AES Task

Properties   Config Settings  

The AES Task can be used to encrypt and decrypt data for regular transport.

Remarks

The AES Task contains an encoder and a decoder that receive SSIS ADO tables from the SSIS Package and perform cryptographic operations on the data. The encoder will produce an encrypted file that the decoder can then decrypt, making it possible to add secure storage to your business process.

Configuration

Since AES is a symmetric-key algorithm, the settings for the Encode operations and Decode operations are the exact same.

First set the KeySize to determine the strength of the cipher to be used. Next, set the KeyPassword to allow the task to generate the cryptographic Key and IV. Alternatively, you may set the Key and IV properties directly. Note that the same password may be used for the encoder and decoder to generate the same key and IV.

You can change how the cryptography is performed by setting the CipherMode and PaddingMode properties.

Encoder Property List


The following is the full list of the properties of the encoder task with short descriptions. Click on the links for further details.

AdditionalAuthDataAdditional authentication data (AAD) used in GCM mode.
CipherModeControls how the task uses the IV to modify the cipher algorithm.
InputFileThe full path to the input file.
IVThe initialization vector used by the CipherMode to modify the ciphertext.
KeyThe raw key used by the cipher.
KeyPasswordA password used by the task to generate the Key and IV .
KeySizeThe size of the Key .
OtherDefines a set of configuration settings to be used by the task.
OutputFileThe full path to the output file.
PaddingModeUsed by the cipher to pad the last block of input text.
RuntimeLicenseSpecifies the component runtime license key.

Decoder Property List


The following is the full list of the properties of the decoder task with short descriptions. Click on the links for further details.

AdditionalAuthDataAdditional authentication data (AAD) used in GCM mode.
CipherModeControls how the task uses the IV to modify the cipher algorithm.
InputFileThe full path to the input file.
IVThe initialization vector used by the CipherMode to modify the ciphertext.
KeyThe raw key used by the cipher.
KeyPasswordA password used by the task to generate the Key and IV .
KeySizeThe size of the Key .
OtherDefines a set of configuration settings to be used by the task.
OutputFileThe full path to the output file.
PaddingModeUsed by the cipher to pad the last block of input text.
RuntimeLicenseSpecifies the component runtime license key.

Config Settings


The following is a list of config settings for the task with short descriptions. Click on the links for further details.

AuthTagLengthThe authentication tag length used in GCM mode.
EncryptedDataEncodingThe encoding of the encrypted input or output data.
IncludeIVWhether to prepend the IV to the output data and read the IV from the input data.
KeyPasswordAlgorithmThe hash algorithm used to derive the Key and IV from the KeyPassword property.
KeyPasswordIterationsThe number of iterations performed when using KeyPassword to derive the Key and IV.
KeyPasswordSaltThe salt value used in conjunction with the KeyPassword to derive the Key and IV.

AdditionalAuthData Property (AES Task)

Additional authentication data (AAD) used in GCM mode.

Data Type

String

Default Value

""


Remarks

This setting optionally specifies additional authentication data. The data specified must be hex encoded. This is only applicable when CipherMode is set to 6 (cmGCM). This may be set prior to encryption or decryption.

Note that AAD data is authenticated but not encrypted, so it is not included in the output message.

CipherMode Property (AES Task)

Controls how the task uses the IV to modify the cipher algorithm.

Data Type

Enumeration

Possible Values

CBC (1)
ECB (2)
OFB (3)
CFB (4)
CTS (5)
8OFB (6)
8CFB (7)
GCM (8)


Default Value

1


Remarks

CipherMode can be used to allow the task to use an initialization vector (IV) to manipulate the output from the cipher. This can add several degrees of security to the basic cipher algorithm.

CBC - Cipher Block ChainingEach block of data output by the cipher is XOR'd with the next block of plaintext to change the input. The IV is used as the first block.
ECB - Electronic CodebookThis is the basic cipher algorithm. The value of the IV will be ignored.
OFB - Output FeedbackThe output of each cipher call is XOR'd with the plaintext to produce the ciphertext and the same output is used as the input for the next cipher call. The IV is used as the first input block.
CFB - Cipher FeedbackEach block of ciphertext is encrypted again and XOR'd with the plaintext to produce the next block of ciphertext. The IV is used as the first input block.
CTS - Cipher Text StealingHandles any length of plain text and produces cipher text whose length matches the plain text length. This mode behaves like the CBC mode for all but the last two blocks of the plain text.
8OFB - 8-bit Output FeedbackOFB cipher in 8-bit mode.
8CFB - 8-Bit Cipher FeedbackCFB cipher in 8-bit mode.
GCM - Galois/Counter ModeEach input block is counted, and the current value of the counter is sent through the block cipher. The output of the block cipher is XOR'd with the corresponding plaintext block to form the ciphertext.

Note: the default cipher mode is CBC as it provides a very strong layer of added security for a minimum of extra CPU power.

InputFile Property (AES Task)

The full path to the input file.

Data Type

String

Default Value

""


Remarks

The task will AES encrypt or decrypt the file specified by this property.

IV Property (AES Task)

The initialization vector used by the CipherMode to modify the ciphertext.

Data Type

String

Default Value

""


Remarks

The IV is an initialization vector used by the CipherMode to modify the ciphertext output by the task. This can add several degrees of security to the cipher.

Key Property (AES Task)

The raw key used by the cipher.

Data Type

String

Default Value

""


Remarks

The Key is a master key used to create the set of encryption and decryption keys that can be used by the cipher. Note that the same key must be used for the encoder and decoder in order to correctly decrypt the encrypted data.

KeyPassword Property (AES Task)

A password used by the task to generate the Key and IV .

Data Type

Password

Default Value

""


Remarks

The task can use the KeyPassword to fill in the values of Key and IV using the PKCS5 password digest algorithm. The size of the Key generated is dependent on the value of KeySize.

KeySize Property (AES Task)

The size of the Key .

Data Type

Enumeration

Possible Values

128 (128)
196 (192)
256 (256)


Default Value

256


Remarks

KeySize can be used to change the size of the key generated when the KeyPassword is set. If Key is set directly, KeySize will reflect the size of that key. The size of the key also determines the strength of the cipher algorithm:

  • weak - 128 bits
  • medium - 192 bits
  • strong - 256 bits

Note: the default key size is 256 to ensure the maximum cipher strength.

Other Property (AES Task)

Defines a set of configuration settings to be used by the task.

Data Type

String

Default Value

""


Remarks

The task accepts one or more configuration settings. These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the task, access to these internal properties is provided through the Other property.

The Other property may be set to one or more configuration settings (name/value pairs). Set one setting per line. For example: configname1=value1 configname2=value2

OutputFile Property (AES Task)

The full path to the output file.

Data Type

String

Default Value

""


Remarks

The output of the encrypt or decrypt operation will be written to the file specified by this property.

PaddingMode Property (AES Task)

Used by the cipher to pad the last block of input text.

Data Type

Enumeration

Possible Values

None (1)
PKCS7 (2)
Zeros (3)
ANSIX923 (4)
ISO10126 (5)


Default Value

2


Remarks

PaddingMode is used by the cipher to pad the final input block to guarantee that it is the correct size required for the cipher's input. Each mode pads the data differently:

NoneNo padding will be performed.
PKCS7The data is padded with by a series of bytes that are each equal to the number of bytes used (eg: 03 03 03)
ZerosThe data is padded by several null bytes (eg: 00 00 00).
ANSIX923The data is padded by a sequence of null bytes followed by the number of bytes in the padding.
ISO10126The data is padded by a sequence of random bytes followed by the number of bytes in the padding.

Note: unless the length of input is an exact multiple of the cipher's input block size (16 bytes for AES), the final block of plaintext may be lost if None is used. In order to avoid this, the default PaddingMode is PKCS7.

RuntimeLicense Property (AES Task)

Specifies the component runtime license key.

Data Type

String

Default Value

""


Remarks

You can use the RuntimeLicense property to set the runtime key for the task license.

Config Settings (AES Task)

The task accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the task, access to these internal properties is provided through the Other property.

AES Config Settings

AuthTagLength:   The authentication tag length used in GCM mode.

This setting is only applicable when CipherMode is set to 8 (cmGCM). The default value is 128. Valid values are

  • 96
  • 104
  • 112
  • 120
  • 128 (default)
EncryptedDataEncoding:   The encoding of the encrypted input or output data.

This configuration setting specifies how the encrypted data is encoded (if at all).

When Encrypt is called the task will perform the encryption as normal and then encode the output as specified here. OutputMessage or OutputFile will hold the encoded data.

When Decrypt is called the task will expect InputMessage or InputFile to hold the encoded data as specified here. The task will then decode the data and perform decryption as normal.

Possible values are:

  • 0 (none - default)
  • 1 (Base64)
  • 2 (Hex)
  • 3 (Base64URL)

IncludeIV:   Whether to prepend the IV to the output data and read the IV from the input data.

If this config is true, the IV will be automatically prepended to the output data when encrypting. When decyrpting and this setting is True, the IV is automatically extracted form the ciphertext. The default value is False.

KeyPasswordAlgorithm:   The hash algorithm used to derive the Key and IV from the KeyPassword property.

This configuration setting specifies which hash algorithm will be used when deriving the Key and IV from KeyPassword. The default value is "MD5". Possible values are:

  • "SHA1"
  • "MD2"
  • "MD5" (default)
  • "HMAC-SHA1"
  • "HMAC-SHA224"
  • "HMAC-SHA256"
  • "HMAC-SHA384"
  • "HMAC-SHA512"
  • "HMAC-MD5"
  • "HMAC-RIPEMD160"

When using any HMAC algorithm the PBKDF#2 method from RFC 2898 is used. Any other algorithm uses PBKDF#1 from the same RFC.

KeyPasswordIterations:   The number of iterations performed when using KeyPassword to derive the Key and IV.

This configuration setting specifies the number of iterations performed when using KeyPassword to calculate values for Key and IV. When using PBKDF#2 the default number of iterations is 10,000. When using PBKDF#1 the default number is 10.

KeyPasswordSalt:   The salt value used in conjunction with the KeyPassword to derive the Key and IV.

This configuration setting specifies the hex encoded salt value to be used along with the KeyPassword when calculating values for Key and IV.