Encrypt

Encrypts a string. This is useful for interacting with third‑party systems or for hiding URL parameters.

Encrypt(Value, Key [, Algorithm [, Randomize [, AuthenticationTag]]]) As String

An empty Value string encrypts to a non-empty value which decrypts back to an empty string.

The encryption key used to encrypt the value. The key must be a string of bytes that has been Base64 encoded. The required length of that byte string depends on the encryption algorithm used. For example:

(Optional) The encryption algorithm to use; the only supported encryption algorithm is AES-128 (Advanced Encryption Standard). The key must be 16 bytes long before Base64 encoding.

(Optional.) True generates a different encrypted value every time you process a string, even if it is the same string. The encrypted value is longer, because it includes information about the randomization used, so that it can be decrypted.

False generates the same encrypted value when you encrypt the same string.

True includes extra information in the encrypted value which enables the Decrypt function to detect if the value has been changed. This makes the encrypted value longer.

Returns the encrypted version of the string that is specified by the Value parameter.

Dim EncryptionKey, EncryptedResult
EncryptionKey = Base64Encode("e12zXyp04@jIcdMc")
EncryptedResult = Encrypt("ID976543", EncryptionKey)

The encryption is performed in such a way that it should be possible for external systems to generate encrypted values that can be decrypted by the Decrypt function, and to decrypt values that have been encrypted by the Encrypt function.

The format of the encrypted value is:

+ means concatenation of bytes.

The HeaderByte is defined as:

▪Bits 0 – 5: Algorithm identifier. 1 = AES-128. (All other values are currently undefined and reserved for future use.)

▪Bit 7: 1 = Authentication tag is included; 0 = Authentication tag is absent.

The AuthenticationTag and IV values are optional; they are controlled by the Randomize and AuthenticationTag parameters of the Encrypt function.

The authentication tag is calculated as a SHA-256 HMAC:

▪If the IV value is included, the HMAC is calculated over a sequence of bytes consisting of the HeaderByte, IV, and CipherText.

▪If the IV value is not included, the HMAC is calculated over a sequence of bytes consisting of only the HeaderByte and the CipherText.

The length of the AuthenticationTag value is always 256-bits.

If Randomize is requested, a random initialization vector (IV) is generated and included in the output value. The IV value used is stored in the output value so that it can be used when the value is decrypted. If Randomization is not required, a fixed IV value is used. The Base64 encoded representation of that fixed value is ¡°06AiKJFH4s5jqQUfKRIvOQ==¡±.

The length of the IV value depends on the encryption algorithm used (currently, it is always 128-bits).

The CipherText value is the UTF-8 encoded input value after encryption by the specified encryption algorithm. The only supported value is AES-128, which is 128‑bit AES using the CBC block mode and PKCS7 padding. The IV value used as input to the encryption is either a fixed value or a randomly generated value (see above).

The output of the Encrypt function is generated by concatenating the HeaderByte, AuthenticationTag (if required), IV (if required), and CipherText; and then Base64‑encoding that byte sequence. This results in a simple string that can be, for example, stored in a database or passed as a URL parameter.

During decryption, the input value is Base64‑decoded back into a byte sequence.

The HeaderByte indicates if the AuthenticationTag and IV values are present, and therefore how to break the byte sequence into individual values.

If the AuthenticationTag is present, the original SHA-256 HMAC calculation is repeated, and then the result is compared against the AuthenticationTag value that was originally calculated and included in the encrypted value.

If the calculated AuthenticationTag is different, this means that the encrypted value has been changed since it was encrypted.

The HeaderByte specifies the decryption algorithm to use (currently, this is always AES-128.) The CipherText can then be decrypted by using either the supplied or fixed IV value with the known or supplied key.