GENERATE ENCRYPTION KEYPAIR

The GENERATE ENCRYPTION KEYPAIR command generates a new pair of RSA keys. The security system offered in 4D is based on keys designed to encrypt/decrypt information. They can be used within the TLS/SSL protocol, with 4D Web server (encryption and secured communications) and in all databases (for data encryption).

Once the command has been executed, the BLOBs passed in privKey and pubKey parameters contain a new pair of encryption keys.

The optional parameter length can be used to set the key size (in bits). The larger the key, the more difficult it is to break the encryption code.

However, large keys require longer execution or reply time, especially within a secured connection.

By default (if the length parameter is omitted), the generated key size is set to 512 bits, which is a good compromise for the security/efficiency ratio. To increase the security factor, you can change keys more often, for example every six months.You can generate 2048 bits keys to increase the encryption security but the Web application connections will be slowed down.

This command will generate keys in PKCS format encoded in base64, which means that their content can be copied/pasted in an email without any change. Once the pair of keys has been generated, a text document in PEM format can be produced (using the BLOB TO DOCUMENT command for example) and the keys can be stored in a safe place.

Warning: The private key should always be kept secret.

The RSA cipher used by GENERATE ENCRYPTION KEYPAIR is based on a double key encryption system: a private key and a public key. As indicated by its name, the public key can be given to a third person and used to decrypt information. The public key is matched with a unique private key, used to encrypt the information. Thus, the private key is used for encryption; the public key for decryption (or vice versa). The information encrypted with one key can only be decrypted with the other one.

The TLS/SSL protocol encryption functionalities are based on this principle, the public key being included in the certificate sent to the browsers (for more information, see the section Using TLS Protocol).

This encryption mode is also used by the first syntax of the ENCRYPT BLOB and DECRYPT BLOB commands. The public key should be confidentially published.

It is possible to mix the public and private keys from two persons to encrypt information so that the recipient is the only person to be able to decrypt them and the sender is the only person to have encrypted them. This principle is given by the second syntax of the two ENCRYPT BLOB and DECRYPT BLOB commands.

See example for the ENCRYPT BLOB command.