MySQL Enterprise Encryption functions have these general characteristics:
For arguments of the wrong type or an incorrect number of arguments, each function returns an error.
If the arguments are not suitable to permit a function to perform the requested operation, it returns
NULL
or 0 as appropriate. This occurs, for example, if a function does not support a specified algorithm, a key length is too short or long, or a string expected to be a key string in PEM format is not a valid key. (OpenSSL imposes its own key-length limits, and server administrators can impose additional limits on maximum key length by setting environment variables. See Section 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.)The underlying SSL library takes care of randomness initialization.
Several of the functions take an encryption algorithm argument. The following table summarizes the supported algorithms by function.
Table 6.37 Supported Algorithms by Function
Function | Supported Algorithms |
---|---|
asymmetric_decrypt() |
RSA |
asymmetric_derive() |
DH |
asymmetric_encrypt() |
RSA |
asymmetric_sign() |
RSA, DSA |
asymmetric_verify() |
RSA, DSA |
create_asymmetric_priv_key() |
RSA, DSA, DH |
create_asymmetric_pub_key() |
RSA, DSA, DH |
create_dh_parameters() |
DH |
Although you can create keys using any of the RSA, DSA, or DH
encryption algorithms, other functions that take key arguments
might accept only certain types of keys. For example,
asymmetric_encrypt()
and
asymmetric_decrypt()
accept only
RSA keys.
The following descriptions describe the calling sequences for MySQL Enterprise Encryption functions. For additional examples and discussion, see Section 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.
asymmetric_decrypt(
algorithm
,crypt_str
,key_str
)Decrypts an encrypted string using the given algorithm and key string, and returns the resulting plaintext as a binary string. If decryption fails, the result is
NULL
.key_str
must be a valid key string in PEM format. For successful decryption, it must be the public or private key string corresponding to the private or public key string used withasymmetric_encrypt()
to produce the encrypted string.algorithm
indicates the encryption algorithm used to create the key.Supported
algorithm
values:'RSA'
For a usage example, see the description of
asymmetric_encrypt()
.asymmetric_derive(
pub_key_str
,priv_key_str
)Derives a symmetric key using the private key of one party and the public key of another, and returns the resulting key as a binary string. If key derivation fails, the result is
NULL
.pub_key_str
andpriv_key_str
must be valid key strings in PEM format. They must be created using the DH algorithm.Suppose that you have two pairs of public and private keys:
SET @dhp = create_dh_parameters(1024); SET @priv1 = create_asymmetric_priv_key('DH', @dhp); SET @pub1 = create_asymmetric_pub_key('DH', @priv1); SET @priv2 = create_asymmetric_priv_key('DH', @dhp); SET @pub2 = create_asymmetric_pub_key('DH', @priv2);
Suppose further that you use the private key from one pair and the public key from the other pair to create a symmetric key string. Then this symmetric key identity relationship holds:
asymmetric_derive(@pub1, @priv2) = asymmetric_derive(@pub2, @priv1)
asymmetric_encrypt(
algorithm
,str
,key_str
)Encrypts a string using the given algorithm and key string, and returns the resulting ciphertext as a binary string. If encryption fails, the result is
NULL
.The
str
length cannot be greater than thekey_str
length − 11, in byteskey_str
must be a valid key string in PEM format.algorithm
indicates the encryption algorithm used to create the key.Supported
algorithm
values:'RSA'
To encrypt a string, pass a private or public key string to
asymmetric_encrypt()
. To recover the original unencrypted string, pass the encrypted string toasymmetric_decrypt()
, along with the public or private key string correponding to the private or public key string used for encryption.-- Generate private/public key pair SET @priv = create_asymmetric_priv_key('RSA', 1024); SET @pub = create_asymmetric_pub_key('RSA', @priv); -- Encrypt using private key, decrypt using public key SET @ciphertext = asymmetric_encrypt('RSA', 'The quick brown fox', @priv); SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @pub); -- Encrypt using public key, decrypt using private key SET @ciphertext = asymmetric_encrypt('RSA', 'The quick brown fox', @pub); SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @priv);
Suppose that:
SET @s = a string to be encrypted SET @priv = a valid private RSA key string in PEM format SET @pub = the corresponding public RSA key string in PEM format
Then these identity relationships hold:
asymmetric_decrypt('RSA', asymmetric_encrypt('RSA', @s, @priv), @pub) = @s asymmetric_decrypt('RSA', asymmetric_encrypt('RSA', @s, @pub), @priv) = @s
asymmetric_sign(
algorithm
,digest_str
,priv_key_str
,digest_type
)Signs a digest string using a private key string, and returns the signature as a binary string. If signing fails, the result is
NULL
.digest_str
is the digest string. It can be generated by callingcreate_digest()
.digest_type
indicates the digest algorithm used to generate the digest string.priv_key_str
is the private key string to use for signing the digest string. It must be a valid key string in PEM format.algorithm
indicates the encryption algorithm used to create the key.Supported
algorithm
values:'RSA'
,'DSA'
Supported
digest_type
values:'SHA224'
,'SHA256'
,'SHA384'
,'SHA512'
For a usage example, see the description of
asymmetric_verify()
.asymmetric_verify(
algorithm
,digest_str
,sig_str
,pub_key_str
,digest_type
)Verifies whether the signature string matches the digest string, and returns 1 or 0 to indicate whether verification succeeded or failed.
digest_str
is the digest string. It can be generated by callingcreate_digest()
.digest_type
indicates the digest algorithm used to generate the digest string.sig_str
is the signature string. It can be generated by callingasymmetric_sign()
.pub_key_str
is the public key string of the signer. It corresponds to the private key passed toasymmetric_sign()
to generate the signature string and must be a valid key string in PEM format.algorithm
indicates the encryption algorithm used to create the key.Supported
algorithm
values:'RSA'
,'DSA'
Supported
digest_type
values:'SHA224'
,'SHA256'
,'SHA384'
,'SHA512'
-- Set the encryption algorithm and digest type SET @algo = 'RSA'; SET @dig_type = 'SHA224'; -- Create private/public key pair SET @priv = create_asymmetric_priv_key(@algo, 1024); SET @pub = create_asymmetric_pub_key(@algo, @priv); -- Generate digest from string SET @dig = create_digest(@dig_type, 'The quick brown fox'); -- Generate signature for digest and verify signature against digest SET @sig = asymmetric_sign(@algo, @dig, @priv, @dig_type); SET @verf = asymmetric_verify(@algo, @dig, @sig, @pub, @dig_type);
create_asymmetric_priv_key(
algorithm
, {key_len
|dh_secret
})Creates a private key using the given algorithm and key length or DH secret, and returns the key as a binary string in PEM format. If key generation fails, the result is
NULL
.Supported
algorithm
values:'RSA'
,'DSA'
,'DH'
Supported
key_len
values: The minimum key length in bits is 1,024. The maximum key length depends on the algorithm: 16,384 for RSA and 10,000 for DSA. These key-length limits are constraints imposed by OpenSSL. Server administrators can impose additional limits on maximum key length by setting environment variables. See Section 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.For DH keys, pass a shared DH secret instead of a key length. To create the secret, pass the key length to
create_dh_parameters()
.This example creates a 2,048-bit DSA private key, then derives a public key from the private key:
SET @priv = create_asymmetric_priv_key('DSA', 2048); SET @pub = create_asymmetric_pub_key('DSA', @priv);
For an example showing DH key generation, see the description of
asymmetric_derive()
.Some general considerations in choosing key lengths and encryption algorithms:
The strength of encryption for private and public keys increases with the key size, but the time for key generation increases as well.
Generation of DH keys takes much longer than RSA or RSA keys.
Asymmetric encryption functions are slower than symmetric functions. If performance is an important factor and the functions are to be used very frequently, you are better off using symmetric encryption. For example, consider using
AES_ENCRYPT()
andAES_DECRYPT()
.
create_asymmetric_pub_key(
algorithm
,priv_key_str
)Derives a public key from the given private key using the given algorithm, and returns the key as a binary string in PEM format. If key derivation fails, the result is
NULL
.priv_key_str
must be a valid key string in PEM format.algorithm
indicates the encryption algorithm used to create the key.Supported
algorithm
values:'RSA'
,'DSA'
,'DH'
For a usage example, see the description of
create_asymmetric_priv_key()
.Creates a shared secret for generating a DH private/public key pair and returns a binary string that can be passed to
create_asymmetric_priv_key()
. If secret generation fails, the result is null.Supported
key_len
values: The minimum and maximum key lengths in bits are 1,024 and 10,000. These key-length limits are constraints imposed by OpenSSL. Server administrators can impose additional limits on maximum key length by setting environment variables. See Section 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.For an example showing how to use the return value for generating symmetric keys, see the description of
asymmetric_derive()
.SET @dhp = create_dh_parameters(1024);
create_digest(
digest_type
,str
)Creates a digest from the given string using the given digest type, and returns the digest as a binary string. If digest generation fails, the result is
NULL
.Supported
digest_type
values:'SHA224'
,'SHA256'
,'SHA384'
,'SHA512'
SET @dig = create_digest('SHA512', The quick brown fox');
The resulting digest string is suitable for use with
asymmetric_sign()
andasymmetric_verify()
.