ltm rule command CRYPTO encrypt
iRule(1) BIG-IP TMSH Manual iRule(1)
CRYPTO::encrypt
Encrypts data.
SYNOPSIS
CRYPTO::encrypt (('-padding' (pkcs | oaep) )
('-alg' ENCRYPT_DECRYPT_ALG)
('-ctx' CONTEXT)
('-final')
(('-key' | '-keyhex') KEY)
(('-iv' | '-ivhex') VECTOR)
)#
(CRYPTO_DATA)?
DESCRIPTION
This iRules command encrypts data. A ciphertext encrypted with this
command should be decryptable by third party software.
CRYPTO::encrypt [-alg <>] [-ctx <> [-final]] [-key[hex] <>] [-iv[hex]
<>] []
[-padding <"pkcs" | "oaep">]
* encrypts data based on several parameters
+ alg - algorithm. ASCII string from a given list (see below)
The spelling is lowercase and the iRule will fail for anything
not in the list. In ctx mode, alg must be given in the first
CRYPTO:: command and cannot be modified.
+ ctx - context is the name of a Tcl variable and can only be
generated from and used in CRYPTO commands. Notes:
o Trying to get or set the value of a ctx variable will fail.
o When a CTX variable is first used in an iRule, a Tcl object
will be generated from the given arguments (alg, key, iv,
etc.).
o A given CTX variable can only be used for one
CRYPTO:: command. An
iRule CRYPTO:: command would fail if the CTX is reused for a
different purpose. "-final" must be used for the last
CRYPTO:: command for the same CTX variable to finish the
CRYPTO:: command. After "-final" is used, the CTX
variable will be freed and the same ctx variable name can
be reused.
o When a CTX variable already has a key and an IV value
stored in it, the value can only be updated before the CRYPTO
command actually starts, that is, before any data is given.
After the command starts and before it finishes, updating
the key or IV in the CTX would fail.
+ key - key (binary data). Key length is determined by alg used.
Can be generated by CRYPTO::keygen
+ keyhex - key as hex data. Key length is determined by alg
used. Can be generated by CRYPTO::keygen
+ padding - padding technique for asymmetric encryption operations.
The default value is "pkcs".
+ iv - initialization vector (binary data). Length is determined
by alg used. Can be generated by CRYPTO::keygen
+ ivhex - initialization vector as hex data. Length is
determined by alg used. Can be generated by CRYPTO::keygen
Algorithm List
Algorithm      Cipher Name          Block Size (bits)  Key Size (bits)       Modes
aes-128-mode   AES-128              128                128                   cbc,cfb,cwc,ecb,ofb
aes-192-mode   AES-192              128                192                   cbc,cfb,cwc,ecb,ofb
aes-256-mode   AES-256              128                256                   cbc,cfb,cwc,ecb,ofb
bf-mode        Blowfish             64                 variable, up to 448   cbc,cfb,ecb,ofb
des-mode       DES                  64                 56                    cbc,cfb,ecb,ofb
des-ede-mode   DES (2 key)          64                 112                   cbc,cfb,ecb,ofb
des-ede3-mode  DES (3 key)          64                 168                   cbc,cfb,ecb,ofb
idea-mode      IDEA                 64                 128
rc2-mode       RC2                  64                 variable, 40 to 128
rc4            RC4 (stream cipher)  N/A                variable, up to 2048
In the Algorithm column, "mode" is replaced by one of the listed modes,
e.g. aes-128-cbc as used in the example below.
Warning
Cryptography is very difficult to get correct. It is easy to create a
system that looks secure but isn't. The CRYPTO::encrypt and
CRYPTO::decrypt commands were designed to provide interoperability
between BIG-IP and 3rd-party software using common cipher algorithms
(AES, Blowfish, DES, etc.).
The CRYPTO:: commands should not be used in an attempt to replace
transport security protocols such as SSL for providing secure
communication between devices. It is the responsibility of the iRule
designer(s) to manage any compositional weaknesses in systems created
using the CRYPTO:: commands.
RETURN VALUE
VALID DURING
EXAMPLES
Encrypt an MSISDN header
# Encrypt the MSISDN header for each request.
# The encryption is deliberately designed to be insecure;
# that is, the same MSISDN will always be encrypted to
# the same ciphertext. And since the IV will always be
# the same for each encryption, there's no need to send
# it out with the ciphertext.
#
when SIP_REQUEST {
set key "abed1ddc04fbb05856bca4a0ca60f21e"
set iv "d78d86d9084eb9239694c9a733904037"
set enc_msisdn [CRYPTO::encrypt -alg aes-128-cbc -keyhex $key -ivhex $iv [SIP::header "MSISDN"]]
SIP::header remove "MSISDN"
SIP::header insert "MSISDN" [b64encode $enc_msisdn]
}
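The interoperability claim in the DESCRIPTION (a third party decrypting what the iRule emits) and the deliberately deterministic MSISDN example above, as an added Go example that is not part of this man page or of F5's code: it reproduces the example's aes-128-cbc output with the page's key and IV, decrypts it the way a receiver would (including the padding check), and sets the fixed-IV form beside a fresh-IV-per-message variant. It assumes BIG-IP applies PKCS#7 block padding (OpenSSL's default) and that b64encode/b64decode happen outside these functions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

const ExampleKeyHex, ExampleIVHex = "abed1ddc04fbb05856bca4a0ca60f21e", "d78d86d9084eb9239694c9a733904037" // from the man page example; test values only

// cbc runs AES-CBC over whole blocks; the key length selects AES-128/192/256.
func cbc(keyHex string, iv, in []byte, encrypt bool) ([]byte, error) {
	key, _ := hex.DecodeString(keyHex) // a malformed key is rejected by NewCipher
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(iv) != aes.BlockSize || len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("iv or data not block aligned")
	}
	mode := cipher.NewCBCDecrypter
	if encrypt { mode = cipher.NewCBCEncrypter }
	out := make([]byte, len(in))
	mode(block, iv).CryptBlocks(out, in)
	return out, nil
}
// EncryptFixedIV mirrors the page's iRule (before b64encode): fixed key+IV, PKCS#7 padding (assumed), so equal MSISDNs give equal output.
func EncryptFixedIV(keyHex, ivHex, msisdn string) ([]byte, error) {
	iv, _ := hex.DecodeString(ivHex)               // length is checked in cbc
	n := aes.BlockSize - len(msisdn)%aes.BlockSize // PKCS#7 always pads, 1..16 bytes
	return cbc(keyHex, iv, append([]byte(msisdn), bytes.Repeat([]byte{byte(n)}, n)...), true)
}
// EncryptRandomIV is the hardened form: a fresh IV per message (CRYPTO::keygen in an iRule), sent as iv||ct so the receiver can split it off.
func EncryptRandomIV(keyHex, msisdn string) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return nil, err }
	ct, err := EncryptFixedIV(keyHex, hex.EncodeToString(iv), msisdn)
	return append(iv, ct...), err
}
// Decrypt is the third-party receiver: CBC decrypt, then validate and strip the PKCS#7 padding.
func Decrypt(keyHex string, iv, ct []byte) (string, error) {
	pt, err := cbc(keyHex, iv, ct, false)
	if err != nil { return "", err }
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-n]), nil
}
```

With the fixed IV, two requests carrying the same MSISDN produce byte-identical headers, which is exactly the linkability the example's own comment warns about; the random-IV variant costs one extra block per message and needs no change on the receiver beyond splitting off the first 16 bytes.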
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-11.1.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)