How to Implement Server-Side Encryption in Mapp Intelligence
    • 3 Minutes to read
    • Dark
      Light

    How to Implement Server-Side Encryption in Mapp Intelligence

    • Dark
      Light

    Article summary

    Parameter values that are passed in the pixel request can also be encrypted. Symmetrical encryption methods are used for this purpose. A key is stored in each Mapp account, with the help of which Mapp Intelligence can decrypt the encrypted values.

    How to Implement Server-Side Encryption

    Follow these steps to enable and configure server-side encryption:

    1. Open configuration
      Log in to your Mapp Q3 account and navigate to Configuration > System Configuration > Data Collection

    2. Activate Encryption

      1. Locate the “Encryption” section.

      2. Activate encryption by selecting the appropriate radio button.

    3. Choose an Encryption Algorithm

      Select your preferred encryption algorithm from the following options:

      • BLOWFISH128 (16 characters)

      • AES128

      • RC4128

      The bit length for all keys is uniformly 128 bits. “BLOWFISH” and “AES” use CBC mode with PKCS5 padding. This mode requires a dynamic initialization vector (IV) for encryption and decryption, in addition to the statically stored key. The IV must precede the encrypted value:

      • IV length for “BLOWFISH”: 8 bytes

      • IV length for “AES”: 16 bytes

    4. Enter the Encryption Key

      Input your encryption key into the designated text field.

    5. Save Your Configuration

      Once all settings are configured, ensure you save your changes.

    Additional Recommendations

    • Key Management: Regularly update and securely store your encryption keys to maintain high levels of security.

    • Testing: After configuration, test the encryption setup to ensure that the data is correctly encrypted and decrypted.

    • Documentation: Keep a record of the encryption algorithms and keys used for future reference and troubleshooting.

    Steps to Perform Encryption

    When encrypting a value, follow these steps. Note that if an algorithm without an initialization vector (IV) is used, the corresponding steps related to the IV can be omitted. The output of each step is used as the input for the next:

    1. URL-Encoding

      The value to be encrypted must first be URL-encoded.

    2. Generate Initialization Vector (IV)

      An IV is generated, which is necessary for algorithms like BLOWFISH and AES when operated in CBC mode.

    3. Encrypt the Value

      Use the selected encryption algorithm (e.g., BLOWFISH/CBC/PKCS5Padding) with the generated IV and the encryption key to encrypt the value.

    4. Combine IV and Encrypted Value

      Concatenate the IV and the encrypted value.

    5. Base64 Encoding

      Encode the combined IV and encrypted value using Base64.

    6. Mark the Encrypted Value

      Mark the value as encrypted by surrounding it with ~! at the beginning and !~ at the end.

    7. Pass to Pixel Script

      Pass the marked and encrypted value to the pixel script. The script performs an additional URL-encoding step, which leaves the ~ and ! characters intact.

    Example: Encryption Using Blowfish in Java

    Below is an example in Java 1.6 that demonstrates how to encrypt a value using the Blowfish algorithm:

    // Value to be encrypted
    String value = "Confidential Data";
    // Algorithm
    String algorithmName = "Blowfish";
    String fullAlgorithmName = algorithmName + "/CBC/PKCS5Padding";
    // Key
    String plainKey = "3jdksdz*pd038956";
    
    // Generate Initialization Vector (IV)
    final int ivLen = 8;
    byte[] iv = new byte[ivLen];
    for (byte i = 0; i < ivLen; i++) {
        iv[i] = (byte) (i + 1);
    }
    IvParameterSpec ivSpec = new IvParameterSpec(iv, 0, ivLen);
    
    // URL-encode the value
    String urlEncodedValue = URLEncoder.encode(value, "UTF-8");
    BASE64Encoder base64Encoder = new BASE64Encoder();
    
    // Encrypt the value
    Cipher encryptCipher = Cipher.getInstance(fullAlgorithmName);
    SecretKey secretKey = new SecretKeySpec(plainKey.getBytes(), algorithmName);
    encryptCipher.init(Cipher.ENCRYPT_MODE, secretKey, ivSpec);
    byte[] cryptBytes = encryptCipher.doFinal(urlEncodedValue.getBytes());
    
    // Combine IV and Encrypted Value
    byte[] encryptionUnit = new byte[iv.length + cryptBytes.length];
    System.arraycopy(iv, 0, encryptionUnit, 0, iv.length);
    System.arraycopy(cryptBytes, 0, encryptionUnit, iv.length, cryptBytes.length);
    
    // Base64 encode the combined value
    final String base64EncodedUnit = base64Encoder.encode(encryptionUnit);
    
    // Mark the encrypted text
    final String startSequence = "~!";
    final String endSequence = "!~";
    final String markedUnit = startSequence + base64EncodedUnit + endSequence;
    
    // The value of "markedUnit" should now be passed to the pixel script (which will URL-encode it, leaving "~" and "!" intact)

    In this example:

    • Initialization Vector (IV): A static IV is generated for demonstration purposes, but it should typically be generated randomly for each encryption.

    • Base64 Encoding: The combined IV and encrypted value are Base64 encoded to make them URL-safe.

    • Marking: The resulting value is marked with ~! at the beginning and !~ at the end to indicate it is encrypted.

    This value should then be passed to the pixel script, which will perform any additional necessary processing.


    Was this article helpful?