Forum Discussion
Kevin_Stewart
Mar 14, 2008 (Employee)
AES functions
Hello Devcentral gurus,
Does anyone know the specifics of the AES functions and how they work? Specifically, look at the following code snippet:
set testkey "test"
set testdat...
hooleylist
Mar 17, 2008 (Cirrostratus)
I think that the key you're testing with is invalid. For 128 bit encryption you need to use a key with 32 hexadecimal characters.
The AES key portion is composed of a number of characters specific to the bit value. The characters must be within the following hexadecimal range:
0123456789ABCDEF
The AES key must also contain the following number of characters to fulfill the bit requirement:
Note: One character is composed of 4 bits.
Bit Strength    Number of Characters Required
128             32
192             48
256             64
Here is some sample code to test the key creation and encrypting/decrypting test strings:
when RULE_INIT {
    # Check if $::key is already defined and has a length
    if {[info exists ::key] and [string length $::key]} {
        log local0. "using existing AES key: $::key"
    } else {
        # The key didn't exist, so create a new 128 bit key
        set ::key [AES::key 128]
    }
    # The key is actually a list of three elements: "AES" "<bit strength>" "<hex key string>",
    # e.g. "AES 128 f97612f8dd24836405a9d9e7f69e7979"
    log local0. "list length of key: [llength $::key]"
    # Test the encryption of a string, encoding it with base64 encoding, then decode it and decrypt it.
    # This verifies that the current version of software isn't susceptible to CR68290 / SOL7603.
    log local0. "Encrypt & encode test: [AES::decrypt $::key [b64decode [b64encode [AES::encrypt $::key "This should be logged in clear text"]]]]"
    # Encrypt and encode a few test strings. The first two test strings are the same and result in the same encrypted/encoded string.
    set ::b64_encoded_encrypted_string_1 [b64encode [AES::encrypt $::key "test1"]]
    log local0. "\$::b64_encoded_encrypted_string_1: $::b64_encoded_encrypted_string_1"
    set ::b64_encoded_encrypted_string_2 [b64encode [AES::encrypt $::key "test1"]]
    log local0. "\$::b64_encoded_encrypted_string_2: $::b64_encoded_encrypted_string_2"
    set ::b64_encoded_encrypted_string_3 [b64encode [AES::encrypt $::key "test3"]]
    log local0. "\$::b64_encoded_encrypted_string_3: $::b64_encoded_encrypted_string_3"
    # Decode and decrypt the test strings
    set ::decrypted_1 [AES::decrypt $::key [b64decode $::b64_encoded_encrypted_string_1]]
    log local0. "\$::decrypted_1: $::decrypted_1"
    set ::decrypted_2 [AES::decrypt $::key [b64decode $::b64_encoded_encrypted_string_2]]
    log local0. "\$::decrypted_2: $::decrypted_2"
    set ::decrypted_3 [AES::decrypt $::key [b64decode $::b64_encoded_encrypted_string_3]]
    log local0. "\$::decrypted_3: $::decrypted_3"
}
Log output:
Rule : using existing AES key: AES 128 f97612f8dd24836405a9d9e7f69e7979
Rule : Encrypt & encode test: This should be logged in clear text
Rule : list length of key: 3
Rule : $::b64_encoded_encrypted_string_1: P+SosLjL2NO1+souRy3zi0g2d3BZkd5Ire8LNveJTaQ=
Rule : $::b64_encoded_encrypted_string_2: P+SosLjL2NO1+souRy3zi0g2d3BZkd5Ire8LNveJTaQ=
Rule : $::b64_encoded_encrypted_string_3: P+SosLjL2NO1+souRy3ziSVAl60N6ojmK181jqBzqEw=
Rule : $::decrypted_1: test1
Rule : $::decrypted_2: test1
Rule : $::decrypted_3: test3
If you're using the encrypted value in a cookie or in the URI, you should URI encode the output to conform to the HTTP RFCs for character sets. You can use URI::encode and URI::decode to do this. Here is an example:
when RULE_INIT {
    # Cookie, which the application sets, to encrypt/decrypt
    set ::cookie_name "test_cookie"
    # Log debug messages to /var/log/ltm? 1=yes, 0=no.
    set ::cookie_debug 1
    # Check if $::key is already defined and has a length
    if {[info exists ::key] and [string length $::key]} {
        if {$::cookie_debug} {log local0. "Using existing AES key: $::key"}
    } else {
        # The key didn't exist, so create a new 128 bit key
        set ::key [AES::key 128]
        if {$::cookie_debug} {log local0. "Created new AES key: $::key"}
    }
}
when HTTP_REQUEST {
    # If the cookie exists with any value, for any requested object, try to decrypt it
    if {[string length [HTTP::cookie value $::cookie_name]]} {
        if {$::cookie_debug} {log local0. "Original error cookie value: [HTTP::cookie value $::cookie_name]"}
        # URI decode the value (catching any errors that occur when trying to URI decode the cookie value)
        # and save the output to cookie_uri_decoded
        if {not ([catch {URI::decode [HTTP::cookie value $::cookie_name]} cookie_uri_decoded])} {
            # Log that the cookie was URI decoded
            if {$::cookie_debug} {log local0. "\$cookie_uri_decoded was set successfully"}
            # Decrypt the value with the key created in RULE_INIT
            if {not ([catch {AES::decrypt $::key $cookie_uri_decoded} cookie_decrypted])} {
                # Log the decrypted cookie value
                if {$::cookie_debug} {log local0. "\$cookie_decrypted: $cookie_decrypted"}
            } else {
                if {$::cookie_debug} {log local0. "Couldn't decrypt cookie: [HTTP::cookie value $::cookie_name]"}
            }
        } else {
            if {$::cookie_debug} {log local0. "Couldn't URI decode cookie: [HTTP::cookie value $::cookie_name]"}
        }
    }
}
when HTTP_RESPONSE {
    # Check if response contains an error cookie with a value
    if {[string length [HTTP::cookie value $::cookie_name]] > 0} {
        # Log the original error cookie value from the app
        if {$::cookie_debug} {log local0. "Response from app contained error cookie: [HTTP::cookie value $::cookie_name]"}
        # Encrypt the cookie value so the client can't change the value, then URI encode it for the Set-Cookie header
        HTTP::cookie value $::cookie_name [URI::encode [AES::encrypt $::key [HTTP::cookie value $::cookie_name]]]
        # Log the encoded and encrypted error cookie value that was just set
        if {$::cookie_debug} {log local0. "Encrypted error cookie to: [HTTP::cookie value $::cookie_name]"}
    }
}
There is an existing function which you could also use to encrypt/decrypt a cookie value: HTTP::cookie encrypt. You can check the HTTP::cookie wiki page for more detail.
Aaron
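The key-length rules quoted above and the cookie encrypt/encode, decode/decrypt round trip, as an added example in Go that is not code from this thread or from F5. ParseKey enforces the 32/48/64 hex-character rule on a key given either as a bare hex string or in the same "AES <bits> <hex>" list form the iRule logs, and SealCookie/OpenCookie do the round trip for a cookie value. Assumptions: the page does not say which mode or output layout BIG-IP's AES::encrypt uses, so this example substitutes Go's standard-library AES-GCM with a fresh random nonce per call (which is why two encryptions of "test1" give different tokens here, unlike the identical ciphertexts in the log output above, and why a modified cookie is rejected with an error instead of decrypting to garbage), and unpadded URL-safe base64 in place of the b64encode plus URI::encode pair. The sample key is the one printed in the log output above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ParseKey accepts the three-element list form the iRule logs
// ("AES 128 f97612f8dd24836405a9d9e7f69e7979") or a bare hex string
// and returns the raw key bytes. One hex character carries 4 bits, so
// 128/192/256-bit keys need exactly 32/48/64 hex characters.
func ParseKey(s string) ([]byte, error) {
	fields := strings.Fields(s)
	if len(fields) != 1 && len(fields) != 3 {
		return nil, errors.New(`key must be "AES <bits> <hex>" or a bare hex string`)
	}
	hexKey := fields[len(fields)-1]
	if len(fields) == 3 {
		bits, err := strconv.Atoi(fields[1])
		if !strings.EqualFold(fields[0], "AES") || err != nil || len(hexKey)*4 != bits {
			return nil, fmt.Errorf("%q: bit strength and hex length disagree", s)
		}
	}
	switch len(hexKey) {
	case 32, 48, 64: // 128, 192, 256 bits
	default: // this is what rejects a key like "test" from the original question
		return nil, fmt.Errorf("key has %d hex characters; need 32, 48 or 64", len(hexKey))
	}
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("key must be hex digits 0-9/A-F only: %w", err)
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCookie encrypts and authenticates value (AES-GCM, fresh random nonce)
// and returns nonce||ciphertext||tag as unpadded URL-safe base64, which can
// go straight into a Set-Cookie header or a URI without a further encode step.
func SealCookie(key []byte, value string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(value), nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// OpenCookie reverses SealCookie. A modified token, a truncated one or the
// wrong key makes gcm.Open fail instead of returning a silently wrong value.
func OpenCookie(key []byte, token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", fmt.Errorf("cookie is not valid base64: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("cookie too short to hold a nonce")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("cookie rejected: wrong key or value was modified")
	}
	return string(pt), nil
}

func main() {
	_, err := ParseKey("test") // the key from the original question
	fmt.Println("ParseKey(\"test\"):", err)
	key, _ := ParseKey("AES 128 f97612f8dd24836405a9d9e7f69e7979") // key from the log output above
	a, _ := SealCookie(key, "test1")
	b, _ := SealCookie(key, "test1")
	fmt.Println("same plaintext, different tokens:", a != b)
	v, err := OpenCookie(key, a)
	fmt.Println("decrypted:", v, err)
	_, err = OpenCookie(key, strings.ToUpper(a)) // tamper with the token
	fmt.Println("tampered:", err)
}
```

The authentication tag is what makes "so the client can't change the value" hold: with an unauthenticated mode a client who flips ciphertext bits gets a different, still-decryptable plaintext, and the iRule's catch around AES::decrypt would not notice.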