3DES support

Article

Yuri Marx · Mar 30, 2022 9m read

Open Exchange

#Security #InterSystems Ideas Portal #InterSystems IRIS

There are several ways of classifying cryptographic algorithms: 1) Secret Key Cryptography (SKC) - Uses a single key for both encryption and decryption. It is also called symmetric encryption. Primarily, it was used for privacy and confidentiality; 2) Public Key Cryptography (PKC) - Uses one key for encryption and another one for decryption. It is also called asymmetric encryption. Initially, it was utilised for authentication, non-repudiation, and key exchange; 3) Hash Functions - Uses a mathematical transformation to irreversibly "encrypt" information, providing a digital fingerprint. Originally, it was employed for message integrity. The InterSystems IRIS supports encryption algorithms in all the above-mentioned categories. However, the 3DES (Triple DES) algorithm, many popular and based on SKC, is not supported by the %SYSTEM.Encryption class. The IRIS support for Embedded Python allows using the Python language to support 3DES through the Python package pyDes (https://pypi.org/project/pyDes/). In this article, we will demonstrate to you how it works.

Get the 3DES sample application

To get the sample and run it, follow these steps:

Go to the https://openexchange.intersystems.com/package/crypto-iris and click Download to go to the git repository.
Clone the project: git clone https://github.com/yurimarx/crypto-iris.git.
Go to the project folder crypto-iris.
Do the build: docker-compose build.
Execute the containers: docker-compose up -d.
Check in your docker desktop with the instances if everything is ok:

Interface gráfica do usuário, Texto, Aplicativo, Email Descrição gerada automaticamente

Try to encrypt some texts using IRIS Terminal

1. Attach shell to crypto-iris docker instance:

2. In terminal execute iris session iris:

3. Change to IRISAPP namespace:

4. Encrypt and Decrypt a message:

Try to encrypt some texts using ObjectScript CryptoService class

1. From any ObjectScript class call ##class(dc.crypto.CryptoService).Do3DESEncryptation("YOURMESSAGE") to encrypt.
2. From any ObjectScript class call ##class(dc.crypto.CryptoService).Do3DESDecryptation("YOURMESSAGE") to decrypt.

Try to encrypt and decrypt some texts using Postman

1. Go to your Postman (or another similar REST client) and configure the request as shown in this image to encrypt:

Method: POST
URL: http://localhost:52773/crypto-iris/encrypt
Body: raw

2. Click send and get a text encrypted as a binary hex message
3. Go to your Postman (or another similar REST client) and configure the request as indicated in this image to decrypt:

Method: POST
URL: http://localhost:52773/crypto-iris/decrypt
Body: raw

4. Click send and get a text decrypted as a string message

Python and ObjectScript code supporting 3DES

Docker File
The Dockerfile installs python and pyDes package, copies the source file, creates the SECRETKEY which will be used as the private key on encryption and runs IRIS.

Dockerfile

Class dc.crypto.CryptoService
This class implements Encrypt3DES and Decrypt3DES python methods to encrypt and decrypt strings. To do that, it imports triple_des, CBC and PAD_PKCS5 to do string encryption and decryption. The binaascii package is imported to return the encrypted string as ASCII hexadecimal string, resolving possible Unicode problems.

CrytoService class

The triple_des python method returns the class to encrypt and decrypt texts. Note that the size of the key was limited to 24 positions and IV to 8.

Class dc.crypto.CryptoRESTApp
This class exposes encryption and decryption services as REST services.

CryptoRESTApp

Class dc.crypto.CryptoRESTApp Extends %CSP.REST

{

Parameter CHARSET = "utf-8";

Parameter CONVERTINPUTSTREAM = 1;

Parameter CONTENTTYPE = "application/json";

Parameter Version = "1.0.0";

Parameter HandleCorsRequest = 1;

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]

{

</Routes>

}

/// Encrypt message

ClassMethod EncryptMessage() As %Status

{

Try {

Set Message = $ZCONVERT(%request.Content.Read(),"I","UTF8")

Set Response = ##class(dc.crypto.CryptoService).Do3DESEncryptation(Message)

Set %response.Status = 200

Set %response.Headers("Access-Control-Allow-Origin")="*"

Write Response

Return $$$OK

} Catch err {

write !, "Error name: ", ?20, err.Name,

!, "Error code: ", ?20, err.Code,

!, "Error location: ", ?20, err.Location,

!, "Additional data: ", ?20, err.Data, !

Return $$$NOTOK

}

/// Decrypt messages

ClassMethod DecryptMessage() As %Status

{

Try {

Set Message = $ZCONVERT(%request.Content.Read(),"I","UTF8")

Set Response = ##class(dc.crypto.CryptoService).Do3DESDecryptation(Message)

Set %response.Status = 200

Set %response.Headers("Access-Control-Allow-Origin")="*"

Write Response

Return $$$OK

} Catch err {

write !, "Error name: ", ?20, err.Name,

!, "Error code: ", ?20, err.Code,

!, "Error location: ", ?20, err.Location,

!, "Additional data: ", ?20, err.Data, !

Return $$$NOTOK

}

/// General information

ClassMethod GetInfo() As %Status

{

SET version = ..#Version

SET fmt=##class(%SYS.NLS.Format).%New("ptbw")

SET info = {

"Service": "3DES Service API",

"version": (version),

"Developer": "Yuri Gomes",

"Status": "Ok",

"Date": ($ZDATETIME($HOROLOG))

}

Set %response.ContentType = ..#CONTENTTYPEJSON

Set %response.Headers("Access-Control-Allow-Origin")="*"

Write info.%ToJSON()

Quit $$$OK

}

ClassMethod SwaggerSpec() As %Status

{

Set tSC = ##class(%REST.API).GetWebRESTApplication($NAMESPACE, %request.Application, .swagger)

Do swagger.info.%Remove("x-ISC_Namespace")

Set swagger.basePath = "/iris-tts"

Set swagger.info.title = "TTS Service API"

Set swagger.info.version = "1.0"

Set swagger.host = "localhost:52773"

Return ..%ProcessResult($$$OK, swagger)

}

ClassMethod %ProcessResult(pStatus As %Status = {$$$OK}, pResult As %DynamicObject = "") As %Status [ Internal ]

{

#dim %response As %CSP.Response

SET tSC = $$$OK

IF $$$ISERR(pStatus) {

SET %response.Status = 500

SET tSC = ..StatusToJSON(pStatus, .tJSON)

IF $isobject(tJSON) {

SET pResult = tJSON

} ELSE {

SET pResult = { "errors": [ { "error": "Unknown error parsing status code" } ] }

}

ELSEIF pStatus=1 {

IF '$isobject(pResult){

SET pResult = {

}

ELSE {

SET %response.Status = pStatus

SET error = $PIECE(pStatus, " ", 2, *)

SET pResult = {

"error": (error)

}

IF pResult.%Extends("%Library.DynamicAbstractObject") {

WRITE pResult.%ToJSON()

}

ELSEIF pResult.%Extends("%JSON.Adaptor") {

DO pResult.%JSONExport()

}

ELSEIF pResult.%Extends("%Stream.Object") {

DO pResult.OutputToDevice()

}

QUIT tSC

}

Modes of operation supported with 3DES

Our sample used CBC mode, but the 3DES also operates the following modes:

ECB:	Electronic Code Book (ECB)	The most basic but also the weakest mode of operation. Each block of plaintext is encrypted independently of any other block.
CBC:	Cipher-Block Chaining (CBC)	It is a mode of operation where each plaintext block gets XOR-ed with the previous ciphertext block prior to encryption.
CFB:	Cipher FeedBack (CFB)	It is a mode of operation which turns the block cipher into a stream cipher. Each byte of plaintext is XOR-ed with a byte taken from a keystream: the result is the ciphertext.
OFB:	Output FeedBack (OFB)	It is another mode that leads to a stream cipher. Each byte of plaintext is XOR-ed with a byte taken from a keystream: the result is the ciphertext. The keystream is obtained by recursively encrypting the Initialization Vector.
CTR:	CounTer Mode (CTR)	This mode turns the block cipher into a stream cipher. Each byte of plaintext is XOR-ed with a byte taken from a keystream: the result is the ciphertext. The keystream is generated by encrypting a sequence of counter blocks with ECB.

More details on: https://pycryptodome.readthedocs.io/en/latest/src/cipher/des3.html
To get more information about Triple DES visit: https://en.wikipedia.org/wiki/Triple_DES