version 6.7
GENERATE ENCRYPTION KEYPAIR (privKey; pubKey{; length})
Parameter | Type | Description
privKey | BLOB | BLOB to receive the private key
pubKey | BLOB | BLOB to receive the public key
length | Longint | Key length in bits [386...1024]; default value = 512
Description
The GENERATE ENCRYPTION KEYPAIR command generates a new pair of RSA keys. The security system offered in 4D is based on keys designed to encrypt/decrypt information. They can be used within the SSL protocol, with 4D Web server (encryption and secured communications) and in all databases (for data encryption).
Once the command has been executed, the BLOBs passed in privKey and pubKey parameters contain a new pair of encryption keys.
The optional length parameter sets the key size in bits. The larger the key, the harder it is to recover the private key by factoring the modulus, but larger keys also cost more CPU time for every operation, which is noticeable during an SSL handshake.
By default (if the length parameter is omitted), the generated key is 512 bits, which this version presents as a compromise between security and speed. Note that 512-bit RSA moduli have been factored publicly since 1999, so a 512-bit key offers no real protection against a determined attacker today. Changing keys regularly (for example every six months) limits how long any one key is exposed, but it does not compensate for a key that is too short.
You can generate 1024-bit keys for greater security, at the cost of slower Web application connections.
Notes:
If you generate keys in order to build an SSL certificate request, note that only 512-bit and 1024-bit key lengths are accepted.
Many browsers of this period will not accept keys longer than 512 bits. Additionally, the "Export" version of the encryption library provided by default by 4D, Inc. does not support key lengths greater than 512 bits. For more information, see the section Using SSL Protocol.
This command generates the keys as text in PKCS format, so their content can be copied and pasted into an e-mail unchanged. Once the pair has been generated, each key can be written to a text document (with the BLOB TO DOCUMENT command, for example) and stored in a safe place.
Warning: the private key must always be kept secret. Anyone who obtains it can decrypt data protected with the matching public key and impersonate the server that uses it.
About RSA, private key and public key
The RSA cipher used by GENERATE ENCRYPTION KEYPAIR is an asymmetric (public-key) system: each key pair consists of a private key and a public key. As its name indicates, the public key can be given to anyone; the private key stays with its owner. The two keys are mathematically matched, and information transformed with one key of the pair can only be recovered with the other. In practice this is used in both directions: data encrypted with a public key can be read only by the holder of the matching private key, and a value produced with a private key can be checked by anyone holding the public key, which is the basis of digital signatures.
The SSL protocol's encryption functions rely on this principle, the server's public key being included in the certificate sent to browsers (for more information, see the section Using SSL Protocol).
This encryption mode is also used by the first syntax of the ENCRYPT BLOB and DECRYPT BLOB commands. The public key may be published freely; only the private key must remain confidential.
It is also possible to combine the keys of two people: the sender transforms the information with their own private key and with the recipient's public key, so that only the recipient can decrypt it and only the sender could have produced it. This is the principle behind the second syntax of the ENCRYPT BLOB and DECRYPT BLOB commands.
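The following is an added example, not 4D code and not 4D's own implementation: a toy textbook RSA in plain Python that demonstrates both points made above, that a value transformed with one key of a pair is recovered with the other (in either direction), and that two people's keys can be combined so only the recipient can open a message that only the sender could have produced. It also makes the key-length argument concrete: for a deliberately tiny 32-bit modulus, trial division recovers the private key from the public one almost instantly. The moduli (32, 60 and 64 bits), the fixed seeds and the sample message are constructed for the demonstration; raw, unpadded RSA at these sizes must never be used for real data.

```python
"""Toy textbook RSA illustrating the key-pair properties described above.
Added example, NOT 4D code: raw (unpadded) RSA with tiny, seeded moduli,
purely to show the mechanics. Never use it to protect real data."""
import random
from math import gcd


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit set and odd
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits, seed=None):
    """Return ((n, d), (n, e)): the private key first, the public key second.
    `seed` only makes the demo reproducible; real keys need an unseeded CSPRNG."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits - bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1 and n.bit_length() == bits:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, d), (n, e)


def rsa_apply(key, value):
    """value ** exponent mod n. The same operation is encryption with one key of
    the pair and decryption with the other, whichever direction is used."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def seal(message, sender_priv, recipient_pub):
    """Two-person scheme: sender's private key (only the sender could produce it),
    then recipient's public key (only the recipient can open it). With raw RSA the
    sender's modulus must not exceed the recipient's so the intermediate fits;
    real protocols avoid this by signing a hash and encrypting a session key."""
    if sender_priv[0] > recipient_pub[0]:
        raise ValueError("sender modulus must not exceed recipient modulus")
    return rsa_apply(recipient_pub, rsa_apply(sender_priv, message))


def unseal(sealed, recipient_priv, sender_pub):
    """Reverse of seal(): recipient's private key, then sender's public key."""
    return rsa_apply(sender_pub, rsa_apply(recipient_priv, sealed))


def factor_modulus(n):
    """Trial division: instant for toy moduli, hopeless much beyond 40 bits.
    Real attacks on 512-bit keys use far better algorithms; the lesson that a
    longer key is harder to break is the same."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no factor found")


def recover_private_key(pub):
    """Once n is factored, the private exponent follows directly from e."""
    n, e = pub
    p, q = factor_modulus(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    priv, pub = generate_keypair(64, seed=1)
    m = 0x1234567890  # constructed sample message, smaller than every modulus used
    assert rsa_apply(priv, rsa_apply(pub, m)) == m  # encrypt with public, decrypt with private
    assert rsa_apply(pub, rsa_apply(priv, m)) == m  # and the other way round (signature-style)
    alice_priv, alice_pub = generate_keypair(60, seed=2)  # 60-bit n is below any 64-bit n
    bob_priv, bob_pub = generate_keypair(64, seed=3)
    assert unseal(seal(m, alice_priv, bob_pub), bob_priv, alice_pub) == m
    weak_priv, weak_pub = generate_keypair(32, seed=4)
    assert recover_private_key(weak_pub) == weak_priv  # short key: private key recovered from public
    print("all checks passed")
```

Run it as a script and it exercises every property; remove the `seed` arguments and `factor_modulus` becomes the only part that depends on key size, which is the whole point of the length parameter.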
Example
See the example for the ENCRYPT BLOB command.
See Also
DECRYPT BLOB, ENCRYPT BLOB, GENERATE CERTIFICATE REQUEST.