This topic provides an overview of encryption and decryption algorithms used in securing assets, including key lengths and advanced configuration options.
Encryption and decryption algorithm examples
The FF1 encryption and decryption algorithm configuration aligns with that of the encryption and decryption widget. For more configuration information, see Configure encryption transform widget, Configure decryption transform widget.
Encryption and decryption algorithm | Type | Key length | Example |
AES native encryption and decryption | Symmetric encryption | Includes 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes) | Plaintext: Content to be desensitized. Ciphertext: YCbL4MLjNM9TZK0KIUJ+SA==. |
DES native encryption and decryption | Symmetric encryption | 64 bits (8 bytes) | Plaintext: Content to be desensitized. Ciphertext: N9ofRKhLAAc+JAbCeHIy6Q==. |
3DES native encryption and decryption | Symmetric encryption | 112 bits (14 bytes), 168 bits (21 bytes) | Plaintext: Content to be desensitized. Ciphertext: bUf8OdUzcY/wlxHlXvsNuw==. |
RSA native public key encryption and decryption | Asymmetric encryption | Includes 1024 bits (128 bytes), 2048 bits (256 bytes), 4096 bits (512 bytes) | Plaintext: Content to be desensitized. Ciphertext: Wpmnp63i8PbbqnIWGOgTv6tGK8CtNLXCkTgT+M4ztzY+hF41YlliASSpUqjzEfHUmSqunyvP64nqeWl+lbhYLYee80MGOnYLwyuekuYSbV/tEb6oXeFJgjxTixhqWxxn7cVTpmiLsm5pnNQDVoBB+l43kBj/OOp1WRM+S3Gz5N0=. |
RSA native private key encryption and decryption | Asymmetric encryption | Includes 1024 bits (128 bytes), 2048 bits (256 bytes), 4096 bits (512 bytes) | Plaintext: Content to be desensitized. Ciphertext: RNZ2yr9tfIPbddVpW1PGHfB3pdwgy3Kt91mc+gk4dHjqpE13KYxRg+Tnaz+ALtJCMjdNLYGNmMPjH7gJ0M+FC1fBKLuC9JfDrQQsJ4L3uoF4eEiNtpO4bbVTjA6xFRCmMAP3eQK2ezENOaFS9vmut86KebYDtXiK1vLhVXUlW/w=. |
FPE reserved format (FF1) | Symmetric encryption | 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes) | Plaintext: 313123202211110000, encryption range is 1~18 digits and uses a numeric encryption dictionary. Ciphertext: 578969202211111234. |
FPE reserved format native (FF1) | Symmetric encryption | 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes) | Plaintext: daituominneirong. Ciphertext: eodlvvviwwvrphbc. |
SM2 native public key encryption | Asymmetric encryption | 512 bits (64 bytes) | Plaintext: Content to be desensitized. Ciphertext: BIIjRLqkp3awbc+mjA1e772SGSiNKF9emW/2OBs/r+9OEvEM9+iKOZ/aCwaIIWbEOnbrJPsUisA4idwo46/kvdU8njZJcIfc08X/cA2jRfHKI26N+et8hqo37ItP1MFDxIP0qE7eavKvOOa4qdPx3g==. |
SM2 native private key decryption | Asymmetric encryption | 256 bits (32 bytes) | Plaintext: Content to be desensitized. Ciphertext: ArrayIndexOutOfBoundsException: . |
SM4 native encryption and decryption | Symmetric encryption | 128 bits (16 bytes) | Plaintext: Content to be desensitized. Ciphertext: RghOtCYCHJPKhmyCPAnIrg==. |
Advanced configuration ranges for encryption and decryption algorithms
Encryption and decryption algorithm | Pattern | Padding | IV (offset) | Remarks |
AES | ECB | NoPadding | Not supported | The length of encrypted data must be a multiple of 16 |
AES | ECB | PKCS5Padding | Not supported | Recommended |
AES | ECB | PKCS7Padding | Not supported | None |
AES | CBC | NoPadding | The length must be 16 bits | The length of encrypted data must be a multiple of 16 |
AES | CBC | PKCS5Padding | The length must be 16 bits | None |
AES | CBC | PKCS7Padding | The length must be 16 bits | None |
AES | CFB | NoPadding | The length must be 16 bits | None |
AES | CFB | PKCS5Padding | The length must be 16 bits | None |
AES | CFB | PKCS7Padding | The length must be 16 bits | None |
AES | CTR | NoPadding | The length must be 16 bits | None |
AES | CTR | PKCS5Padding | The length must be 16 bits | None |
AES | CTR | PKCS7Padding | The length must be 16 bits | None |
AES | OFB | NoPadding | The length must be 16 bits | None |
AES | OFB | PKCS5Padding | The length must be 16 bits | None |
AES | OFB | PKCS7Padding | The length must be 16 bits | None |
DES | ECB | NoPadding | Not supported | The length of encrypted data must be a multiple of 8 |
DES | ECB | PKCS5Padding | Not supported | Recommended |
DES | ECB | PKCS7Padding | Not supported | None |
DES | CBC | NoPadding | The length must be 8 bits | The length of encrypted data must be a multiple of 16 |
DES | CBC | PKCS5Padding | The length must be 8 bits | None |
DES | CBC | PKCS7Padding | The length must be 8 bits | None |
DES | CFB | NoPadding | The length must be 8 bits | None |
DES | CFB | PKCS5Padding | The length must be 8 bits | None |
DES | CFB | PKCS7Padding | The length must be 8 bits | None |
DES | CTR | NoPadding | The length must be 8 bits | None |
DES | CTR | PKCS5Padding | The length must be 8 bits | None |
DES | CTR | PKCS7Padding | The length must be 8 bits | None |
DES | OFB | NoPadding | The length must be 8 bits | None |
DES | OFB | PKCS5Padding | The length must be 8 bits | None |
DES | OFB | PKCS7Padding | The length must be 8 bits | None |
3DES | ECB | NoPadding | Not supported | The length of encrypted data must be a multiple of 8 |
3DES | ECB | PKCS5Padding | Not supported | Recommended |
3DES | ECB | PKCS7Padding | Not supported | None |
3DES | CBC | NoPadding | The length must be 8 bits | The length of encrypted data must be a multiple of 16 |
3DES | CBC | PKCS5Padding | The length must be 8 bits | None |
3DES | CBC | PKCS7Padding | The length must be 8 bits | None |
3DES | CFB | NoPadding | The length must be 8 bits | None |
3DES | CFB | PKCS5Padding | The length must be 8 bits | None |
3DES | CFB | PKCS7Padding | The length must be 8 bits | None |
3DES | CTR | NoPadding | The length must be 8 bits | None |
3DES | CTR | PKCS5Padding | The length must be 8 bits | None |
3DES | CTR | PKCS7Padding | The length must be 8 bits | None |
3DES | OFB | NoPadding | The length must be 8 bits | None |
3DES | OFB | PKCS5Padding | The length must be 8 bits | None |
3DES | OFB | PKCS7Padding | The length must be 8 bits | None |
SM4 | ECB | NoPadding | Not supported | The length of encrypted data must be a multiple of 16 |
SM4 | ECB | PKCS5Padding | Not supported | Recommended |
SM4 | ECB | PKCS7Padding | Not supported | None |
SM4 | CBC | NoPadding | The length must be 16 bits | The length of encrypted data must be a multiple of 16 |
SM4 | CBC | PKCS5Padding | The length must be 16 bits | None |
SM4 | CBC | PKCS7Padding | The length must be 16 bits | None |
SM4 | CFB | NoPadding | The length must be 16 bits | None |
SM4 | CFB | PKCS5Padding | The length must be 16 bits | None |
SM4 | CFB | PKCS7Padding | The length must be 16 bits | None |
SM4 | CTR | NoPadding | The length must be 16 bits | None |
SM4 | CTR | PKCS5Padding | The length must be 16 bits | None |
SM4 | CTR | PKCS7Padding | The length must be 16 bits | None |
SM4 | OFB | NoPadding | The length must be 16 bits | None |
SM4 | OFB | PKCS5Padding | The length must be 16 bits | None |
SM4 | OFB | PKCS7Padding | The length must be 16 bits | None |
SM2 | None | None | None | None |
RSA | ECB | NoPadding | None | None |
RSA | ECB | PKCS1Padding | None | Recommended |
RSA | ECB | OAEPPadding | None | None |
RSA | NONE | NoPadding | None | None |
RSA | NONE | PKCS1Padding | None | None |
RSA | NONE | OAEPPadding | None | None |
Masking algorithm examples
Masking algorithm | Example |
Bank card number (hidden length) | Plaintext: 6221888200604488888. Ciphertext: ****8888 corresponds to the algorithm |
Chinese name | Plaintext: ZhangSan. Ciphertext: *San corresponds to the algorithm |
Mobile phone (hidden length) | Plaintext: 13512345678. Ciphertext: *** **** **78 corresponds to the algorithm |
Custom mask | Plaintext: '123456789', 1,2,3,4,5,6. Ciphertext: '***2***4***6789' corresponds to the algorithm |
Landline | Plaintext: 075512345678. Ciphertext: 0755********8 corresponds to the algorithm |
Landline (hidden length) | Plaintext: 075512345678. Ciphertext: 0755***8 corresponds to the algorithm |
Bank card number | Plaintext: 6221888200604488888. Ciphertext: ***************8888 corresponds to the algorithm |
Address | Plaintext: 969 **** Road, ***** District, Hangzhou City, Zhejiang Province. Ciphertext: *** District, Hangzhou City, Zhejiang Province corresponds to the algorithm |
ID card number (hidden length) | Plaintext: 1234567890. Ciphertext: 1***0 corresponds to the algorithm |
Birthday | Plaintext: 2019-08-15. Ciphertext: ****-08-15 corresponds to the algorithm |
Plaintext: te**@alibaba-inc.com. Ciphertext: t***@alibaba-inc.com corresponds to the algorithm | |
ID card number | Plaintext: 1234567890. Ciphertext: 1********0 corresponds to the algorithm |
Empty string | Plaintext: randomValue. Ciphertext: corresponds to the algorithm |
Chinese name (name desensitization) | Plaintext: Zhang San. Ciphertext: Zhang* corresponds to the algorithm |
Mobile phone | Plaintext: 13512345678. Ciphertext: *********78 corresponds to the algorithm |
Null value | Plaintext: randomValue. Ciphertext: null (the display of null values varies across databases) corresponds to the algorithm |
Taobao account | Plaintext: Taobao talent001. Ciphertext: Tao***1 corresponds to the algorithm |
Custom mask (custom replacement value) | Plaintext: '123456789', 1,2,***,3,4,###,5,6,%%%. Ciphertext: '***2###4%%%6789' corresponds to the algorithm |
Keyword replacement | Plaintext: "abcdefg", "cd|ef","". Ciphertext: "abg" corresponds to the algorithm |
Hashing desensitization algorithm functions
Hashing desensitization algorithm | Corresponding algorithm/function |
Salted MD5 | The corresponding algorithm is |
Salted SHA384 | The corresponding algorithm is |
Salted SHA256 | The corresponding algorithm is |
SHA512 | The corresponding algorithm is |
SHA256 | The corresponding algorithm is |
Salted SHA512 | The corresponding algorithm is |
Base64 | The corresponding algorithm is |
MD5 | The corresponding algorithm is |
SHA384 | The corresponding algorithm is |
Other algorithm examples
Other algorithms | Example |
Gaussian noise | Plaintext: 100. Ciphertext: 120 corresponds to the algorithm |