Implementing Encryption and Decryption Functions via API in Business Central

In Microsoft Dynamics 365 Business Central, securing sensitive data like passwords is crucial for protecting both businesses and customers. By the end of this post, you will understand how passwords are encrypted before being stored and decrypted only when necessary. This ensures that passwords remain secure, minimizing exposure and building trust.

1. Storing Encrypted Passwords

Passwords are encrypted before being stored in the database to ensure they are protected. This prevents anyone from accessing passwords in plain text, even if they gain unauthorized access to the database. Here's an example of how a custom table, CFSCustomPage, stores encrypted passwords using the EncodePassword procedure.

In the above code, the password is encrypted before being stored in the database to ensure the data remains secure. The EncodePassword procedure is used for encrypting the password.

2. Decrypting Passwords When Needed

When passwords need to be retrieved, they are decrypted using the DecodePassword procedure. This ensures that passwords are only accessible when required, minimizing exposure. Here's the decryption function:

In the above code, passwords are decrypted only when needed, allowing the system to securely handle sensitive data.

3. Returning Decrypted Passwords via API

For external systems or applications requiring access to customer data, Business Central ensures that passwords are only decrypted and transmitted securely via API. This way, customer information remains protected throughout the process. Here’s how the API Page CFSCustPageAPI handles this:

The API exposes the encrypted password and only decrypts it when accessed securely through the API.

4. Returning Decrypted Passwords in a List Page

Passwords can also be decrypted and displayed in a list page when necessary, ensuring they are only shown to authorized users. This is done using the DecodePassword function in the page CFSCustomPage, as shown below:

This page allows authorized users to view encrypted passwords, MD5, SHA1, SHA512, and AES encrypted passwords, and also decrypt them when necessary.

5. Best Practices for Password Security

• Encrypt Passwords: Always encrypt passwords in the database to keep them secure.

• Limit Decryption: Decrypt passwords only when necessary, and restrict access to trusted users.

• Secure Transmission: Use HTTPS to transmit decrypted passwords, ensuring they are protected during transmission.

6. Encryption Types Used in the System

Here are the different types of encryption and hashing methods used in Business Central:

1. MD5 Hashing:

   • MD5 (Message Digest Algorithm 5) produces a 128-bit hash and is commonly used for integrity checks. However, it is considered insecure for cryptographic purposes due to vulnerabilities.

2. SHA-1 Hashing:

   • SHA-1 (Secure Hash Algorithm 1) produces a 160-bit hash. While it was widely used, it is now considered insecure because of vulnerabilities that allow collisions (two different inputs producing the same hash).

3. SHA-512 Hashing:

   • SHA-512 is part of the SHA-2 family and produces a 512-bit hash. It is widely used for secure data integrity and is recommended for password hashing due to its strength.

4. AES Encryption (Advanced Encryption Standard):

   • AES is a symmetric encryption algorithm used for securely encrypting sensitive data. It uses the same key for both encryption and decryption. AES supports multiple key sizes, including 128, 192, and 256 bits. It is widely considered secure and is commonly used for encrypting passwords.

5. Base64 Encoding:

   • Base64 encoding is used to convert binary data (like encryption keys) into ASCII text, making it easier to transmit over text-based protocols like HTTP. It is often used to encode the encryption key and initialization vector (IV) in AES encryption.

Conclusion

By encrypting passwords and decrypting them only when necessary, Business Central ensures that sensitive customer data is stored securely and handled responsibly. This approach not only helps businesses protect their users' data but also builds trust by ensuring customers' information is never exposed unnecessarily. By using various encryption and hashing methods such as MD5, SHA-1, SHA-512, and AES, you can choose the level of security required for your specific use case, ensuring robust data protection for all users.

This updated blog now incorporates the latest code changes, encryption methods, and security best practices, offering a more detailed explanation of how encryption is applied to password security in Business Central.