BookmarkSubscribeRSS Feed

Variable-value encryption in SAS

Started ‎07-11-2022 by
Modified ‎07-14-2022 by
Views 889

Hi all!

I've been programming with SAS in my job for 6 years. One thing I miss in Base SAS is the functionality of encrypting a single value or a collection of them, like a variable in a dataset. I'm not talking about hashing a variable, nor encrypting the entire dataset...I want to genuinely encrypt and decrypt values, using some encryption scheme, as defined in the Password-Based Cryptography Specificaton, aka PKCS #5

 

I have initiated a project to develop code (100% SAS code) to implement this functionality. For now, the basic AES algorithm for encrypting and decrypting basic 128 bits-lengh blocks is done. You can encrypt them with a single macro call:

 

/* Message to be encrypted */
%let message=00112233445566778899aabbccddeeff;
%put NOTE: Original message: &message;

/* Encryption with a 128-bit key */
%let key128=000102030405060708090a0b0c0d0e0f;
%let cryptogram128=%cipherAES(&message, &key128);
%put NOTE: Message encrypted with 128-bit key: &cryptogram128;

and then decrypt with another call:

 

/* Decryption with a 128-bit key */
%let messageDecrypted128=%invCipherAES(&cryptogram128, &key128);
%put NOTE: Message decrypted with 128-bit key: &messageDecrypted128;

The encryption key can have 3 lengths: 128, 192 and 256 bit, according to the AES:

 

/* Encryption with a 192-bit key */
%let key192=000102030405060708090a0b0c0d0e0f1011121314151617;
%let cryptogram192=%cipherAES(&message, &key192);
%put NOTE: Message encrypted with 192-bit key: &cryptogram192;

/* Encryption with a 256-bit key */
%let key256=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
%let cryptogram256=%cipherAES(&message, &key256);
%put NOTE: Message encrypted with 256-bit key: &cryptogram256;

These macros are, in fact, macrofunctions, but they can encrypt the N values of a dataset variable too:

 

/* Compute cryptograms and store them in macrovar */
proc sql noprint;
	select '%cipherAES('||m||','||k||')' into :cryptograms separated by ' ' from testMessages;
quit;

The project is a work in progress. To be fully functional, at least one of the encryption Schemes defined in the PKCS #5 specification must be fully implemented. For this purpose, it will be needed at least:

With that elements implemented, the implementation of the AES-CBC-Pad would be complete.

For now, the AES protocol implementation is all I have done. The project can be found here:

 

https://github.com/AlexBennasar/Crypto-SAS 

 

Maybe this project will be interesting/useful for somebody.

 

EDIT 14/07/2022

The Password-Based Key Derivation Function (PBKDF2) is now implemented, for now with only one pseudorandom function (PRF), the HMAC-SHA256.

 

As an example of use, we derive here a key given a password, a salt, an iteration count (number of rounds to perform), and the desired derived key length:

 

/* Password */
%let password=%str(//superSecretPW***);
/* Salt */
%let salt=12a5bc669820edc56710bbf55210aaed;
/* Number of rounds */
%let iCount=1024;
/* Pseudorandom function */
%let PRF=%str(hmac-sha256);
/* Length in bytes of the derived key */
%let derivedKeyLength=32;

/* Key derivation */
%let derivedKey=%PBKDF2(&password, &salt, &iCount, &PRF, &derivedKeyLength);
%put NOTE: Derived key: &derivedKey;

You can check the code and the example here: Crypto-SAS/PBKDF2 

Version history
Last update:
‎07-14-2022 03:37 AM
Updated by:
Contributors

Ready to join fellow brilliant minds for the SAS Hackathon?

Build your skills. Make connections. Enjoy creative freedom. Maybe change the world. Registration is now open through August 30th. Visit the SAS Hackathon homepage.

Register today!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags