CRYPTO::encrypt

Description

This iRules command encrypts data. A ciphertext encrypted with this command should be decryptable by third-party software.

Syntax

CRYPTO::encrypt (('-padding'  (pkcs | oaep) )
    ('-alg' ENCRYPT_DECRYPT_ALG)
    ('-ctx' CONTEXT)
    ('-final')
    (('-key' | '-keyhex') KEY)
    (('-iv'  | '-ivhex') VECTOR))#
    (CRYPTO_DATA)?

CRYPTO::encrypt [-alg <>] [-ctx <> [-final]] [-key[hex] <>] [-iv[hex] <>] [<data>] [-padding <"pkcs" | "oaep">]

  • encrypts data based on several parameters

    • alg - algorithm. ASCII string from a given list (see below). The spelling is lowercase and the iRule will fail for anything not in the list. In ctx mode, alg must be given in the first CRYPTO:: command and cannot be modified.

    • ctx - context is the name of a Tcl variable and can only be generated from and used in CRYPTO commands. Notes:

      • Trying to get or set value for a ctx variable will fail.
      • When a CTX variable is first used in an iRule, a Tcl object will be generated from the given arguments (alg, key, iv, etc.).
      • A given CTX variable can only be used for one CRYPTO::<encrypt|decrypt|sign|verify|hash> command. An iRule CRYPTO:: command will fail if the CTX is reused for a different purpose. "-final" must be used on the last CRYPTO:: command for the same CTX variable to finish the operation. After "-final" is used, the CTX variable is freed and the same ctx variable name can be reused.
      • When a CTX variable already has a key and an IV value stored in it, the values can only be updated before the CRYPTO command really starts, that is, before any data is given. After the command starts and before it finishes, updating the key or IV in the CTX will fail.
    • key - key (binary data). Key length is determined by the alg used. Can be generated by CRYPTO::keygen.

    • keyhex - key as hex data. Key length is determined by the alg used. Can be generated by CRYPTO::keygen.

    • padding - padding technique for asymmetric encryption operations. The default value is “pkcs”.

      Introduced in v14.

    • iv - initialization vector (binary data). Length is determined by the alg used. Can be generated by CRYPTO::keygen.

    • ivhex - initialization vector as hex data. Length is determined by the alg used. Can be generated by CRYPTO::keygen.


Algorithm List

| Algorithm | Cipher Name | Block Size (bits) | Key Size (bits) | Modes |
|---|---|---|---|---|
| aes-128-mode | AES-128 | 128 | 128 | cbc,cfb,cwc,ecb,ofb |
| aes-192-mode | AES-192 | 128 | 192 | cbc,cfb,cwc,ecb,ofb |
| aes-256-mode | AES-256 | 128 | 256 | cbc,cfb,cwc,ecb,ofb |
| bf-mode | Blowfish | 64 | variable, up to 448 | cbc,cfb,ecb,ofb |
| des-mode | DES | 64 | 56 | cbc,cfb,ecb,ofb |
| des-ede-mode | DES (2 key) | 64 | 112 | cbc,cfb,ecb,ofb |
| des-ede3-mode | DES (3 key) | 64 | 168 | cbc,cfb,ecb,ofb |
| dea-mode | IDEA | 64 | 128 | |
| rc2-mode | RC2 | 64 | variable, 40 to 128 | |
| rc4 | RC4 (stream cipher) | N/A | variable, up to 2048 | |
| rsa-priv | RSA | N/A | variable, 1024 to 8192 | |
| rsa-pub | RSA | N/A | variable, 1024 to 8192 | |

Warning

Cryptography is very difficult to get correct. It is easy to create a system that looks secure but isn't. The CRYPTO::encrypt and CRYPTO::decrypt commands were designed to provide interoperability between BIG-IP and 3rd-party software using common cipher algorithms (AES, Blowfish, DES, etc.).
The CRYPTO:: commands should not be used in an attempt to replace transport security protocols such as SSL for providing secure communication between devices. It is the responsibility of the iRule designer(s) to manage any compositional weaknesses in systems created using the CRYPTO:: commands.

Examples

Encrypt an MSISDN header
# Encrypt the MSISDN header for each request.
# The encryption is deliberately designed to be insecure;
# that is, the same MSISDN will always be encrypted to
# the same ciphertext. And since the IV will always be
# the same for each encryption, there's no need to send
# it out with the ciphertext.
#
when SIP_REQUEST {
    set key "abed1ddc04fbb05856bca4a0ca60f21e"
    set iv "d78d86d9084eb9239694c9a733904037"
    set enc_msisdn [CRYPTO::encrypt -alg aes-128-cbc -keyhex $key -ivhex $iv [SIP::header "MSISDN"]]
    SIP::header remove "MSISDN"
    SIP::header insert "MSISDN" [b64encode $enc_msisdn]
}
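
The following is an added example, not part of the original documentation: it reproduces the MSISDN encryption above with the OpenSSL command line to show the third-party side of the exchange and what the fixed IV means in practice. It assumes CRYPTO::encrypt applies PKCS#7 padding for block ciphers (the OpenSSL default); the sample MSISDN and the `<iv hex>:<base64>` format of the random-IV variant are constructed for illustration.

```shell
#!/bin/sh
# Key and IV are the hex values hard-coded in the iRule above.
KEY=abed1ddc04fbb05856bca4a0ca60f21e
IV=d78d86d9084eb9239694c9a733904037

# Same operation as the iRule: AES-128-CBC under the fixed key/IV, then base64.
# Assumption: CRYPTO::encrypt pads with PKCS#7, as OpenSSL does by default.
encrypt_fixed_iv() {
    printf '%s' "$1" | openssl enc -aes-128-cbc -K "$KEY" -iv "$IV" -a -A
}

# What the receiving system does with the MSISDN header value.
decrypt_fixed_iv() {
    printf '%s\n' "$1" | openssl enc -d -aes-128-cbc -K "$KEY" -iv "$IV" -a -A
}

# Contrast: a fresh random IV per message, carried as "<iv hex>:<base64>".
# This wire format is hypothetical, chosen only for this example.
encrypt_random_iv() {
    riv=$(openssl rand -hex 16)
    printf '%s:' "$riv"
    printf '%s' "$1" | openssl enc -aes-128-cbc -K "$KEY" -iv "$riv" -a -A
}

decrypt_random_iv() {
    riv=${1%%:*}    # text before the first ':' is the IV
    printf '%s\n' "${1#*:}" | openssl enc -d -aes-128-cbc -K "$KEY" -iv "$riv" -a -A
}

demo() {
    m=15551230001   # constructed sample MSISDN
    echo "fixed IV : $(encrypt_fixed_iv "$m")"
    echo "fixed IV : $(encrypt_fixed_iv "$m")   (identical, so requests can be linked)"
    echo "random IV: $(encrypt_random_iv "$m")"
    echo "random IV: $(encrypt_random_iv "$m")   (differs on every request)"
    echo "decrypted: $(decrypt_fixed_iv "$(encrypt_fixed_iv "$m")")"
}
demo
```

Neither variant authenticates the ciphertext; a receiver that must detect a modified header value needs an integrity check in addition to the encryption.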

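when HTTP_REQUEST {
    # The key list holds the public key at index 0 and the private key at index 1.
    set keys [CRYPTO::keygen -alg rsa -salthex 0f0f0f0f0f0f0f0f0f0f -len 1024]
    set pub_rsakey [lindex $keys 0]
    set priv_rsakey [lindex $keys 1]
    # 110 bytes of sample plaintext.
    set data [string repeat "rsakeygen1" 11]
    # No -padding is given, so the default ("pkcs") applies.
    set enc_data [CRYPTO::encrypt -alg rsa-pub -key $pub_rsakey $data]
    log "enc_data: [b64encode $enc_data]"
    # The ciphertext is binary; base64-encode it before placing it in a header.
    HTTP::header insert rsa_encrypted [b64encode $enc_data]
    set dec_data [CRYPTO::decrypt -alg rsa-priv -key $priv_rsakey $enc_data]
    log "dec_data: $dec_data"
    HTTP::header insert rsa_decrypted "$dec_data"
}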

Padding example
when HTTP_REQUEST {
    set privatekey {
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoZMBs9OxHPXfqa6eadOS4ZCUxRF2wzJxnlwLEfpmKintMF67
Gk4+gWRpf04NSoru0LZoIPh56PauxwsCz55zC+CJFDh/Zs7fOYoDz3uRVXjThEss
yZDAXTPqfrsjhQBQalcextWNnmGWbLKrAL6d7mtUzi8dtAJGPd/LtZIDIznLPy1i
Czndw3wYvK7N8wB1yWYyTcEx6WQ5SY6Q6/1ngFwNVkNTfgF3bJwfKMbTQzy/2OrZ
7Fm2RPqP63C+nSWSjrbY6Mz2mJuRbxE0//tkdY0ntlhJVyVNhOSRdpnw6rO4QkSu
AGN5wBlTbMoflxVBbK54ncR/JWjQ5o0MlJ9oFQIDAQABAoIBABfy5EO1UwFJ6HcM
LOres1y/w21aY1IXfgPM/M8TYGVLhZ6vy+fgRR+EtKZr+UhdQ3yoLNMGQXuoZMuX
9Di18bOG+oqGvUuNykSLEnmEhUw39pIbWm4eCIVIFq/mKSOjokfA1gz+xlj9egBu
ky4vEtWuDwnorexqkeLF8znchJ6JzCC0eHGknCbyMvuUAV5wdK0SevuMJszXNxzI
uvE2JiPFtpN49DDpWBh5SfSK8B22NlhID114/AJU2/qXC0zkRvaPhnVFvQSMBf/M
HkrLMwLHvAWJg9LbxoB09Pu5OpsWmdiLEhJls2AcoDxsddDRpySnTXClTE+oaMnQ
WiWYBwECgYEA0/eNBqsoKwnFkvHljSp9rsGe2hRLkXr3UnbwAkGQwRapLDamTluJ
3sb7rm3i6uCeCMzKAyY88r+geLtwdeaDAB1toEd5kIiSQ0lzzEMYLiebxHhzLNXW
y1ERSvxVWYTQ8q5hivC44V4wLcWcoHtf0K4hF8D1JvDAeGtKsl1UL2ECgYEAwyOP
CeL3dIrYyMoFrvuWxuJ76zmI9g4F6Z3CCV7Cr4iJVjVJ20naFHYnTq97Xx4yc9UX
TugL9rfFIZXbjMKp2XhWAJTGtwOEalmiTv4ZnIE1JfZUmrrEsg3+4Qzyduv+k6Iz
E/K8apWrXWPMnSuj8Uopmcm13JTh4/CAz87FOTUCgYAlJWPMgGAosqyyJLwisgiW
gI3zD81ycEc5Z2iGLLFOdUcuXWFlp/sQVHS0y8MRgE2RoznftWrG67gWkFqT/tKE
SaP1i7ENGDHxosStTjDFneFZW/ZrLApZVRqftnrKllD7xn2HmMn9jMEKtG/PW++d
pXZdME6GBXjlYYAUo/Bl4QKBgEs3MJJB/tnYDvlODWTGKvbcI6GmWqlk/Fhw63LL
KMWaHj2xapdw3vNWG46Tyzz9mbrWHxbWEI53hS+N4MNf4TIm1ReCQRoX6/lGNW63
OM3/a6oHSdMePGTZSi4a3HaEPmtPcNq2jHOU3ymvJxZJ1PZTfLd/bW7poCxI7o2r
CJAlAoGBAMWHRmPTvVNTXi39tZN7PbxN8OM+WMmPGRNr/Ue/tTLvqBgzPdsUkkfy
7vPLBYGu4WdiNXf9AmEJh6GZ+N+nexhn4ndIQb3DPi3a/ICfkoTFqaGSjt2E+mte
lk/tfyWIJH67j+L6pRHdyjfe5/MhMQY+MvS07IsJH3xMIKVO+iHp
-----END RSA PRIVATE KEY-----
}
    set publickey {
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZMBs9OxHPXfqa6eadOS
4ZCUxRF2wzJxnlwLEfpmKintMF67Gk4+gWRpf04NSoru0LZoIPh56PauxwsCz55z
C+CJFDh/Zs7fOYoDz3uRVXjThEssyZDAXTPqfrsjhQBQalcextWNnmGWbLKrAL6d
7mtUzi8dtAJGPd/LtZIDIznLPy1iCzndw3wYvK7N8wB1yWYyTcEx6WQ5SY6Q6/1n
gFwNVkNTfgF3bJwfKMbTQzy/2OrZ7Fm2RPqP63C+nSWSjrbY6Mz2mJuRbxE0//tk
dY0ntlhJVyVNhOSRdpnw6rO4QkSuAGN5wBlTbMoflxVBbK54ncR/JWjQ5o0MlJ9o
FQIDAQAB
-----END PUBLIC KEY-----
}
    set indata "this is"
    set cryptdata [CRYPTO::encrypt -alg rsa-pub -padding oaep -key $publickey $indata]
    set outdata   [CRYPTO::decrypt -alg rsa-priv -padding oaep -key $privatekey $cryptdata]
    log local0. "outdata=$outdata"
}