CRYPTO::encrypt

Description¶

This iRules command encrypts data. A ciphertext encrypted with this command should be decryptable by third party software.

Syntax¶

CRYPTO::encrypt (('-padding'  (pkcs | oaep) )
    ('-alg' ENCRYPT_DECRYPT_ALG)
    ('-ctx' CONTEXT)
    ('-final')
    (('-key' | '-keyhex') KEY)
    (('-iv'  | '-ivhex') VECTOR))#
    (CRYPTO_DATA)?

CRYPTO::encrypt [-alg <>] [-ctx <> [-final]] [-key[hex] <>] [-iv[hex] <>] [<data>] [-padding <”pkcs” | “oaep”>]¶

encrypts data based on several parameters
- alg - algorithm. ASCII string from a given list (see below) The spelling is lowercase and the iRule will fail for anything not in the list. In ctx mode, alg must be given in the first CRYPTO:: command and cannot be modified.
- ctx - context is the name of a Tcl variable and can only be generated from and used in CRYPTO commands. Notes:
  - Trying to get or set value for a ctx variable will fail.
  - When a CTX variable is first used in iRule, a tcl object will be generated from the given arguments (alg, key, iv, etc.).
  - A given CTX variable can only be used for one CRYPTO::<encrypt|decrypt|sign|verify|hash> command. An iRule CRYPTO:: command would fail if CTX is reused for different purpose. “–final” must be used for the last CRYPTO:: command for the same CTX variable to finish the CRYPTO:: command. After “-final” is used, the CTX variable will be freed and the same ctx variable name can be reused.
  - When a CTX variable already has a key and an IV value stored in it, the value can only be updated before CRYPTO command really starts, that is before any data is given. After the command starts and before it finishes, updating key or IV in CTX would fail.
- key - key (binary data). Key length is determined by alg used. Can be generated by CRYPTO::keygen
- keyhex - key as hex data. Key length is determined by alg used. Can be generated by CRYPTO::keygen
- padding - padding technique for asymmetric encryption operations. The default value is “pkcs”.
  
  Introduced in v14.
- iv - initialization vector (binary data). Length is determined by alg used. Can be generated by CRYPTO::keygen
- ivhex - initialization vector as hex data. Length is determined by alg used. Can be generated by CRYPTO::keygen

Algorithm List¶

Algorithm	Cipher Name	Block Size (bits)	Key Size (bits)	Modes
aes-128-mode	AES-128	128	128	cbc,cfb,cwc,ecb,ofb
aes-192-mode	AES-192	128	192	cbc,cfb,cwc,ecb,ofb
aes-256-mode	AES-256	128	256	cbc,cfb,cwc,ecb,ofb
bf-mode	Blowfish	64	variable, up to 448	cbc,cfb,ecb,ofb
des-mode	DES	64	56	cbc,cfb,ecb,ofb
des-ede-mode	DES (2 key)	64	112	cbc,cfb,ecb,ofb
des-ede3-mode	DES (3 key)	64	168	cbc,cfb,ecb,ofb
dea-mode	IDEA	64	128
rc2-mode	RC2	64	variable, 40 to 128
rc4	RC4 (stream cipher)	N/A	variable, up to 2048
rsa-priv	RSA	N/A	variable, 1024 to 8192
rsa-pub	RSA	N/A	variable, 1024 to 8192

Warning¶

Cryptography is very difficult to get correct. It is easy to create a system that looks secure but isn’t. The CRYPTO::encrypt and CRYPTO::decrypt commands were designed to** **provide interoperability between BIG-IP and 3rd-party software using common cipher algorithms (AES, Blowfish, DES, etc.).

The CRYPTO:: commands should not be used in an attempt to replace transport security protocols such as SSL for providing secure communication between devices. It is the responsibility of the iRule designer(s) to manage any compositional weaknesses in systems created using the CRYPTO:: commands.

Examples¶

Encrypt an MSISDN header

# Encrypt the MSISDN header for each request.
# The encryption is deliberately designed to be insecure;
# that is, the same MSISDN will always be encrypted to
# the same ciphertext. And since the IV will always be
# the same for each encryption, there's no need to send
# it out with the ciphertext.
#
when SIP_REQUEST {
    set key "abed1ddc04fbb05856bca4a0ca60f21e"
    set iv "d78d86d9084eb9239694c9a733904037"
    set enc_msisdn [CRYPTO::encrypt -alg aes-128-cbc -keyhex $key -ivhex $iv [SIP::header "MSISDN"]]
    SIP::header remove "MSISDN"
    SIP::header insert "MSISDN" [b64encode $enc_msisdn]
}

when HTTP_REQUEST {
    set keys [CRYPTO::keygen -alg rsa -salthex 0f0f0f0f0f0f0f0f0f0f -len 1024]
    set pub_rsakey [lindex $keys 0]
    set priv_rsakey [lindex $keys 1]
    set data [string repeat "rsakeygen1" 11]
    set enc_data [CRYPTO::encrypt -alg rsa-pub -key $pub_rsakey $data]
    log "enc_data: [b64encode $enc_data]"
    HTTP::header insert rsa_encrypted "$enc_data"
    set dec_data [CRYPTO::decrypt -alg rsa-priv -key $priv_rsakey $enc_data]
    log "dec_data: $dec_data"
    HTTP::header insert rsa_decrypted "$dec_data"
}

Padding example

when HTTP_REQUEST {
    set privatekey {
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoZMBs9OxHPXfqa6eadOS4ZCUxRF2wzJxnlwLEfpmKintMF67
Gk4+gWRpf04NSoru0LZoIPh56PauxwsCz55zC+CJFDh/Zs7fOYoDz3uRVXjThEss
yZDAXTPqfrsjhQBQalcextWNnmGWbLKrAL6d7mtUzi8dtAJGPd/LtZIDIznLPy1i
Czndw3wYvK7N8wB1yWYyTcEx6WQ5SY6Q6/1ngFwNVkNTfgF3bJwfKMbTQzy/2OrZ
7Fm2RPqP63C+nSWSjrbY6Mz2mJuRbxE0//tkdY0ntlhJVyVNhOSRdpnw6rO4QkSu
AGN5wBlTbMoflxVBbK54ncR/JWjQ5o0MlJ9oFQIDAQABAoIBABfy5EO1UwFJ6HcM
LOres1y/w21aY1IXfgPM/M8TYGVLhZ6vy+fgRR+EtKZr+UhdQ3yoLNMGQXuoZMuX
9Di18bOG+oqGvUuNykSLEnmEhUw39pIbWm4eCIVIFq/mKSOjokfA1gz+xlj9egBu
ky4vEtWuDwnorexqkeLF8znchJ6JzCC0eHGknCbyMvuUAV5wdK0SevuMJszXNxzI
uvE2JiPFtpN49DDpWBh5SfSK8B22NlhID114/AJU2/qXC0zkRvaPhnVFvQSMBf/M
HkrLMwLHvAWJg9LbxoB09Pu5OpsWmdiLEhJls2AcoDxsddDRpySnTXClTE+oaMnQ
WiWYBwECgYEA0/eNBqsoKwnFkvHljSp9rsGe2hRLkXr3UnbwAkGQwRapLDamTluJ
3sb7rm3i6uCeCMzKAyY88r+geLtwdeaDAB1toEd5kIiSQ0lzzEMYLiebxHhzLNXW
y1ERSvxVWYTQ8q5hivC44V4wLcWcoHtf0K4hF8D1JvDAeGtKsl1UL2ECgYEAwyOP
CeL3dIrYyMoFrvuWxuJ76zmI9g4F6Z3CCV7Cr4iJVjVJ20naFHYnTq97Xx4yc9UX
TugL9rfFIZXbjMKp2XhWAJTGtwOEalmiTv4ZnIE1JfZUmrrEsg3+4Qzyduv+k6Iz
E/K8apWrXWPMnSuj8Uopmcm13JTh4/CAz87FOTUCgYAlJWPMgGAosqyyJLwisgiW
gI3zD81ycEc5Z2iGLLFOdUcuXWFlp/sQVHS0y8MRgE2RoznftWrG67gWkFqT/tKE
SaP1i7ENGDHxosStTjDFneFZW/ZrLApZVRqftnrKllD7xn2HmMn9jMEKtG/PW++d
pXZdME6GBXjlYYAUo/Bl4QKBgEs3MJJB/tnYDvlODWTGKvbcI6GmWqlk/Fhw63LL
KMWaHj2xapdw3vNWG46Tyzz9mbrWHxbWEI53hS+N4MNf4TIm1ReCQRoX6/lGNW63
OM3/a6oHSdMePGTZSi4a3HaEPmtPcNq2jHOU3ymvJxZJ1PZTfLd/bW7poCxI7o2r
CJAlAoGBAMWHRmPTvVNTXi39tZN7PbxN8OM+WMmPGRNr/Ue/tTLvqBgzPdsUkkfy
7vPLBYGu4WdiNXf9AmEJh6GZ+N+nexhn4ndIQb3DPi3a/ICfkoTFqaGSjt2E+mte
lk/tfyWIJH67j+L6pRHdyjfe5/MhMQY+MvS07IsJH3xMIKVO+iHp
-----END RSA PRIVATE KEY-----
}
    set publickey {
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZMBs9OxHPXfqa6eadOS
4ZCUxRF2wzJxnlwLEfpmKintMF67Gk4+gWRpf04NSoru0LZoIPh56PauxwsCz55z
C+CJFDh/Zs7fOYoDz3uRVXjThEssyZDAXTPqfrsjhQBQalcextWNnmGWbLKrAL6d
7mtUzi8dtAJGPd/LtZIDIznLPy1iCzndw3wYvK7N8wB1yWYyTcEx6WQ5SY6Q6/1n
gFwNVkNTfgF3bJwfKMbTQzy/2OrZ7Fm2RPqP63C+nSWSjrbY6Mz2mJuRbxE0//tk
dY0ntlhJVyVNhOSRdpnw6rO4QkSuAGN5wBlTbMoflxVBbK54ncR/JWjQ5o0MlJ9o
FQIDAQAB
-----END PUBLIC KEY-----
}
    set indata "this is"
    set cryptdata [CRYPTO::encrypt -alg rsa-pub -padding oaep -key $publickey $indata]
    set outdata   [CRYPTO::decrypt -alg rsa-priv -padding oaep -key $privatekey $cryptdata]
    log local0. "outdata=$outdata"
}

Related Information¶

Valid Events:

Warning

The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.

Sample Code:

Introduced: LTM-11.1.0

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.

CRYPTO::encrypt¶

Description¶

Syntax¶

CRYPTO::encrypt [-alg <>] [-ctx <> [-final]] [-key[hex] <>] [-iv[hex] <>] [<data>] [-padding <”pkcs” | “oaep”>]¶

Algorithm List¶

Warning¶

Examples¶

Related Information¶