- 3 Minutes to read
- Print
- DarkLight
How to Implement Server-Side Encryption in Mapp Intelligence
- 3 Minutes to read
- Print
- DarkLight
Parameter values that are passed in the pixel request can also be encrypted. Symmetrical encryption methods are used for this purpose. A key is stored in each Mapp account, with the help of which Mapp Intelligence can decrypt the encrypted values.
How to Implement Server-Side Encryption
Follow these steps to enable and configure server-side encryption:
Open configuration
Log in to your Mapp Q3 account and navigate to Configuration > System Configuration > Data CollectionActivate Encryption
Locate the “Encryption” section.
Activate encryption by selecting the appropriate radio button.
Choose an Encryption Algorithm
Select your preferred encryption algorithm from the following options:
BLOWFISH128 (16 characters)
AES128
RC4128
The bit length for all keys is uniformly 128 bits. “BLOWFISH” and “AES” use CBC mode with PKCS5 padding. This mode requires a dynamic initialization vector (IV) for encryption and decryption, in addition to the statically stored key. The IV must precede the encrypted value:
IV length for “BLOWFISH”: 8 bytes
IV length for “AES”: 16 bytes
Enter the Encryption Key
Input your encryption key into the designated text field.
Save Your Configuration
Once all settings are configured, ensure you save your changes.
Additional Recommendations
Key Management: Regularly update and securely store your encryption keys to maintain high levels of security.
Testing: After configuration, test the encryption setup to ensure that the data is correctly encrypted and decrypted.
Documentation: Keep a record of the encryption algorithms and keys used for future reference and troubleshooting.
Steps to Perform Encryption
When encrypting a value, follow these steps. Note that if an algorithm without an initialization vector (IV) is used, the corresponding steps related to the IV can be omitted. The output of each step is used as the input for the next:
URL-Encoding
The value to be encrypted must first be URL-encoded.
Generate Initialization Vector (IV)
An IV is generated, which is necessary for algorithms like BLOWFISH and AES when operated in CBC mode.
Encrypt the Value
Use the selected encryption algorithm (e.g., BLOWFISH/CBC/PKCS5Padding) with the generated IV and the encryption key to encrypt the value.
Combine IV and Encrypted Value
Concatenate the IV and the encrypted value.
Base64 Encoding
Encode the combined IV and encrypted value using Base64.
Mark the Encrypted Value
Mark the value as encrypted by surrounding it with ~! at the beginning and !~ at the end.
Pass to Pixel Script
Pass the marked and encrypted value to the pixel script. The script performs an additional URL-encoding step, which leaves the ~ and ! characters intact.
Example: Encryption Using Blowfish in Java
Below is an example in Java 1.6 that demonstrates how to encrypt a value using the Blowfish algorithm:
// Value to be encrypted
String value = "Confidential Data";
// Algorithm
String algorithmName = "Blowfish";
String fullAlgorithmName = algorithmName + "/CBC/PKCS5Padding";
// Key
String plainKey = "3jdksdz*pd038956";
// Generate Initialization Vector (IV)
final int ivLen = 8;
byte[] iv = new byte[ivLen];
for (byte i = 0; i < ivLen; i++) {
iv[i] = (byte) (i + 1);
}
IvParameterSpec ivSpec = new IvParameterSpec(iv, 0, ivLen);
// URL-encode the value
String urlEncodedValue = URLEncoder.encode(value, "UTF-8");
BASE64Encoder base64Encoder = new BASE64Encoder();
// Encrypt the value
Cipher encryptCipher = Cipher.getInstance(fullAlgorithmName);
SecretKey secretKey = new SecretKeySpec(plainKey.getBytes(), algorithmName);
encryptCipher.init(Cipher.ENCRYPT_MODE, secretKey, ivSpec);
byte[] cryptBytes = encryptCipher.doFinal(urlEncodedValue.getBytes());
// Combine IV and Encrypted Value
byte[] encryptionUnit = new byte[iv.length + cryptBytes.length];
System.arraycopy(iv, 0, encryptionUnit, 0, iv.length);
System.arraycopy(cryptBytes, 0, encryptionUnit, iv.length, cryptBytes.length);
// Base64 encode the combined value
final String base64EncodedUnit = base64Encoder.encode(encryptionUnit);
// Mark the encrypted text
final String startSequence = "~!";
final String endSequence = "!~";
final String markedUnit = startSequence + base64EncodedUnit + endSequence;
// The value of "markedUnit" should now be passed to the pixel script (which will URL-encode it, leaving "~" and "!" intact)
In this example:
Initialization Vector (IV): A static IV is generated for demonstration purposes, but it should typically be generated randomly for each encryption.
Base64 Encoding: The combined IV and encrypted value are Base64 encoded to make them URL-safe.
Marking: The resulting value is marked with ~! at the beginning and !~ at the end to indicate it is encrypted.
This value should then be passed to the pixel script, which will perform any additional necessary processing.