Documentation Home
MySQL 5.7 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 35.0Mb
PDF (A4) - 35.1Mb
Man Pages (TGZ) - 255.4Kb
Man Pages (Zip) - 360.2Kb
Info (Gzip) - 3.4Mb
Info (Zip) - 3.4Mb
Excerpts from this Manual

MySQL 5.7 Reference Manual  /  ...  /  MySQL Enterprise Encryption Function Descriptions

6.6.4 MySQL Enterprise Encryption Function Descriptions

MySQL Enterprise Encryption functions have these general characteristics:

  • For arguments of the wrong type or an incorrect number of arguments, each function returns an error.

  • If the arguments are not suitable to permit a function to perform the requested operation, it returns NULL or 0 as appropriate. This occurs, for example, if a function does not support a specified algorithm, a key length is too short or long, or a string expected to be a key string in PEM format is not a valid key. (OpenSSL imposes its own key-length limits, and server administrators can impose additional limits on maximum key length by setting environment variables. See Section 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.)

  • The underlying SSL library takes care of randomness initialization.

Several of the functions take an encryption algorithm argument. The following table summarizes the supported algorithms by function.

Table 6.37 Supported Algorithms by Function


Note

Although you can create keys using any of the RSA, DSA, or DH encryption algorithms, other functions that take key arguments might accept only certain types of keys. For example, asymmetric_encrypt() and asymmetric_decrypt() accept only RSA keys.

The following descriptions describe the calling sequences for MySQL Enterprise Encryption functions. For additional examples and discussion, see Section 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.

  • asymmetric_decrypt(algorithm, crypt_str, key_str)

    Decrypts an encrypted string using the given algorithm and key string, and returns the resulting plaintext as a binary string. If decryption fails, the result is NULL.

    key_str must be a valid key string in PEM format. For successful decryption, it must be the public or private key string corresponding to the private or public key string used with asymmetric_encrypt() to produce the encrypted string. algorithm indicates the encryption algorithm used to create the key.

    Supported algorithm values: 'RSA'

    For a usage example, see the description of asymmetric_encrypt().

  • asymmetric_derive(pub_key_str, priv_key_str)

    Derives a symmetric key using the private key of one party and the public key of another, and returns the resulting key as a binary string. If key derivation fails, the result is NULL.

    pub_key_str and priv_key_str must be valid key strings in PEM format. They must be created using the DH algorithm.

    Suppose that you have two pairs of public and private keys:

    SET @dhp = create_dh_parameters(1024);
    SET @priv1 = create_asymmetric_priv_key('DH', @dhp);
    SET @pub1 = create_asymmetric_pub_key('DH', @priv1);
    SET @priv2 = create_asymmetric_priv_key('DH', @dhp);
    SET @pub2 = create_asymmetric_pub_key('DH', @priv2);

    Suppose further that you use the private key from one pair and the public key from the other pair to create a symmetric key string. Then this symmetric key identity relationship holds:

    asymmetric_derive(@pub1, @priv2) = asymmetric_derive(@pub2, @priv1)
  • asymmetric_encrypt(algorithm, str, key_str)

    Encrypts a string using the given algorithm and key string, and returns the resulting ciphertext as a binary string. If encryption fails, the result is NULL.

    The str length cannot be greater than the key_str length − 11, in bytes

    key_str must be a valid key string in PEM format. algorithm indicates the encryption algorithm used to create the key.

    Supported algorithm values: 'RSA'

    To encrypt a string, pass a private or public key string to asymmetric_encrypt(). To recover the original unencrypted string, pass the encrypted string to asymmetric_decrypt(), along with the public or private key string correponding to the private or public key string used for encryption.

    -- Generate private/public key pair
    SET @priv = create_asymmetric_priv_key('RSA', 1024);
    SET @pub = create_asymmetric_pub_key('RSA', @priv);
    
    -- Encrypt using private key, decrypt using public key
    SET @ciphertext = asymmetric_encrypt('RSA', 'The quick brown fox', @priv);
    SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @pub);
    
    -- Encrypt using public key, decrypt using private key
    SET @ciphertext = asymmetric_encrypt('RSA', 'The quick brown fox', @pub);
    SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @priv);

    Suppose that:

    SET @s = a string to be encrypted
    SET @priv = a valid private RSA key string in PEM format
    SET @pub = the corresponding public RSA key string in PEM format

    Then these identity relationships hold:

    asymmetric_decrypt('RSA', asymmetric_encrypt('RSA', @s, @priv), @pub) = @s
    asymmetric_decrypt('RSA', asymmetric_encrypt('RSA', @s, @pub), @priv) = @s
  • asymmetric_sign(algorithm, digest_str, priv_key_str, digest_type)

    Signs a digest string using a private key string, and returns the signature as a binary string. If signing fails, the result is NULL.

    digest_str is the digest string. It can be generated by calling create_digest(). digest_type indicates the digest algorithm used to generate the digest string.

    priv_key_str is the private key string to use for signing the digest string. It must be a valid key string in PEM format. algorithm indicates the encryption algorithm used to create the key.

    Supported algorithm values: 'RSA', 'DSA'

    Supported digest_type values: 'SHA224', 'SHA256', 'SHA384', 'SHA512'

    For a usage example, see the description of asymmetric_verify().

  • asymmetric_verify(algorithm, digest_str, sig_str, pub_key_str, digest_type)

    Verifies whether the signature string matches the digest string, and returns 1 or 0 to indicate whether verification succeeded or failed.

    digest_str is the digest string. It can be generated by calling create_digest(). digest_type indicates the digest algorithm used to generate the digest string.

    sig_str is the signature string. It can be generated by calling asymmetric_sign().

    pub_key_str is the public key string of the signer. It corresponds to the private key passed to asymmetric_sign() to generate the signature string and must be a valid key string in PEM format. algorithm indicates the encryption algorithm used to create the key.

    Supported algorithm values: 'RSA', 'DSA'

    Supported digest_type values: 'SHA224', 'SHA256', 'SHA384', 'SHA512'

    -- Set the encryption algorithm and digest type
    SET @algo = 'RSA';
    SET @dig_type = 'SHA224';
    
    -- Create private/public key pair
    SET @priv = create_asymmetric_priv_key(@algo, 1024);
    SET @pub = create_asymmetric_pub_key(@algo, @priv);
    
    -- Generate digest from string
    SET @dig = create_digest(@dig_type, 'The quick brown fox');
    
    -- Generate signature for digest and verify signature against digest
    SET @sig = asymmetric_sign(@algo, @dig, @priv, @dig_type);
    SET @verf = asymmetric_verify(@algo, @dig, @sig, @pub, @dig_type);
  • create_asymmetric_priv_key(algorithm, {key_len|dh_secret})

    Creates a private key using the given algorithm and key length or DH secret, and returns the key as a binary string in PEM format. If key generation fails, the result is NULL.

    Supported algorithm values: 'RSA', 'DSA', 'DH'

    Supported key_len values: The minimum key length in bits is 1,024. The maximum key length depends on the algorithm: 16,384 for RSA and 10,000 for DSA. These key-length limits are constraints imposed by OpenSSL. Server administrators can impose additional limits on maximum key length by setting environment variables. See Section 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.

    For DH keys, pass a shared DH secret instead of a key length. To create the secret, pass the key length to create_dh_parameters().

    This example creates a 2,048-bit DSA private key, then derives a public key from the private key:

    SET @priv = create_asymmetric_priv_key('DSA', 2048);
    SET @pub = create_asymmetric_pub_key('DSA', @priv);

    For an example showing DH key generation, see the description of asymmetric_derive().

    Some general considerations in choosing key lengths and encryption algorithms:

    • The strength of encryption for private and public keys increases with the key size, but the time for key generation increases as well.

    • Generation of DH keys takes much longer than RSA or RSA keys.

    • Asymmetric encryption functions are slower than symmetric functions. If performance is an important factor and the functions are to be used very frequently, you are better off using symmetric encryption. For example, consider using AES_ENCRYPT() and AES_DECRYPT().

  • create_asymmetric_pub_key(algorithm, priv_key_str)

    Derives a public key from the given private key using the given algorithm, and returns the key as a binary string in PEM format. If key derivation fails, the result is NULL.

    priv_key_str must be a valid key string in PEM format. algorithm indicates the encryption algorithm used to create the key.

    Supported algorithm values: 'RSA', 'DSA', 'DH'

    For a usage example, see the description of create_asymmetric_priv_key().

  • create_dh_parameters(key_len)

    Creates a shared secret for generating a DH private/public key pair and returns a binary string that can be passed to create_asymmetric_priv_key(). If secret generation fails, the result is null.

    Supported key_len values: The minimum and maximum key lengths in bits are 1,024 and 10,000. These key-length limits are constraints imposed by OpenSSL. Server administrators can impose additional limits on maximum key length by setting environment variables. See Section 6.6.2, “MySQL Enterprise Encryption Usage and Examples”.

    For an example showing how to use the return value for generating symmetric keys, see the description of asymmetric_derive().

    SET @dhp = create_dh_parameters(1024);
  • create_digest(digest_type, str)

    Creates a digest from the given string using the given digest type, and returns the digest as a binary string. If digest generation fails, the result is NULL.

    Supported digest_type values: 'SHA224', 'SHA256', 'SHA384', 'SHA512'

    SET @dig = create_digest('SHA512', The quick brown fox');

    The resulting digest string is suitable for use with asymmetric_sign() and asymmetric_verify().