For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Mar 14, 2008

AES functions

Hello Devcentral gurus,     Does anyone know the specifics of the AES functions and how they work. Specifically, look at the following code snippet:     set testkey "test"   set testdat...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Mar 17, 2008
Hi Kevin,

I'm not sure whether the encrypted string should always be the same if the source string is the same. I think the different outputs you're seeing could be tied to a salt or nonce, but I haven't delved into encryption enough to know.

Regardless of whether the encrypted value varies over time, I expect that every value would be decryptable using the key. Could you try decrypting the value on a subsequent request?

If I take the key you listed with the base64 encoded and encrypted strings you have, I get the correct decrypted values on a 9.4.3 unit:


when RULE_INIT {
   set ::key [list AES 128 eaa18b3c04c914f9e2fb8a6c9e479f4f]
   log local0. "list length of key: [llength $::key]"
   log local0. "\$::key: $::key"
   set ::b64_encoded_encrypted_string "TLkDvsXpttnYyJBMuQO+xem22djIkDLR5Xl32d9syl8l4t+LCI+WuG4VvVKQt/b4jSOtBA=="
   log local0. "\$::b64_encoded_encrypted_string: $::b64_encoded_encrypted_string"
   log local0. "Decrypted string: [AES::decrypt $::key [b64decode $::b64_encoded_encrypted_string]]"
   set ::b64_encoded_encrypted_string "hhNtFA/zVoJhJz6GE20UD/NWgmEnPof2Nalx2gy6lrsFUxRsiR+bA/ivrV+zjwANgc8Hrw=="
   log local0. "\$::b64_encoded_encrypted_string: $::b64_encoded_encrypted_string"
   log local0. "Decrypted string: [AES::decrypt $::key [b64decode $::b64_encoded_encrypted_string]]"
   set ::b64_encoded_encrypted_string "JzTGR0I2AL+G0dYnNMZHQjYAv4bR1mAUL1SMYguNEE29thMEzliMW74hgEFQ5iu5X9ctUw=="
   log local0. "\$::b64_encoded_encrypted_string: $::b64_encoded_encrypted_string"
   log local0. "Decrypted string: [AES::decrypt $::key [b64decode $::b64_encoded_encrypted_string]]"
}

Output:


 Rule : list length of key: 3
 Rule : adh $::key: AES 128 eaa18b3c04c914f9e2fb8a6c9e479f4f
 Rule : $::b64_encoded_encrypted_string: TLkDvsXpttnYyJBMuQO+xem22djIkDLR5Xl32d9syl8l4t+LCI+WuG4VvVKQt/b4jSOtBA==
 Rule : Decrypted string: This is a test
 Rule : $::b64_encoded_encrypted_string: hhNtFA/zVoJhJz6GE20UD/NWgmEnPof2Nalx2gy6lrsFUxRsiR+bA/ivrV+zjwANgc8Hrw==
 Rule : Decrypted string: This is a test
 Rule : $::b64_encoded_encrypted_string: JzTGR0I2AL+G0dYnNMZHQjYAv4bR1mAUL1SMYguNEE29thMEzliMW74hgEFQ5iu5X9ctUw==
 Rule : Decrypted string: This is a test

Also, the HTTP::cookie encrypt/decrypt functions do encrypt the cookie value using a passphrase sent to the client to prevent it from being tampered with. Either method should work for the scenario you describe.

Aaron