CRYPTO::encrypt¶
Description¶
Syntax¶
CRYPTO::encrypt (('-padding' (pkcs | oaep) )
('-alg' ENCRYPT_DECRYPT_ALG)
('-ctx' CONTEXT)
('-final')
(('-key' | '-keyhex') KEY)
(('-iv' | '-ivhex') VECTOR))#
(CRYPTO_DATA)?
CRYPTO::encrypt [-alg <>] [-ctx <> [-final]] [-key[hex] <>] [-iv[hex] <>] [<data>] [-padding <”pkcs” | “oaep”>]¶
encrypts data based on several parameters
alg - algorithm. ASCII string from a given list (see below) The spelling is lowercase and the iRule will fail for anything not in the list. In ctx mode, alg must be given in the first CRYPTO:: command and cannot be modified.
ctx - context is the name of a Tcl variable and can only be generated from and used in CRYPTO commands. Notes:
- Trying to get or set value for a ctx variable will fail.
- When a CTX variable is first used in iRule, a tcl object will be generated from the given arguments (alg, key, iv, etc.).
- A given CTX variable can only be used for one CRYPTO::<encrypt|decrypt|sign|verify|hash> command. An iRule CRYPTO:: command would fail if CTX is reused for different purpose. “–final” must be used for the last CRYPTO:: command for the same CTX variable to finish the CRYPTO:: command. After “-final” is used, the CTX variable will be freed and the same ctx variable name can be reused.
- When a CTX variable already has a key and an IV value stored in it, the value can only be updated before CRYPTO command really starts, that is before any data is given. After the command starts and before it finishes, updating key or IV in CTX would fail.
key - key (binary data). Key length is determined by alg used. Can be generated by CRYPTO::keygen
keyhex - key as hex data. Key length is determined by alg used. Can be generated by CRYPTO::keygen
padding - padding technique for asymmetric encryption operations. The default value is “pkcs”.
Introduced in v14.
iv - initialization vector (binary data). Length is determined by alg used. Can be generated by CRYPTO::keygen
ivhex - initialization vector as hex data. Length is determined by alg used. Can be generated by CRYPTO::keygen
Algorithm List¶
Algorithm | Cipher Name | Block Size (bits) | Key Size (bits) | Modes |
---|---|---|---|---|
aes-128-mode | AES-128 | 128 | 128 | cbc,cfb,cwc,ecb,ofb |
aes-192-mode | AES-192 | 128 | 192 | cbc,cfb,cwc,ecb,ofb |
aes-256-mode | AES-256 | 128 | 256 | cbc,cfb,cwc,ecb,ofb |
bf-mode | Blowfish | 64 | variable, up to 448 | cbc,cfb,ecb,ofb |
des-mode | DES | 64 | 56 | cbc,cfb,ecb,ofb |
des-ede-mode | DES (2 key) | 64 | 112 | cbc,cfb,ecb,ofb |
des-ede3-mode | DES (3 key) | 64 | 168 | cbc,cfb,ecb,ofb |
dea-mode | IDEA | 64 | 128 | |
rc2-mode | RC2 | 64 | variable, 40 to 128 | |
rc4 | RC4 (stream cipher) | N/A | variable, up to 2048 | |
rsa-priv | RSA | N/A | variable, 1024 to 8192 | |
rsa-pub | RSA | N/A | variable, 1024 to 8192 |
Warning¶
Examples¶
# Encrypt the MSISDN header for each request.
# The encryption is deliberately designed to be insecure;
# that is, the same MSISDN will always be encrypted to
# the same ciphertext. And since the IV will always be
# the same for each encryption, there's no need to send
# it out with the ciphertext.
#
when SIP_REQUEST {
set key "abed1ddc04fbb05856bca4a0ca60f21e"
set iv "d78d86d9084eb9239694c9a733904037"
set enc_msisdn [CRYPTO::encrypt -alg aes-128-cbc -keyhex $key -ivhex $iv [SIP::header "MSISDN"]]
SIP::header remove "MSISDN"
SIP::header insert "MSISDN" [b64encode $enc_msisdn]
}
when HTTP_REQUEST {
set keys [CRYPTO::keygen -alg rsa -salthex 0f0f0f0f0f0f0f0f0f0f -len 1024]
set pub_rsakey [lindex $keys 0]
set priv_rsakey [lindex $keys 1]
set data [string repeat "rsakeygen1" 11]
set enc_data [CRYPTO::encrypt -alg rsa-pub -key $pub_rsakey $data]
log "enc_data: [b64encode $enc_data]"
HTTP::header insert rsa_encrypted "$enc_data"
set dec_data [CRYPTO::decrypt -alg rsa-priv -key $priv_rsakey $enc_data]
log "dec_data: $dec_data"
HTTP::header insert rsa_decrypted "$dec_data"
}
when HTTP_REQUEST {
set privatekey {
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoZMBs9OxHPXfqa6eadOS4ZCUxRF2wzJxnlwLEfpmKintMF67
Gk4+gWRpf04NSoru0LZoIPh56PauxwsCz55zC+CJFDh/Zs7fOYoDz3uRVXjThEss
yZDAXTPqfrsjhQBQalcextWNnmGWbLKrAL6d7mtUzi8dtAJGPd/LtZIDIznLPy1i
Czndw3wYvK7N8wB1yWYyTcEx6WQ5SY6Q6/1ngFwNVkNTfgF3bJwfKMbTQzy/2OrZ
7Fm2RPqP63C+nSWSjrbY6Mz2mJuRbxE0//tkdY0ntlhJVyVNhOSRdpnw6rO4QkSu
AGN5wBlTbMoflxVBbK54ncR/JWjQ5o0MlJ9oFQIDAQABAoIBABfy5EO1UwFJ6HcM
LOres1y/w21aY1IXfgPM/M8TYGVLhZ6vy+fgRR+EtKZr+UhdQ3yoLNMGQXuoZMuX
9Di18bOG+oqGvUuNykSLEnmEhUw39pIbWm4eCIVIFq/mKSOjokfA1gz+xlj9egBu
ky4vEtWuDwnorexqkeLF8znchJ6JzCC0eHGknCbyMvuUAV5wdK0SevuMJszXNxzI
uvE2JiPFtpN49DDpWBh5SfSK8B22NlhID114/AJU2/qXC0zkRvaPhnVFvQSMBf/M
HkrLMwLHvAWJg9LbxoB09Pu5OpsWmdiLEhJls2AcoDxsddDRpySnTXClTE+oaMnQ
WiWYBwECgYEA0/eNBqsoKwnFkvHljSp9rsGe2hRLkXr3UnbwAkGQwRapLDamTluJ
3sb7rm3i6uCeCMzKAyY88r+geLtwdeaDAB1toEd5kIiSQ0lzzEMYLiebxHhzLNXW
y1ERSvxVWYTQ8q5hivC44V4wLcWcoHtf0K4hF8D1JvDAeGtKsl1UL2ECgYEAwyOP
CeL3dIrYyMoFrvuWxuJ76zmI9g4F6Z3CCV7Cr4iJVjVJ20naFHYnTq97Xx4yc9UX
TugL9rfFIZXbjMKp2XhWAJTGtwOEalmiTv4ZnIE1JfZUmrrEsg3+4Qzyduv+k6Iz
E/K8apWrXWPMnSuj8Uopmcm13JTh4/CAz87FOTUCgYAlJWPMgGAosqyyJLwisgiW
gI3zD81ycEc5Z2iGLLFOdUcuXWFlp/sQVHS0y8MRgE2RoznftWrG67gWkFqT/tKE
SaP1i7ENGDHxosStTjDFneFZW/ZrLApZVRqftnrKllD7xn2HmMn9jMEKtG/PW++d
pXZdME6GBXjlYYAUo/Bl4QKBgEs3MJJB/tnYDvlODWTGKvbcI6GmWqlk/Fhw63LL
KMWaHj2xapdw3vNWG46Tyzz9mbrWHxbWEI53hS+N4MNf4TIm1ReCQRoX6/lGNW63
OM3/a6oHSdMePGTZSi4a3HaEPmtPcNq2jHOU3ymvJxZJ1PZTfLd/bW7poCxI7o2r
CJAlAoGBAMWHRmPTvVNTXi39tZN7PbxN8OM+WMmPGRNr/Ue/tTLvqBgzPdsUkkfy
7vPLBYGu4WdiNXf9AmEJh6GZ+N+nexhn4ndIQb3DPi3a/ICfkoTFqaGSjt2E+mte
lk/tfyWIJH67j+L6pRHdyjfe5/MhMQY+MvS07IsJH3xMIKVO+iHp
-----END RSA PRIVATE KEY-----
}
set publickey {
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZMBs9OxHPXfqa6eadOS
4ZCUxRF2wzJxnlwLEfpmKintMF67Gk4+gWRpf04NSoru0LZoIPh56PauxwsCz55z
C+CJFDh/Zs7fOYoDz3uRVXjThEssyZDAXTPqfrsjhQBQalcextWNnmGWbLKrAL6d
7mtUzi8dtAJGPd/LtZIDIznLPy1iCzndw3wYvK7N8wB1yWYyTcEx6WQ5SY6Q6/1n
gFwNVkNTfgF3bJwfKMbTQzy/2OrZ7Fm2RPqP63C+nSWSjrbY6Mz2mJuRbxE0//tk
dY0ntlhJVyVNhOSRdpnw6rO4QkSuAGN5wBlTbMoflxVBbK54ncR/JWjQ5o0MlJ9o
FQIDAQAB
-----END PUBLIC KEY-----
}
set indata "this is"
set cryptdata [CRYPTO::encrypt -alg rsa-pub -padding oaep -key $publickey $indata]
set outdata [CRYPTO::decrypt -alg rsa-priv -padding oaep -key $privatekey $cryptdata]
log local0. "outdata=$outdata"
}