3

I have an integration with another system which I should use the AES Algorithm.The Encryption is made in SF side - and sent in the header of an HTTP request. This made to recognize SF in internal services which won't whitelist 1M IPs. They use ECB Algorithm but I understood that SF does not support this method.

I have two methods that I can use to encrypt:

  1. with initialization vector (IV):
    Blob cryptoKey = Blob.valueOf('1234567891234567');
    String binaryString = EncodingUtil.base64Encode(cryptoKey);
    System.debug(EncodingUtil.base64Encode(cryptoKey));
    Blob data = Blob.valueOf('some Text to encrypt');
    Blob MY_IV = Blob.valueOf('0987654321098765'); 
    Blob encrypted = Crypto.encrypt('AES128', cryptoKey,MY_IV, data);
  1. with managed IV:
    Blob cryptoKey = Blob.valueOf('1234567891234567');
    Blob data = Blob.valueOf('some Text to encryped');
    Blob encrypted = Crypto.encryptWithManagedIV('AES128', cryptoKey, data);

My questions are:

  1. If I am using the second method with the managed IV, I get the plaintext with kind of gibberish at the beginning of the text when decrypted. Why it happens and how can I solve it?

  2. is there another algorithm that can serve my needs instead of AES?

  3. Is there any link or example of how can I make my own encryption?

  4. Is there any workaround to make the ECB in apex?

many thanks.

identigral
  • 7,543
  • 29
  • 32
  • 42
Salvation
  • 1,177
  • 3
  • 24
  • 60

2 Answers2

2

  1. See Encrypting and/or decrypting ciphertext with the provided Initialization Vector (IV)

  2. You didn't describe your needs very well. You said

this made to recognize SF in internal services which won't whitelist 1M IPs

If your goal is to have the target system verify the caller, then implement oAuth JWT Bearer flow on the target side. SF supports manufacturing of JWT for this flow via Named Credential out of the box - see Named Credentials - What is the difference between JWT & JWT Token Exchange for details

3+4: The Crypto class only supports AES with CBC mode. Rolling your own encryption in Apex is pretty much a dead end. A workaround for AES/ECB is to encrypt on the client side in Javascript, you can connect that to your Apex class. Other encryption algorithms may be available in JS and they'll certainly be available if you create a service that acts as a middleware/proxy (running somewhere outside of Salesforce)

Glorfindel
  • 405
  • 1
  • 7
  • 12
identigral
  • 7,543
  • 29
  • 32
  • 42
  • Hi! Thanks for your answer! Is there a way to get the IV if I'm using the encryptWithManagedIV method? The other System waits to something like that : XCSqgFHnTKiO6BJy4pgHQ==uAaVpnuwSkVaXNcs2AZtUT== Where the left side including the "==" is the autoIv with base64 format and the right side is the encrypted Text. many thanks! – Salvation Sep 05 '19 at 15:44
  • 1
    If you use encryptWithManagedIV on SF side, the other system will need to extract the IV from ciphertext by removing the first 16 bytes after base64 decoding the string into its binary represenation. The linked example in bullet 1 above shows how this can be done in Salesforce. – identigral Sep 05 '19 at 16:00
  • Excellent! Thank you for your help – Salvation Sep 08 '19 at 08:28
  • HI @identigral - sorry for back to this post again. I just wanted to know if the same manipulation of the bytes as you did to get the IV (the first 16 bytes) - How it can be done when you using encryption with not a random IV but with your IV that was determined in advance (Instead using encryptWithManagedIV --- I will useing just encrypt and send the IV param also) I want to know it because I should send the next format: "IV == CipherText". When I tried to do so with the same way - It didn't work. many Thanks – Salvation Sep 18 '19 at 07:13
  • 1
    With your own IV (Crypto.encrypt(...) method) - since ciphertext no longer contains the IV, you don't need to manipulate the ciphertext. The other party will decrypt it with your IV (that you'll send them) and the key. – identigral Sep 18 '19 at 14:41
  • Thanks for your time! Very appreciated!!! – Salvation Sep 19 '19 at 07:36
0

I have the same issue (AES 128 cypher mode ECB) to decrypt and encrypt data for an API but because I show the data on screen, I used CryptoJS on LWC and It works perfect!.

Leandro Petri
  • 1
  • 1