CRYPTO::decrypt

Description

This iRules command decrypts data.

Syntax

CRYPTO::decrypt (('-padding'  (pkcs | oaep) )
    ('-alg' ENCRYPT_DECRYPT_ALG)
    ('-ctx' CONTEXT)
    ('-final')
    (('-key' | '-keyhex') KEY)
    (('-iv'  | '-ivhex') VECTOR))#
    (CRYPTO_DATA)?

CRYPTO::decrypt [-alg <>] [-ctx <> [-final]] [-key[hex] <>] [-iv[hex] <>] [<data>] [-padding <”pkcs” | “oeap”>]

  • decrypts data based on several parameters

    • alg - algorithm. ASCII string from a given list (see below) The spelling is lowercase and the iRule will fail for anything not in the list. In ctx mode, alg must be given in the first CRYPTO::command and cannot be modified.

    • ctx - context is the name of a Tcl variable and can only be generated from and used in CRYPTO commands. Notes:

      • Trying to get or set value for a ctx variable will fail.
      • When a CTX variable is first used in iRule, a tcl object will be generated from the given arguments (alg, key, iv, etc.).
      • A given CTX variable can only be used for one CRYPTO::<encrypt|decrypt|sign|verify|hash> command. An iRule CRYPTO:: command would fail if CTX is reused for different purpose. “–final” must be used for the last CRYPTO:: command for the same CTX variable to finish the CRYPTO:: command. After “-final” is used, the CTX variable will be freed and the same ctx variable name can be reused.
      • When a CTX variable already has a key and an IV value stored in it, the value can only be updated before CRYPTO command really starts, that is before any data is given. After the command starts and before it finishes, updating key or IV in CTX would fail.
    • key - key (binary data). Key length is determined by alg used. Can be generated by CRYPTO::keygen

    • keyhex - key as hex data. Key length is determined by alg used. Can be generated by CRYPTO::keygen

    • padding - padding technique for asymmetric encryption operations. The default value is “pkcs”.

      Introduced in v14.

    • iv - initialization vector (binary data). Length is determined by alg used. Can be generated by CRYPTO::keygen

    • ivhex - initialization vector as hex data. Length is determined by alg used. Can be generated by CRYPTO::keygen


Algorithm List

Algorithm Cipher Name Block Size (bits) Key Size (bits)
aes-128-mode AES-128 128 128
aes-192-mode AES-192 128 192
aes-256-mode AES-256 128 256
bf-mode Blowfish 64 variable, up to 448
des-mode DES 64 56
des-ede-mode DES (2 key) 64 112
des-ede3-mode DES (3 key) 64 168
dea-mode IDEA 64 128
rc2-mode RC2 64 variable, 40 to 128
rc4 RC4 (stream cipher) N/A variable, up to 2048
rsa-priv RSA N/A variable, 1024 to 8192
rsa-pub RSA N/A variable, 1024 to 8192

Warning

Cryptography is very difficult to get correct. It is easy to create a system that looks secure but isn’t. The CRYPTO::encrypt and CRYPTO::decrypt commands were designed to provide interoperability between BIG-IP and 3rd-party software using common cipher algorithms (AES, Blowfish, DES, etc.).
The CRYPTO:: commands should not be used in an attempt to replace transport security protocols such as SSL for providing secure communication between devices. It is the responsibility of the iRule designer(s) to manage any compositional weaknesses in systems created using the CRYPTO:: commands.

Examples

when HTTP_REQUEST {
    set keys [CRYPTO::keygen -alg rsa -salthex 0f0f0f0f0f0f0f0f0f0f -len 1024]
    set pub_rsakey [lindex $keys 0]
    set priv_rsakey [lindex $keys 1]
    set data [string repeat "rsakeygen1" 11]
    set enc_data [CRYPTO::encrypt -alg rsa-pub -key $pub_rsakey $data]
    log "enc_data: [b64encode $enc_data]"
    HTTP::header insert rsa_encrypted "$enc_data"
    set dec_data [CRYPTO::decrypt -alg rsa-priv -key $priv_rsakey $enc_data]
    log "dec_data: $dec_data"
    HTTP::header insert rsa_decrypted "$dec_data"
}

Padding example
when HTTP_REQUEST {
    set privatekey {
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoZMBs9OxHPXfqa6eadOS4ZCUxRF2wzJxnlwLEfpmKintMF67
Gk4+gWRpf04NSoru0LZoIPh56PauxwsCz55zC+CJFDh/Zs7fOYoDz3uRVXjThEss
yZDAXTPqfrsjhQBQalcextWNnmGWbLKrAL6d7mtUzi8dtAJGPd/LtZIDIznLPy1i
Czndw3wYvK7N8wB1yWYyTcEx6WQ5SY6Q6/1ngFwNVkNTfgF3bJwfKMbTQzy/2OrZ
7Fm2RPqP63C+nSWSjrbY6Mz2mJuRbxE0//tkdY0ntlhJVyVNhOSRdpnw6rO4QkSu
AGN5wBlTbMoflxVBbK54ncR/JWjQ5o0MlJ9oFQIDAQABAoIBABfy5EO1UwFJ6HcM
LOres1y/w21aY1IXfgPM/M8TYGVLhZ6vy+fgRR+EtKZr+UhdQ3yoLNMGQXuoZMuX
9Di18bOG+oqGvUuNykSLEnmEhUw39pIbWm4eCIVIFq/mKSOjokfA1gz+xlj9egBu
ky4vEtWuDwnorexqkeLF8znchJ6JzCC0eHGknCbyMvuUAV5wdK0SevuMJszXNxzI
uvE2JiPFtpN49DDpWBh5SfSK8B22NlhID114/AJU2/qXC0zkRvaPhnVFvQSMBf/M
HkrLMwLHvAWJg9LbxoB09Pu5OpsWmdiLEhJls2AcoDxsddDRpySnTXClTE+oaMnQ
WiWYBwECgYEA0/eNBqsoKwnFkvHljSp9rsGe2hRLkXr3UnbwAkGQwRapLDamTluJ
3sb7rm3i6uCeCMzKAyY88r+geLtwdeaDAB1toEd5kIiSQ0lzzEMYLiebxHhzLNXW
y1ERSvxVWYTQ8q5hivC44V4wLcWcoHtf0K4hF8D1JvDAeGtKsl1UL2ECgYEAwyOP
CeL3dIrYyMoFrvuWxuJ76zmI9g4F6Z3CCV7Cr4iJVjVJ20naFHYnTq97Xx4yc9UX
TugL9rfFIZXbjMKp2XhWAJTGtwOEalmiTv4ZnIE1JfZUmrrEsg3+4Qzyduv+k6Iz
E/K8apWrXWPMnSuj8Uopmcm13JTh4/CAz87FOTUCgYAlJWPMgGAosqyyJLwisgiW
gI3zD81ycEc5Z2iGLLFOdUcuXWFlp/sQVHS0y8MRgE2RoznftWrG67gWkFqT/tKE
SaP1i7ENGDHxosStTjDFneFZW/ZrLApZVRqftnrKllD7xn2HmMn9jMEKtG/PW++d
pXZdME6GBXjlYYAUo/Bl4QKBgEs3MJJB/tnYDvlODWTGKvbcI6GmWqlk/Fhw63LL
KMWaHj2xapdw3vNWG46Tyzz9mbrWHxbWEI53hS+N4MNf4TIm1ReCQRoX6/lGNW63
OM3/a6oHSdMePGTZSi4a3HaEPmtPcNq2jHOU3ymvJxZJ1PZTfLd/bW7poCxI7o2r
CJAlAoGBAMWHRmPTvVNTXi39tZN7PbxN8OM+WMmPGRNr/Ue/tTLvqBgzPdsUkkfy
7vPLBYGu4WdiNXf9AmEJh6GZ+N+nexhn4ndIQb3DPi3a/ICfkoTFqaGSjt2E+mte
lk/tfyWIJH67j+L6pRHdyjfe5/MhMQY+MvS07IsJH3xMIKVO+iHp
-----END RSA PRIVATE KEY-----
}
    set publickey {
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZMBs9OxHPXfqa6eadOS
4ZCUxRF2wzJxnlwLEfpmKintMF67Gk4+gWRpf04NSoru0LZoIPh56PauxwsCz55z
C+CJFDh/Zs7fOYoDz3uRVXjThEssyZDAXTPqfrsjhQBQalcextWNnmGWbLKrAL6d
7mtUzi8dtAJGPd/LtZIDIznLPy1iCzndw3wYvK7N8wB1yWYyTcEx6WQ5SY6Q6/1n
gFwNVkNTfgF3bJwfKMbTQzy/2OrZ7Fm2RPqP63C+nSWSjrbY6Mz2mJuRbxE0//tk
dY0ntlhJVyVNhOSRdpnw6rO4QkSuAGN5wBlTbMoflxVBbK54ncR/JWjQ5o0MlJ9o
FQIDAQAB
-----END PUBLIC KEY-----
}
    set indata "this is"
    set cryptdata [CRYPTO::encrypt -alg rsa-pub -padding oaep -key $publickey $indata]
    set outdata   [CRYPTO::decrypt -alg rsa-priv -padding oaep -key $privatekey $cryptdata]
    log local0. "outdata=$outdata"
}