SAP CPI : Data masking through Encryption technique in Groovy Script

Data masking, also known as data obfuscation, is a process for hiding data. Its primary function is to protect sensitive, private information. There are many techniques for achieving it; to name a few: substitution, shuffling, encryption, and nulling out or deletion.

In this article, I propose using encryption to mask the data of a selected column in a comma-separated file.

Let us suppose there is a file of employee records containing sensitive data such as SSNs, and you need to pass this information to your end party. You don't want to expose it in the target file; rather, you would like to mask it. Want to see how this can be done? Well, continue reading…

Input data :

[Image: Input Data]

I’ve captured my iFlow design below.

You may think that a single iFlow has both encryption and decryption, right? Hold on: the design does not mimic any real-time scenario. I have only tried to give you an idea of how this technique can be used to encrypt and decrypt data to achieve masking.

The encryption logic is written in a Groovy script, which is applied to the selected XML node (the CSV is converted to XML) in the message mapping. The script encrypts the data of that node, and you are then ready to pass the file on in the format required by your end party.

Encryption Script:

import com.sap.it.api.ITApi
import com.sap.it.api.ITApiFactory
import com.sap.it.api.securestore.*;
import com.sap.it.api.keystore.*;
import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.ArrayList
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.HashMap;
import javax.net.ssl.KeyManager;

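def String Hashing(String arg1) {
    // Despite its name, this function encrypts (reversibly); it does not hash.
    def body = arg1;
    String password;

    // Read the key material from Security Material (user credential alias)
    def service = ITApiFactory.getApi(SecureStoreService.class, null);
    def credential = service.getUserCredential("Security_Material");
    if (credential == null) {
        throw new IllegalStateException("No credential found for alias 'Security_Material'");
    } else {
        password = new String(credential.getPassword());
    }

    // Derive a 128-bit AES key: the first 16 bytes of SHA-1(password).
    // Declared as locals so they do not end up in the shared script binding.
    byte[] key = password.getBytes("UTF-8");
    MessageDigest sha = MessageDigest.getInstance("SHA-1");
    key = sha.digest(key);
    key = Arrays.copyOf(key, 16);
    SecretKeySpec secretKey = new SecretKeySpec(key, "AES");

    // ECB mode is deterministic: the same input value always gives the same ciphertext
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    def encryptedData = Base64.getEncoder().encodeToString(cipher.doFinal(body.getBytes("UTF-8")));

    return encryptedData;
}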

Are you searching the script for the key that does the encryption? You won't find it within the script.

Yeah, I've stored the key in Security Material and access it when calling the encryption. This restricts visibility of the key at the script/iFlow level.

If you want to decrypt the file for any purpose at any time, you can do that as well…

Decryption Script:

import com.sap.it.api.ITApi
import com.sap.it.api.ITApiFactory
import com.sap.it.api.securestore.*;
import com.sap.it.api.keystore.*;
import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.ArrayList
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.HashMap;
import javax.net.ssl.KeyManager;

def String Decrypt(String arg1) {
    def body = arg1;
    String password;

    // Read the same key material that the encryption script used
    def service = ITApiFactory.getApi(SecureStoreService.class, null);
    def credential = service.getUserCredential("Security_Material");
    if (credential == null) {
        throw new IllegalStateException("No credential found for alias 'Security_Material'");
    } else {
        password = new String(credential.getPassword());
    }

    // Same key derivation as in the encryption script
    byte[] key = password.getBytes("UTF-8");
    MessageDigest sha = MessageDigest.getInstance("SHA-1");
    key = sha.digest(key);
    key = Arrays.copyOf(key, 16);
    SecretKeySpec secretKey = new SecretKeySpec(key, "AES");

    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, secretKey);
    // Decode with the charset used when encrypting, not the platform default
    def decryptedData = new String(cipher.doFinal(Base64.getDecoder().decode(body)), "UTF-8");

    return decryptedData;
}

 

Special Note: Please remove unwanted/unused import statements from the script 😉

I’ve captured the payload to show the output.

 

 

You may try a different encryption/decryption algorithm, or change the key length or other parameters in the script, and find out the difference.
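One such difference, as an added example that is not part of the original scripts: with AES/ECB two rows holding the same SSN get the same masked value, while AES/GCM with a fresh random nonce per value does not. The key is derived as in the scripts above, but from a constructed passphrase instead of the Security Material alias so that it runs in a plain Groovy console; the helper names and sample SSNs are assumptions made for the example.

```groovy
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

// Key derivation as in the scripts above; the passphrase argument is a constructed stand-in.
SecretKeySpec deriveKey(String passphrase) {
    byte[] digest = MessageDigest.getInstance("SHA-1").digest(passphrase.getBytes("UTF-8"))
    return new SecretKeySpec(Arrays.copyOf(digest, 16), "AES")
}

// The article's approach: AES/ECB, no IV, deterministic output.
String maskEcb(SecretKeySpec key, String value) {
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding")
    cipher.init(Cipher.ENCRYPT_MODE, key)
    return Base64.getEncoder().encodeToString(cipher.doFinal(value.getBytes("UTF-8")))
}

// Alternative: AES/GCM with a fresh 12-byte nonce per value, stored in front of the ciphertext.
String maskGcm(SecretKeySpec key, String value) {
    byte[] nonce = new byte[12]
    new SecureRandom().nextBytes(nonce)
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce))
    byte[] ct = cipher.doFinal(value.getBytes("UTF-8"))
    byte[] packed = new byte[nonce.length + ct.length]
    System.arraycopy(nonce, 0, packed, 0, nonce.length)
    System.arraycopy(ct, 0, packed, nonce.length, ct.length)
    return Base64.getEncoder().encodeToString(packed)
}

String unmaskGcm(SecretKeySpec key, String masked) {
    byte[] raw = Base64.getDecoder().decode(masked)
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12))
    // doFinal throws AEADBadTagException if the masked value was altered
    return new String(cipher.doFinal(raw, 12, raw.length - 12), "UTF-8")
}

def key = deriveKey("constructed-demo-passphrase")
def ssns = ["123-45-6789", "987-65-4321", "123-45-6789"]   // constructed; rows 1 and 3 match
def ecb = ssns.collect { maskEcb(key, it) }
def gcm = ssns.collect { maskGcm(key, it) }
assert ecb[0] == ecb[2]                            // ECB shows which rows share an SSN
assert gcm[0] != gcm[2]                            // GCM output differs for equal inputs
assert gcm.collect { unmaskGcm(key, it) } == ssns  // and still decrypts to the originals
println "ECB: ${ecb}\nGCM: ${gcm}"
```

Because the GCM output changes on every run, a masked column can no longer be used to match records across files; if the receiving side relies on that matching, it is relying on exactly what ECB reveals.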

Was it helpful? Let me know 😊

 

!!!!! HaPpY LeArNiNg !!!!!

Sathya
