Rechercher dans le manuel MySQL

12.19.2 MySQL Enterprise Encryption Usage and Examples

Table des matières

To use MySQL Enterprise Encryption in applications, invoke the functions that are appropriate for the operations you wish to perform. This section demonstrates how to carry out some representative tasks:

Create a private/public key pair using RSA encryption

  1. -- Encryption algorithm; can be 'DSA' or 'DH' instead
  2. SET @algo = 'RSA';
  3. -- Key length in bits; make larger for stronger keys
  4. SET @key_len = 1024;
  5.  
  6. -- Create private key
  7. SET @priv = CREATE_ASYMMETRIC_PRIV_KEY(@algo, @key_len);
  8. -- Derive corresponding public key from private key, using same algorithm
  9. SET @pub = CREATE_ASYMMETRIC_PUB_KEY(@algo, @priv);

Now you can use the key pair to encrypt and decrypt data, sign and verify data, or generate symmetric keys.

Table des matières Haut

Use the private key to encrypt data and the public key to decrypt it

This requires that the members of the key pair be RSA keys.

  1. SET @ciphertext = ASYMMETRIC_ENCRYPT(@algo, 'My secret text', @priv);
  2. SET @plaintext = ASYMMETRIC_DECRYPT(@algo, @ciphertext, @pub);

Conversely, you can encrypt using the public key and decrypt using the private key.

  1. SET @ciphertext = ASYMMETRIC_ENCRYPT(@algo, 'My secret text', @pub);
  2. SET @plaintext = ASYMMETRIC_DECRYPT(@algo, @ciphertext, @priv);

In either case, the algorithm specified for the encryption and decryption functions must match that used to generate the keys.

Table des matières Haut

Generate a digest from a string

  1. -- Digest type; can be 'SHA256', 'SHA384', or 'SHA512' instead
  2. SET @dig_type = 'SHA224';
  3.  
  4. -- Generate digest string
  5. SET @dig = CREATE_DIGEST(@dig_type, 'My text to digest');

Table des matières Haut

Use the digest with a key pair

The key pair can be used to sign data, then verify that the signature matches the digest.

  1. -- Encryption algorithm; could be 'DSA' instead; keys must
  2. -- have been created using same algorithm
  3. SET @algo = 'RSA';
  4.  
  5. -- Generate signature for digest and verify signature against digest
  6. SET @sig = ASYMMETRIC_SIGN(@algo, @dig, @priv, @dig_type);
  7. -- Verify signature against digest
  8. SET @verf = ASYMMETRIC_VERIFY(@algo, @dig, @sig, @pub, @dig_type);

Table des matières Haut

Create a symmetric key

This requires DH private/public keys as inputs, created using a shared symmetric secret. Create the secret by passing the key length to CREATE_DH_PARAMETERS(), then pass the secret as the key length to CREATE_ASYMMETRIC_PRIV_KEY().

  1. -- Generate DH shared symmetric secret
  2. SET @dhp = CREATE_DH_PARAMETERS(1024);
  3. -- Generate DH key pairs
  4. SET @algo = 'DH';
  5. SET @priv1 = CREATE_ASYMMETRIC_PRIV_KEY(@algo, @dhp);
  6. SET @pub1 = CREATE_ASYMMETRIC_PUB_KEY(@algo, @priv1);
  7. SET @priv2 = CREATE_ASYMMETRIC_PRIV_KEY(@algo, @dhp);
  8. SET @pub2 = CREATE_ASYMMETRIC_PUB_KEY(@algo, @priv2);
  9.  
  10. -- Generate symmetric key using public key of first party,
  11. -- private key of second party
  12. SET @sym1 = ASYMMETRIC_DERIVE(@pub1, @priv2);
  13.  
  14. -- Or use public key of second party, private key of first party
  15. SET @sym2 = ASYMMETRIC_DERIVE(@pub2, @priv1);

Key string values can be created at runtime and stored into a variable or table using SET, SELECT, or INSERT:

  1. SET @priv1 = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 1024);
  2. SELECT CREATE_ASYMMETRIC_PRIV_KEY('RSA', 1024) INTO @priv2;
  3. INSERT INTO t (key_col) VALUES(CREATE_ASYMMETRIC_PRIV_KEY('RSA', 1024));

Key string values stored in files can be read using the LOAD_FILE() function by users who have the FILE privilege.

Digest and signature strings can be handled similarly.

Table des matières Haut

Limit CPU usage by key-generation operations

The CREATE_ASYMMETRIC_PRIV_KEY() and CREATE_DH_PARAMETERS() encryption functions take a key-length parameter, and the amount of CPU resources required by these functions increases as the key length increases. For some installations, this might result in unacceptable CPU usage if applications frequently generate excessively long keys.

OpenSSL imposes a minimum key length of 1,024 bits for all keys. OpenSSL also imposes a maximum key length of 10,000 bits and 16,384 bits for DSA and RSA keys, respectively, for CREATE_ASYMMETRIC_PRIV_KEY(), and a maximum key length of 10,000 bits for CREATE_DH_PARAMETERS(). If those maximum values are too high, three environment variables are available to enable MySQL server administrators to set lower maximum lengths for key generation, and thereby to limit CPU usage:

  • MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD: Maximum DSA key length in bits for CREATE_ASYMMETRIC_PRIV_KEY(). The minimum and maximum values for this variable are 1,024 and 10,000.

  • MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD: Maximum RSA key length in bits for CREATE_ASYMMETRIC_PRIV_KEY(). The minimum and maximum values for this variable are 1,024 and 16,384.

  • MYSQL_OPENSSL_UDF_DH_BITS_THRESHOLD: Maximum key length in bits for CREATE_DH_PARAMETERS(). The minimum and maximum values for this variable are 1,024 and 10,000.

To use any of these environment variables, set them in the environment of the process that starts the server. If set, their values take precedence over the maximum key lengths imposed by OpenSSL. For example, to set a maximum key length of 4,096 bits for DSA and RSA keys for CREATE_ASYMMETRIC_PRIV_KEY(), set these variables: 

export MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD=4096
export MYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD=4096

The example uses Bourne shell syntax. The syntax for other shells may differ.


Rechercher dans le manuel MySQL

Traduction non disponible

Le manuel MySQL n'est pas encore traduit en français sur l'infobrol. Seule la version anglaise est disponible pour l'instant.

Document créé le 26/06/2006, dernière modification le 26/10/2018
Source du document imprimé : https://www.gaudry.be/mysql-rf-enterprise-encryption-usage.html

L'infobrol est un site personnel dont le contenu n'engage que moi. Le texte est mis à disposition sous licence CreativeCommons(BY-NC-SA). Plus d'info sur les conditions d'utilisation et sur l'auteur.

Références

  1. Consulter le document html Langue du document :en Manuel MySQL : https://dev.mysql.com/

Ces références et liens indiquent des documents consultés lors de la rédaction de cette page, ou qui peuvent apporter un complément d'information, mais les auteurs de ces sources ne peuvent être tenus responsables du contenu de cette page.
L'auteur de ce site est seul responsable de la manière dont sont présentés ici les différents concepts, et des libertés qui sont prises avec les ouvrages de référence. N'oubliez pas que vous devez croiser les informations de sources multiples afin de diminuer les risques d'erreurs.

Table des matières Haut