Forum Discussion

Deb_Allen_18
Historic F5 Account
Mar 17, 2006

decrypting server cookie

Can LTM decrypt a server's cookie (3DES w/private key exchange)?

Login server sets an encrypted cookie containing info that we'd like to reference in a rule.

thanks

/deb
  • Deb_Allen_18
    Historic F5 Account
    Ok, thanks.

    If the server sends an AES encrypted cookie, can I reference a private key from within the iRule to decrypt it?

    thanks

    /deb
  • unRuleY_95363
    Historic F5 Account
    Yes. But importing that key might be the tricky part. I would suggest looking at the output of AES::key to figure that out.
  • Deb_Allen_18
    Historic F5 Account
    I'm not sure I understand.

    The output from AES::key is a key value generated by LTM, right?

    I don't think that's what I'm looking for.

    What I'm looking for is the ability to use the server's private key to decrypt the encrypted cookie set by the server.

    Importing the private key from the server to LTM is trivial, but I don't see any way to reference that key within the rule to decrypt the cookie.

    Am I missing something, or is that outside the current capability of LTM?

    thanks!

    /deb
  • unRuleY_95363
    Historic F5 Account
    You'll need to set a variable with the value of the private key in the format of what AES::key puts out.
  • Deb_Allen_18
    Historic F5 Account
    So to insert the key value into the rule, I'd use something like this, but insert the actual key value in place of "key_value":

    when RULE_INIT {
       set ::key "key_value"
    }

    and then reference the key for decryption like this:

    [AES::decrypt $::key $encryptedCookie]

    ???

    Seems like that might raise a security policy violation flag, since the server's private key would be clearly visible in the GUI even for Read-Only users, and also exposed in cleartext in the config files/tech.outs, no?

    thanks for the assist!

    /deb
  • unRuleY_95363
    Historic F5 Account
    Yeah.

    OR....

    You could implement a special virtual server with a rule designed to accept a connection from a back-end and get the key and load it into the variable for use.

    Just remember that an AES key represented in Tcl needs the "AES " string prepended to the hexadecimal representation of the key. Otherwise the AES::decrypt command will treat the string as a passphrase instead of as the actual key. We also only support 128, 192, and 256 bit keys in Tcl.
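An added iRule example, not posted by either participant and not F5's own code, showing the alternative Deb goes on to recommend: the server sets the cookie in plaintext and LTM encrypts it on the way out and decrypts it on the way in, so no key ever has to be pasted into the configuration. The key comes from AES::key, which already carries the "AES " preamble unRuleY describes. The cookie name "session_info" and the 128-bit key length are assumptions chosen for illustration.

```tcl
# Added example (not from the thread). Assumptions: cookie "session_info",
# 128-bit key, global ::cookie_key.
when RULE_INIT {
    # AES::key returns a key in the form AES::encrypt/AES::decrypt expect,
    # so nothing secret appears in the rule text, the GUI or a tech.out.
    # RULE_INIT re-runs whenever the rule is reloaded, which regenerates the
    # key and invalidates every cookie issued under the previous one.
    set ::cookie_key [AES::key 128]
}

when HTTP_RESPONSE {
    # Server -> client: swap the plaintext cookie for its encrypted form.
    # AES::encrypt returns raw bytes, so base64 it before it goes in a header.
    if { [HTTP::cookie exists "session_info"] } {
        set plain [HTTP::cookie value "session_info"]
        set enc [b64encode [AES::encrypt $::cookie_key $plain]]
        HTTP::cookie value "session_info" $enc
    }
}

when HTTP_REQUEST {
    # Client -> server: restore the plaintext so the pool member and any
    # later rule logic see the original value. A cookie that does not
    # decode or decrypt cleanly was not issued by this LTM, so drop it
    # instead of forwarding it.
    if { [HTTP::cookie exists "session_info"] } {
        set enc [HTTP::cookie value "session_info"]
        if { [catch { set plain [AES::decrypt $::cookie_key [b64decode $enc]] }] || $plain eq "" } {
            log local0. "Dropping undecryptable session_info cookie from [IP::client_addr]"
            HTTP::cookie remove "session_info"
        } else {
            HTTP::cookie value "session_info" $plain
            # $plain can now drive rule decisions (pool selection, etc.)
        }
    }
}
```

One caveat worth keeping in mind: AES on its own provides confidentiality, not integrity. A modified ciphertext that still decodes will usually decrypt to garbage rather than raise an error, so the catch above only handles outright failures, and whatever comes out of AES::decrypt should be validated like any other client-supplied input before a rule acts on it.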
  • Deb_Allen_18
    Historic F5 Account
    Ok, thanks.

    Got it on the preamble for the AES key.

    Thanks for the assist. It's a pre-sales eval conditional on LTM acting on info present in the server-set cookie.

    My recommendation is going to be that they send an unencrypted cookie value, and let us encrypt/decrypt it. But it would be nice to have options if they can't/won't.

    So could you elaborate on grabbing the key with another rule? Very interesting idea. Something like this maybe?

    1) Create a VS to be accessed only by the backend server whose key we want.

    2) Create a script on the backend server to periodically connect to the virtual server and send a packet containing the key value.

    3) Create a rule that will extract the key value from that connection, and populate a global variable making the key value visible to all rules (also to accept connections only from that one server's IP)

    I think we'd need a better 2, though, to ensure that the key value is always available to the rule requiring it. I could see that the VS requiring the decryption key could get a request before the server connects to provide the key. And don't some events like b load re-init global variables?

    Thanks again, and no rush on an answer for this part.

    /deb
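An added example, not from either participant and not F5's own code, of the key-delivery arrangement unRuleY suggested and Deb sketched in steps 1 to 3, plus the guard for the gap Deb raises at the end (a request arriving before the key has been delivered). Assumptions: the backend that owns the key is 10.0.0.5, the shared global is ::cookie_key, the application cookie is "session_info", and the key virtual server carries a client SSL profile so the key is not sent across the network in cleartext.

```tcl
# Added example (not from the thread).
# iRule 1: attach to the key-delivery virtual server (Deb's step 1 and 3).
# Assumed backend address 10.0.0.5; assumed client SSL profile on the VS.
when CLIENT_ACCEPTED {
    # Only the designated backend may talk to this VS; everything else is
    # dropped before any payload is read.
    if { [IP::addr [IP::client_addr] equals 10.0.0.5] } {
        TCP::collect
    } else {
        log local0. "Key VS: rejected connection from [IP::client_addr]"
        reject
    }
}

when CLIENT_DATA {
    set payload [string trim [TCP::payload]]
    # Accept only a value that already has the "AES " preamble described in
    # the thread; without it AES::decrypt would treat it as a passphrase.
    # The key itself is deliberately never logged.
    if { [string match "AES *" $payload] } {
        set ::cookie_key $payload
        log local0. "Key VS: cookie key loaded from [IP::client_addr]"
    } else {
        log local0. "Key VS: ignored malformed key payload from [IP::client_addr]"
    }
    TCP::close
}

# iRule 2: attach to the application virtual server that needs the key.
# Fails closed while the key has not been delivered yet (Deb's concern about
# a request arriving before the backend's push), instead of forwarding a
# request whose cookie could not be examined.
when HTTP_REQUEST {
    if { ![info exists ::cookie_key] } {
        log local0. "Cookie key not loaded yet; refusing request from [IP::client_addr]"
        HTTP::respond 503 content "Service temporarily unavailable"
        return
    }
    if { [HTTP::cookie exists "session_info"] } {
        set enc [HTTP::cookie value "session_info"]
        if { [catch { set plain [AES::decrypt $::cookie_key [b64decode $enc]] }] || $plain eq "" } {
            HTTP::cookie remove "session_info"
        } else {
            # $plain is the server's cookie content; validate before acting on it
            HTTP::cookie value "session_info" $plain
        }
    }
}
```

Because nothing in RULE_INIT sets ::cookie_key, the variable simply does not exist until the backend's first push, and it is gone again after a tmm restart; the `info exists` check is what turns that window into a clean 503 rather than an iRule error, and it is why the periodic re-push in Deb's step 2 matters rather than a one-off delivery.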