|
1 |
| -# Encryption functions |
| 1 | +# Encryption user-defined functions |
2 | 2 |
|
3 |
| -Percona Server for MySQL 8.0.28-20 adds encryption functions and variables to manage the encryption range. The functions may take an algorithm argument. Encryption converts plaintext into ciphertext using a key and an encryption algorithm. |
| 3 | +The encryption user-defined functions (UDF) let you encrypt and decrypt data. You can choose different encryption algorithms and manage the range of data to encrypt. |
| 4 | + |
| 5 | +## Version updates |
| 6 | + |
| 7 | +Percona Server for MySQL 8.0.40 adds the following: |
| 8 | + |
| 9 | +* Support for `PKCS1 OAEP` padding for RSA encrypt and decrypt operations |
| 10 | + |
| 11 | + <details> |
| 12 | + <summary> `PKCS1 OAEP` padding explanation</summary> |
| 13 | + PKCS1 OAEP (Optimal Asymmetric Encryption Padding) is a cryptographic technique used to add randomness to a message before encryption. This randomness helps to increase the security of the encrypted message. OAEP padding adds a layer of security by making it more difficult for attackers to exploit weaknesses in the encryption algorithm or to recover the original message. |
| 14 | + </details> |
| 15 | + |
| 16 | +* Support for `PKCS1 PSS` padding for RSA sign and verify operations |
| 17 | + |
| 18 | + <details> |
| 19 | + <summary> `PKCS1 PSS` padding explanation</summary> |
| 20 | + PKCS PSS (Probabilistic Signature Scheme) is a cryptographic algorithm used to add randomness to a message before signing it with a private key. This randomness helps to increase the security of the signature and make it more resistant to various attacks. |
| 21 | + </details> |
| 22 | + |
| 23 | +* [`encryption_udf.legacy_paddding_scheme`](#encryption_udflegacy_paddding_scheme) system variable |
| 24 | + |
| 25 | +* Character set awareness |
| 26 | + |
| 27 | +Percona Server for MySQL 8.0.28-20 adds encryption functions and variables to manage the encryption range. |
| 28 | + |
| 29 | +## Charset Awareness |
| 30 | + |
| 31 | +All component_encryption_udf functions now handle character sets intelligently: |
| 32 | + |
| 33 | +• Algorithms, digest names, padding schemes, keys, and parameters in PEM format: Automatically converted to the ASCII charset at the MySQL level before passing to the functions. |
| 34 | + |
| 35 | +• Messages, data blocks, and signatures used for digest calculation, encryption, decryption, signing, or verification: Automatically converted to the binary charset at the MySQL level before passing to the functions. |
| 36 | + |
| 37 | +• Function return values in PEM format: Assigned the ASCII charset. |
| 38 | + |
| 39 | +• Function return values for operations like digest calculation, encryption, decryption, and signing: Assigned the binary charset. |
| 40 | + |
| 41 | +## Use user-defined functions |
4 | 42 |
|
5 | 43 | You can also use the user-defined functions with the PEM format keys generated externally by the OpenSSL utility.
|
6 | 44 |
|
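Review bot: The new bullet linking to `encryption_udf.legacy_paddding_scheme` (three d's) conflicts with the body text of the variable section added later in this same commit, which writes `encryption_udf.legacy_padding_scheme` (two d's); pick the spelling that matches the server's real variable name and use it in the link text, the anchor and the heading, since readers copy these names into `SET GLOBAL` statements and a misspelt name simply fails. Two smaller points in this hunk: the PSS expander says "PKCS PSS (Probabilistic Signature Scheme)" where the summary line and the rest of the page say "PKCS1 PSS", and the "Charset Awareness" list uses "•" bullets while every other list on the page uses "*", which renders as plain text rather than a list in Markdown.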
@@ -64,7 +102,7 @@ A plaintext as a string.
|
64 | 102 |
|
65 | 103 | The following are the function’s parameters:
|
66 | 104 |
|
67 |
| -* algorithm - the encryption algorithm supports RSA to decrypt the string. |
| 105 | +* algorithm - the encryption algorithm supports RSA to decrypt the string. Percona Server for MySQL 8.0.40 added support for PKCS1 OAEP padding for RSA encrypt operations |
68 | 106 |
|
69 | 107 | * key_str - a string in the PEM format. The key string must have the following attributes:
|
70 | 108 |
|
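Review bot: The sentence added to the `algorithm` bullet says "RSA encrypt operations", but this hunk is the parameter list of the decrypt function (the surrounding context reads "to decrypt the string" and the return value is "A plaintext as a string"), so it should say decrypt operations, or "encrypt and decrypt operations" as the version-updates list does; the sentence is also missing its terminating period, unlike the equivalent sentences in the sign and verify hunks.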
@@ -116,7 +154,7 @@ A signature is a binary string.
|
116 | 154 |
|
117 | 155 | The parameters are the following:
|
118 | 156 |
|
119 |
| -* algorithm - the encryption algorithm supports either RSA or DSA to encrypt the string. |
| 157 | +* algorithm - the encryption algorithm supports either RSA or DSA to encrypt the string. Percona Server for MySQL 8.0.40 added support for PKCS1 PSS padding for RSA sign operations. |
120 | 158 |
|
121 | 159 | * digest_str - the digest binary string that is signed. Invoking create_digest generates the digest.
|
122 | 160 |
|
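Review bot: The `algorithm` bullet now mentions PKCS1 PSS padding for RSA sign operations, but the optional `padding` parameter itself (values `pkcs1` or `pkcs1_pss`, RSA only, default taken from the legacy padding variable, as described in the variable section added by this commit) is not listed in the parameter list of `asymmetric_sign`, and the same applies to the `asymmetric_verify`, `asymmetric_encrypt` and `asymmetric_decrypt` parameter lists; a reader working from the function reference alone will not learn that the argument exists. Suggest adding a `* padding - ...` bullet to each of the four functions.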
@@ -158,7 +196,7 @@ A `1` (success) or a `0` (failure).
|
158 | 196 |
|
159 | 197 | The parameters are the following:
|
160 | 198 |
|
161 |
| -* algorithm - supports either ‘RSA’ or ‘DSA’. |
| 199 | +* algorithm - supports either ‘RSA’ or ‘DSA’. Percona Server for MySQL 8.0.40 added support for PKCS1 PSS padding for RSA verify operations. |
162 | 200 |
|
163 | 201 | * digest_str - invoking create_digest generates this digest binary string.
|
164 | 202 |
|
@@ -308,6 +346,37 @@ The variable sets the threshold limits for create_asymmetric_priv_key user-defin
|
308 | 346 |
|
309 | 347 | The range for this variable is from 1,024 to 9,984. The default value is 9,984.
|
310 | 348 |
|
| 349 | +### encryption_udf.legacy_paddding_scheme |
| 350 | + |
| 351 | +The variable enables or disables the legacy padding scheme for certain encryption operations. |
| 352 | + |
| 353 | +| Option | Description | |
| 354 | +|--------------|------------------| |
| 355 | +| command-line | Yes | |
| 356 | +| scope | Global | |
| 357 | +| data type | Boolean | |
| 358 | +| default | OFF | |
| 359 | + |
| 360 | +This system variable is a BOOLEAN type and is set to `OFF` by default. |
| 361 | + |
| 362 | +This variable controls how the functions `asymmetric_encrypt()`, `asymmetric_decrypt()`, `asymmetric_sign()`, and `asymmetric_verify()` behave when you don’t explicitly set the padding parameter. |
| 363 | + |
| 364 | +• When encryption_udf.legacy_padding_scheme is OFF: |
| 365 | + |
| 366 | + • asymmetric_encrypt() and asymmetric_decrypt() use OAEP padding. |
| 367 | + |
| 368 | + • asymmetric_sign() and asymmetric_verify() use PKCS1_PSS padding. |
| 369 | + |
| 370 | +• When encryption_udf.legacy_padding_scheme is ON: |
| 371 | + |
| 372 | + • asymmetric_encrypt() and asymmetric_decrypt() use PKCS1 padding. |
| 373 | + |
| 374 | + • asymmetric_sign() and asymmetric_verify() use PKCS1 padding. |
| 375 | + |
| 376 | +The `asymmetric_encrypt()` and `asymmetric_decrypt()` functions accept an extra optional parameter, padding. You can set it to `no`, `pkcs1`, or `oaep`. If you don’t specify this parameter, it defaults based on the `encryption_udf.legacy_padding_scheme` value. Note that when using `OAEP` padding, the maximum message length you can encrypt is <key_size_in_bytes> - 42. The padding parameter is only valid with the RSA algorithm. |
| 377 | + |
| 378 | +Similarly, `asymmetric_sign()` and `asymmetric_verify()` also have an optional padding parameter, which can be either `pkcs1` or `pkcs1_pss`. If not explicitly set, it follows the default based on `encryption_udf.legacy_padding_scheme`. You can only use the padding parameter with RSA algorithms. |
| 379 | + |
311 | 380 | ### encryption_udf.rsa_bits_threshold
|
312 | 381 |
|
313 | 382 | The variable sets the threshold limits for the create_asymmetric_priv_key user-defined function when the function is invoked with the RSA parameter and takes precedence over the OpenSSL maximum length value.
|
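Review bot: The heading `### encryption_udf.legacy_paddding_scheme` is misspelt (three d's) while the two bullet lead-ins below it use `encryption_udf.legacy_padding_scheme`; make the heading match the real variable name, since the link in the version-updates list targets its anchor. Other points in this section: the sentence "This system variable is a BOOLEAN type and is set to `OFF` by default." repeats the table directly above it and can go; the nested "•" bullets should be "*" with Markdown indentation so they render as a list; the literal `<key_size_in_bytes> - 42` is an HTML-looking tag and may be dropped by the renderer, so wrap it in backticks; and the padding names should use the literal strings the functions accept (`oaep`, `pkcs1_pss`) rather than the mixed `OAEP` / `PKCS1_PSS` / `pkcs1_pss` forms. It would also help operators to state explicitly that flipping this variable changes the padding applied to calls that omit `padding`, so data encrypted or signed under one setting will not decrypt or verify under the other unless the padding is passed explicitly.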
|