
- This documentation is valid for:
- GeneXus 18 Help
- GeneXus 17 Help
- GeneXus 16 Help

Symmetric cryptography is also known as __Secret Key Cryptography__.

The main characteristic of symmetric cryptography is that it uses the same __shared__ key to encrypt and decrypt messages.

The key must be shared over another secure channel.

It is used for:

- Transmission of a message over an insecure channel
- Secure storage on insecure media
- Authentication
- Integrity checks

Symmetric encryption algorithms are classified as block ciphers or stream ciphers, depending on how they take their input.

*"A block cipher is a deterministic algorithm operating on fixed-length groups of bits, called a block, with an unvarying transformation that is specified by a symmetric key. (...) are a means of effectively improving security by combining simple operations such as substitutions and permutations. Iterated product ciphers carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key."* (Source)

Block ciphers need an Initialization Vector (IV), which is combined with the first block to initialize the encryption. A block cipher should always be used together with a secure mode of operation and a padding scheme.

The block cipher algorithm itself only describes how to process a single block; the mode of operation describes how to apply the block cipher to a sequence of blocks in order to encrypt an arbitrary amount of input data. There are several modes of operation, each with its own advantages and disadvantages, and some of them are no longer considered secure.

The padding scheme defines data that is added somewhere in the message to mask any predictability the original message may contain, thereby adding complexity to the encryption. More complex padding schemes are usually more secure.

*A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as state cipher. In practice, a digit is typically a *

Stream ciphers are computationally cheaper and faster than block ciphers, but they are usually not as secure.

Status of symmetric algorithms and key lengths, according to the NIST transition guidance listed below:

| Algorithm | Status |
|---|---|
| Two-key TDEA Encryption | Disallowed |
| Two-key TDEA Decryption | Legacy use |
| Three-key TDEA Encryption | Deprecated through 2023; Disallowed after 2023 |
| Three-key TDEA Decryption | Legacy use |
| SKIPJACK Encryption | Disallowed |
| SKIPJACK Decryption | Legacy use |
| AES-128 Encryption and Decryption | Acceptable |
| AES-192 Encryption and Decryption | Acceptable |
| AES-256 Encryption and Decryption | Acceptable |

__Acceptable__: the algorithm and key length specified in a FIPS or SP are safe to use; no security risk is currently known when they are used in accordance with any associated guidance.

__Deprecated__: the algorithm and key length may be used, but the user must accept some security risk.

__Disallowed__: the algorithm or key length is no longer allowed for applying cryptographic protection.

- Testing for weak encryption (OWASP)
- OWASP's Cryptographic Storage Cheat Sheet
- NIST Transitioning the Use of Cryptographic Algorithms and Key Lengths