[SalesForce] Encrypt unique ID in URL to Marketing Cloud Custom Preference Center Page from SF Commerce Cloud

I have a Marketing Cloud custom preference center CloudPage posting and retrieving information directly from Sales Cloud based on Contact ID.
The page is accessible only via email. But we would like to include the page URL in Salesforce Commerce Cloud and pass the contact's unique ID via the URL parameter. The problem is that we want the parameter to be encrypted and then decrypted by Marketing Cloud via AMPscript.

My understanding is that Commerce Cloud is able to encrypt values: https://documentation.b2c.commercecloud.salesforce.com/DOC1/index.jsp?topic=%2Fcom.demandware.dochelp%2FDWAPI%2Fscriptapi%2Fhtml%2Fapi%2Fclass_dw_crypto_Cipher.html&cp=0_16_2_5_1

but Marketing Cloud cannot decrypt anything that is not stored in the platform?
https://developer.salesforce.com/docs/atlas.en-us.noversion.mc-programmatic-content.meta/mc-programmatic-content/DecryptSymmetric.htm

You can only use the EncryptSymmetric() and DecryptSymmetric()
AMPscript function on data contained within Marketing Cloud. Marketing
Cloud does not support the use of these functions in conjunction with
outside or third-party encryption and decryption functionality.

Is there an alternative?

Best Answer

Unfortunately, these are the only encryption functions available out of the box. The statement about the ability to use it with en-/decryption outside of Marketing Cloud is to some extent also true. This is due to these functions being implemented slightly differently from most programming languages and libraries.

However, there is one option that is known to work with certain other programming languages' en-/decryption methods. This is if you use "DES-ECB". Unfortunately, the block cipher mode "ECB" can be considered less safe if you have a lot of sample data or a lot of similar data. This is due to the fact that there is no diffusion and the same plaintext blocks always result in the same encrypted blocks.

So to summarize, you can use Marketing Cloud encryption with other systems, but the block cipher mode is less safe than for the others. If you nonetheless decide to use this, the algorithm and mode you need to supply to the EncryptSymmetric and DecryptSymmetric functions is "des;mode=ecb;padding=zeros".

Example encryption in PHP:

$encrypted_string = openssl_encrypt($string, "DES-ECB", $key, 0);

Example decryption in AMPscript:

SET @result = DecryptSymmetric(@encryptedString, "des;mode=ecb;padding=zeros", @null, @key, @null, @null, @null, @null)

This solution should also be compatible with Commerce Cloud according to the documentation you provided:

This class allows access to encryption services offered through the Java Cryptography Architecture (JCA). At this time the implementation of the encryption/decryption methods is based on the default JCE provider of the JDK. See the Java documentation for a reference guide to the underlying security provider and information about the Secure Sockets Extension.

(Source: Salesforce B2C Commerce - Class Cipher)

I also checked the Oracle documentation, which says that DES is available (Oracle JCE Provider).
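
The ECB property described in the answer, shown in PHP as an added example (not code from the original answer or from Salesforce). The key and contact IDs are constructed, the helper names are hypothetical, zero-byte padding is applied explicitly to mirror the "padding=zeros" setting, and it assumes an OpenSSL build that still provides DES (on OpenSSL 3.x that means the legacy provider).

```php
<?php
// Added example: key, IDs and helper names are constructed for illustration.
const ALGO  = 'DES-ECB'; // assumption: the local OpenSSL build still offers DES
const BLOCK = 8;         // DES block size in bytes

// Pad with zero bytes up to the next block boundary ("padding=zeros").
function zero_pad(string $data): string {
    $rem = strlen($data) % BLOCK;
    return $rem === 0 ? $data : $data . str_repeat("\0", BLOCK - $rem);
}

function encrypt_id(string $id, string $key): string {
    // OPENSSL_ZERO_PADDING switches off PHP's default PKCS#7 padding,
    // so the input must already be block-aligned (zero_pad does that).
    $ct = openssl_encrypt(zero_pad($id), ALGO, $key,
                          OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
    if ($ct === false) {
        throw new RuntimeException('DES-ECB failed: ' . openssl_error_string());
    }
    return $ct; // raw ciphertext bytes
}

function decrypt_id(string $ct, string $key): string {
    $pt = openssl_decrypt($ct, ALGO, $key,
                          OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
    if ($pt === false) {
        throw new RuntimeException('DES-ECB failed: ' . openssl_error_string());
    }
    return rtrim($pt, "\0"); // strip the zero padding again
}

$key = 'k3y-demo';           // constructed 8-byte DES key
$idA = '0035g00000AbCdEFGH'; // constructed 18-character contact IDs that
$idB = '0035g00000XyZwVUTS'; // share their first 8 characters

$ctA = encrypt_id($idA, $key);
$ctB = encrypt_id($idB, $key);

// URL-safe tokens as they would appear in the link parameter.
echo rawurlencode(base64_encode($ctA)), "\n";
echo rawurlencode(base64_encode($ctB)), "\n";

// Round trip recovers the original ID.
var_dump(decrypt_id($ctA, $key) === $idA);
// No IV or nonce: encrypting the same ID again gives the same token.
var_dump(encrypt_id($idA, $key) === $ctA);
// IDs with a common first 8-byte block share their first ciphertext block.
var_dump(substr($ctA, 0, BLOCK) === substr($ctB, 0, BLOCK));
```

Because the token for a given contact never changes and common ID prefixes stay visible as common ciphertext prefixes, the parameter behaves like a stable pseudonym rather than a fresh secret per link.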
