IBM PureData System for Analytics, Version 7.1

The encrypt() and decrypt() functions

The encrypt() and decrypt() functions encrypt or decrypt the input varchar or nvarchar by using the supplied key.

Encryption is the process of transforming data to maintain its secrecy; the data can be read (unencrypted) only if the recipient has the required key. The IBM® Netezza® implementation uses symmetric encryption, also known as private or secret key encryption, because the same secret key is used to encrypt and to decrypt data. This means that this secret key must be made available on any server that is decrypting previously encrypted data. You can choose which symmetric encryption algorithm the function uses to encrypt/decrypt the data, either Advanced Encryption Standard (AES) or RC4.

Private key encryption is more secure than public key encryption because all public key encryption schemes are susceptible to brute force key search attacks. But private key encryption depends on maintaining the secrecy of the key, so periodically change the private key and take steps to ensure that it cannot be discovered in use, in storage, or in distribution (see the description of the key argument later in the topic for Netezza-specific security recommendations).

Note: This is field level encryption, not database encryption.

Description

The encrypt() function has the following syntax:
varchar = encrypt(varchar text, varchar key [, int algorithm 
          [, varchar IV]]);
nvarchar = encrypt(nvarchar text, nvarchar key [, int algorithm 
          [, varchar IV]]);
The decrypt() function has the following syntax:
varchar = decrypt(varchar text, varchar key [, int algorithm 
          [, varchar IV]]);
nvarchar = decrypt(nvarchar text, nvarchar key [, int algorithm
          [, varchar IV]]);

The text value specifies the value to be encrypted/decrypted.

The key value specifies the key to use to encrypt/decrypt the value. Care must be taken to secure the key or else the security is compromised. Keep in mind the architecture of the Netezza system when designing your security system:
  • SQL functions are logged in the pg.log file on the Netezza host so executing encrypt(secret_column, 'my_secret_key') reveals your key to anyone who can read the pg.log file.
  • ODBC/JDBC conversations are easily captured with any number of diagnostic/hacking tools. If your key is transmitted as part of the SQL, it can be compromised during this process.
For these reasons, store the secret key in a table and pass the key into the encrypt/decrypt functions through a table join. For example:
SELECT decrypt(a.value, b.key) FROM my_table a, my_keys b WHERE 
b.key_id = 1;
The algorithm value can be either RC4 or one of the versions of AES, as shown in the following list:
0
RC4 (default if no algorithm given)
1
AES 128
2
AES 192
3
AES 256

RC4, although the most widely used encryption algorithm (used for example by SSL and WEP), is not cryptographically secure and is vulnerable to attacks.

The Advanced Encryption Standard (AES) is the encryption standard adopted by the United States government and is required for all classified information. The three versions of AES differ only in the design and strength of the key lengths. While all three key lengths are sufficient to protect classified information up to the SECRET level, TOP SECRET information requires the use of 192 or 256 key lengths.

The IV value specifies the initialization vector used to encrypt or decrypt the value. You can specify the IV only when using the AES algorithms. (The RC4 algorithm does not use the IV value.) If you do not specify IV, the encrypt() and decrypt() functions use a constant IV value.

Encryption with OFB mode requires the IV and key to be 128 bits. As a best practice, specify 128-bit values for key and IV (if used) so that the system uses your input values. If a value is less than or greater than 128 bits, the system uses an expansion or derivation mechanism to adjust the value as follows:

Note: If you embed or call an encrypt function within an encrypt function, the result is a cleartext string. For example:
select encrypt(encrypt('abcde', 'k1', 1), 'k1', 1);
  encrypt
 ---------
  abcde
 (1 row)

Returns

The function returns an encrypted/decrypted value. The SQL Extensions Toolkit uses the output feedback (OFB) mode of AES for encryption and decryption, which makes a block cipher into a synchronous stream cipher. As a stream cipher, there is no padding requirement for OFB and the length of the output ciphertext is the same as the input plaintext. For example:
select encrypt('123456',100,0);
 ENCRYPT
---------
 ÉôC¥Ñ
(1 row)

 select encrypt('Netezza Systems','NPS001534',1,'MY_IV is IBM001');
     ENCRYPT
-----------------
 �Ná•▒7Þ¢bhñæ
(1 row)

Key and IV Generation

You can use the hash() and rawtohex() functions to generate keys and IVs. The hash() function returns a 128-bit, 160-bit, or 256-bit hash of the input data, depending on the algorithm input for the function. The following example shows how to create a 256-bit key for AES encryption. In the example, the MYKEY output is intentionally truncated using "..." characters to display within the page boundary. 

create table impData (cname varchar(35),cid varchar(20));
CREATE TABLE

insert into impData values('Netezza Systems','CNZ0001SYS');
INSERT 0 1

create table securedImpData as select cid, rawtohex(hash(cid,2))
 as mykey, encrypt(cname, rawtohex(hash(cid,2)),2) as ENCRYPTED_CNAME from impData;
INSERT 0 1

select * from securedImpData;
    CID     |                    MYKEY                        | ENCRYPTED_CNAME
------------+-------------------------------------------------+-----------------
 CNZ0001SYS | 8D812C9E8DB362FCB20E...6A00B564175B92762B1A3520 | Ã4W§
      wÂÃð
ŸÃ
(1 row)

create table decryptedData as select CID, decrypt(ENCRYPTED_CNAME,
MYKEY,2) as DECRYPTED_CNAME from securedImpData;
INSERT 0 1

select * from decryptedData;
    CID     | DECRYPTED_CNAME
------------+-----------------
 CNZ0001SYS | Netezza Systems
(1 row)
Parent topic: Data transformation functions

Feedback | Copyright IBM Corporation 2014 | Last updated: 2014-02-28