[CryptoAPI] Encrypted data size?

Published on 2015-11-29 by Ricardo Silva
Is there a way to know the maximum length of the encrypted data, for example in the case of the Deterministic encryption actions?
On a project we need to encrypt all the data. If we have a text field, with length 20, by what number do we need to multiply that length, to make sure that we enlarge it enough so that the encrypted value fits as well?
Hello Tim,

The size of the encrypted text is deterministic since I don't compress the plaintext before encryption or anything.

For Deterministic encryption, the binary representation is (16 bytes + NextMultipleOf16(lengthOfPlaintext)). Add to this the size of base64 encoding the text, which explodes every 3 bytes to 4 bytes, so it adds 33% to the size of the text (rounded up).

So for your case of length 20 plaintext, it would be (16 + 20 + 12)*1.33 = 63.8 -> 64 bytes. You gain nothing in having a 20 byte length vs a 32 byte length plaintext.

For completeness, the math for the Random Encryption schema is:

(16 + NextMultipleOf16(plaintext) + 32)*1.33

In your case, it would amount to a maximum of 108 (from 106.4) bytes encrypted text.

Edit: bad initial math, corrected the base64 bloating.
Awesome explanation, thank you.
If you are encrypting ALL the data you would probably be much better off using the built-in database features for this instead of dealing with each field one at a time. It should also eliminate the concern about field sizes. Check out the following post which mentions SQL Server Transparent Data Encryption (TDE) (I'm sure there is an Oracle equivalent) when I asked a related question.

We're using Oracle, and we were considering using something similar. When we asked OutSystems Support whether this was supported, the official answer was: "this was never tested before". ;-)