For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Posterus_85681's avatar
Posterus_85681
Icon for Nimbostratus rankNimbostratus
Mar 07, 2016

3DES encryption of text using iRule for custom URL/URI

We have a vendor that uses a custom URL/URI format to achieve SSO. The method they are wanting us to follow is below. Can this be done using F5 iRule and inbuilt commands? (I was thinking of using CR...
application delivery
BIG-IP Access Policy Manager (APM)
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Mar 07, 2016

Hi Posterus,

 

you may take a look to the sytax below. It should be a good startingpoint for you...

 

when RULE_INIT { 

     Keygen (Long Form)

    set static::shared_key "hello world"
    set static::shared_key_md5 [md5 $static::shared_key]
    binary scan $static::shared_key_md5 H* static::shared_key_md5_hex
    set static::shared_key_md5_hex_24 [string range $static::shared_key_md5_hex 0 23]
    set static::encryption_key [string tolower $static::shared_key_md5_hex_24]

    log local0.debug "Key: $static::encryption_key ([string length $static::encryption_key] chars)"

     Keygen (Short Form)

    set static::shared_key "hello world"
    binary scan [md5 $static::shared_key] H* static::shared_key_md5_hex
    set static::encryption_key [string tolower [string range $static::shared_key_md5_hex 0 23]]

    log local0.debug "Key: $static::encryption_key ([string length $static::encryption_key] chars)"

     Integration Code (move to HTTP_REQUEST etc.)

    set url_string_input "test"
    set url_string_output [URI::encode [b64encode [CRYPTO::encrypt -alg des-ede3-ecb -keyhex $static::encryption_key $url_string]]]

    log local0.debug "Input: $url_string_input Output: $url_string_output"

}

Note: Tell your vendor, its a bad choice to use 3DES in this way. Ask him to add some replay protection and well-known- / chosen-plaintext resilence... 😉

 

Cheers, Kai