DH’.
priv_key_str - must be a valid key string in the PEM format.
create_dh_parameters(key_len)¶
Creates parameters for generating a Diffie-Hellman (DH) private/public key pair.
If needed, execute KILL [QUERY|CONNECTION] <id> to terminate the generation of long-lasting parameters.
Generating the DH parameters can take more time than generating the RSA keys or the DSA keys. OpenSSL defines the parameter length limits. To change the maximum parameter length, use encryption_udf.dh_bits_threshold.
Returns
A string in the PEM format and can be passed to create_asymmetric_private_key.
Parameters
The parameters are the following:
key_len - the range for the key length is from 1024 to 10,000. The default value is 10,000.
create_digest(digest_type, str)¶
Creates a digest from the given string using the given digest type. The digest string can be used with asymmetric_sign and asymmetric_verify.
Returns
The digest of the given string as a binary string
Parameters
The parameters are the following:
digest_type - the supported values are the following (based on the OpenSSL version):
Value Name for OpenSSL 1.0.2
Value Name for OpenSSL 1.1.x addition
‘MD5’
‘BLAKE2B512’
‘SHA1’
‘BLAKE2S256’
‘SHA224’
‘RIPEMD’
‘SHA256’
‘RMD160’
‘SHA384’
‘SHAKE128’
‘SHA512’
‘SHAKE256’
‘MD4’
‘SM3’
‘RIPEMD160’
‘WHIRLPOOL’
str - String used to generate the digest string.
Encryption threshold variables
The maximum key length limits are defined by OpenSSL. Server administrators can limit the maximum key length using the encryption threshold variables.
The variables are automatically registered when component_encryption_udf is installed.
Variable Name |
|---|
encryption_udf.dh_bits_threshold
The variable sets the maximum limit for the create_dh_parameters user-defined function and takes precedence over the OpenSSL maximum length value.
Option |
Description |
|---|---|
command-line |
Yes |
scope |
Global |
data type |
unsigned integer |
default |
10000 |
The range for this variable is from 1024 to 10,000. The default value is 10,000.
encryption_udf.dsa_bits_threshold
The variable sets the threshold limits for create_asymmetric_priv_key user-defined function when the function is invoked with the DSA parameter and takes precedence over the OpenSSL maximum length value.
Option |
Description |
|---|---|
command-line |
Yes |
scope |
Global |
data type |
unsigned integer |
default |
9984 |
The range for this variable is from 1,024 to 9,984. The default value is 9,984.
encryption_udf.rsa_bits_threshold
The variable sets the threshold limits for the create_asymmetric_priv_key user-defined function when the function is invoked with the RSA parameter and takes precedence over the OpenSSL maximum length value.
Option |
Description |
|---|---|
command-line |
Yes |
scope |
Global |
data type |
unsigned integer |
default |
16384 |
The range for this variable is from 1,024 to 16,384. The default value is 16,384.
Examples
Code examples for the following operations:
set the threshold variables
create a private key
create a public key
encrypt data
decrypt data
-- Set Global variable
mysql> SET GLOBAL encryption_udf.dh_bits_threshold = 4096;
-- Set Global variable
mysql> SET GLOBAL encryption_udf.rsa_bits_threshold = 4096;
-- Create private key
mysql> SET @private_key = create_asymmetric_priv_key('RSA', 3072);
-- Create public key
mysql> SET @public_key = create_asymmetric_pub_key('RSA', @private_key);
-- Encrypt data using the private key (you can also use the public key)
mysql> SET @ciphertext = asymmetric_encrypt('RSA', 'This text is secret', @private_key);
-- Decrypt data using the public key (you can also use the private key)
-- The decrypted value @plaintext should be identical to the original 'This text is secret'
mysql> SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @public_key);
Code examples for the following operations:
generate a digest string
generate a digest signature
verify the signature against the digest
-- Generate a digest string
mysql> SET @digest = create_digest('SHA256', 'This is the text for digest');
-- Generate a digest signature
mysql> SET @signature = asymmetric_sign('RSA', @digest, @private_key, 'SHA256');
-- Verify the signature against the digest
-- The @verify_signature must be equal to 1
mysql> SET @verify_signature = asymmetric_verify('RSA', @digest, @signature, @public_key, 'SHA256');
Code examples for the following operations:
generate a DH parameter
generates two DH key pairs
generate a symmetric key using the public_1 and the private_2
generate a symmetric key using the public_2 and the private_1
-- Generate a DH parameter
mysql> SET @dh_parameter = create_dh_parameters(3072);
-- Generate DH key pairs
mysql> SET @private_1 = create_asymmetric_priv_key('DH', @dh_parameter);
mysql> SET @public_1 = create_asymmetric_pub_key('DH', @private_1);
mysql> SET @private_2 = create_asymmetric_priv_key('DH', @dh_parameter);
mysql> SET @public_2 = create_asymmetric_pub_key('DH', @private_2);
-- Generate a symmetric key using the public_1 and private_2
-- The @symmetric_1 must be identical to @symmetric_2
mysql> SET symmetric_1 = asymmetric_derive(@public_1, @private_2);
-- Generate a symmetric key using the public_2 and private_1
-- The @symmetric_2 must be identical to @symmetric_1
mysql> SET symmetric_2 = asymmetric_derive(@public_2, @private_1);
Code examples for the following operations:
create a private key using a
SETstatementcreate a private key using a
SELECTstatementcreate a private key using an
INSERTstatement
mysql> SET @private_key1 = create_asymmetric_priv_key('RSA', 3072);
mysql> SELECT create_asymmetric_priv_key('RSA', 3072) INTO @private_key2;
mysql> INSERT INTO key_table VALUES(create_asymmetric_priv_key('RSA', 3072));
Uninstall component_encryption_udf¶
You can deactivate and uninstall the component using the Uninstall Component statement.
mysql> UNINSTALL COMPONENT 'file://component_encryption_udf';