Forum Discussion
3DES encryption of text using iRule for custom URL/URI
We have a vendor that uses a custom URL/URI format to achieve SSO. The method they are wanting us to follow is below. Can this be done using F5 iRule and inbuilt commands? (I was thinking of using CRYPTO::encrypt but not sure if that will be correct)
The shared passphrase is used specifically to generate the key used by the DESEDE encryption algorithm. To generate the key, use the output of the hash function using the shared passphrase as the input parameter as below.
- Generate MD5 hash of passphrase – produces 16 byte array
- Convert the resultant MD5 hash byte array to a hex string in lower case – produces a 32 byte string
- Use the first 24 bytes of the hex string as the key for the DESEDE encryption algorithm
- Encrypt the URL string using the key generated above with a DESEDE cipher using ECB/PKCS5 padding. The encrypted result is a byte array
- The byte array above is base64 encoded and converted to a string with UTF-8 encoding
- The string is then URL encoded to form the final output string
- ASCII device control characters (e.g. null characters (%00), line feed (%0A), carriage return (%0D)) should NOT be in the encrypted string
1 Reply
Hi Posterus,
You may take a look at the syntax below. It should be a good starting point for you...

```tcl
when RULE_INIT {

    # Keygen (Long Form)

    set static::shared_key "hello world"
    set static::shared_key_md5 [md5 $static::shared_key]
    binary scan $static::shared_key_md5 H* static::shared_key_md5_hex
    set static::shared_key_md5_hex_24 [string range $static::shared_key_md5_hex 0 23]
    set static::encryption_key [string tolower $static::shared_key_md5_hex_24]
    log local0.debug "Key: $static::encryption_key ([string length $static::encryption_key] chars)"

    # Keygen (Short Form)

    set static::shared_key "hello world"
    binary scan [md5 $static::shared_key] H* static::shared_key_md5_hex
    set static::encryption_key [string tolower [string range $static::shared_key_md5_hex 0 23]]
    log local0.debug "Key: $static::encryption_key ([string length $static::encryption_key] chars)"

    # Integration Code (move to HTTP_REQUEST etc.)

    set url_string_input "test"
    # -key, not -keyhex: the 24 hex characters themselves are the 24 key bytes.
    # The variable being encrypted is $url_string_input (was the undefined $url_string).
    set url_string_output [URI::encode [b64encode [CRYPTO::encrypt -alg des-ede3-ecb -key $static::encryption_key $url_string_input]]]
    log local0.debug "Input: $url_string_input Output: $url_string_output"

}
```

Note: Tell your vendor it's a bad choice to use 3DES in this way. Ask him to add some replay protection and well-known- / chosen-plaintext resilience... 😉
Cheers, Kai
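
To cross-check what the iRule emits, the vendor's steps from the question can be reproduced off-box with the openssl command line. This is an added example, not code from the thread or from F5: the function names are hypothetical, the passphrase and URL are constructed samples, and it assumes an openssl binary with MD5 and 3DES available.

```shell
#!/bin/sh
# Added cross-check for the vendor scheme in this thread (not from the posts).
# Requires the openssl CLI; passphrase and URL below are constructed samples.

# Steps 1-3: MD5(passphrase) -> lowercase hex -> first 24 characters.
derive_key() {
    printf '%s' "$1" | openssl dgst -md5 -r | cut -c1-24
}

# The 24 ASCII characters themselves are the 24 key bytes, so hex-encode
# them for openssl's -K option (48 hex digits).
key_to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Steps 4-6: 3DES-ECB with PKCS#5 padding, base64, then URL-encode.
# The base64 alphabet only needs '+', '/' and '=' escaped.
encrypt_url() {   # usage: encrypt_url <passphrase> <url>
    khex=$(key_to_hex "$(derive_key "$1")")
    printf '%s' "$2" |
        openssl enc -des-ede3 -nosalt -K "$khex" -a -A |
        sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# Reverse path, used to confirm the round trip.
decrypt_token() { # usage: decrypt_token <passphrase> <token>
    khex=$(key_to_hex "$(derive_key "$1")")
    printf '%s' "$2" |
        sed -e 's/%2B/+/g' -e 's|%2F|/|g' -e 's/%3D/=/g' |
        openssl enc -d -des-ede3 -nosalt -K "$khex" -a -A
}

token=$(encrypt_url "hello world" "test")
echo "key:   $(derive_key "hello world")"
echo "token: $token"
echo "plain: $(decrypt_token "hello world" "$token")"
```

The same passphrase and URL always produce the same token, because ECB with a fixed key is deterministic; that is the behaviour behind the reply's remark about replay protection.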
