Forum Discussion
Chad_Mentzer_14
Nimbostratus
Apr 14, 2005
iRule Cryptographic commands
Forgive me if someone has already addressed this in a previous post...
Could someone please point me to some documentation listing out the cryptographic commands available within iRules? Or e-mail the list to me if the list is too long. ("chad" at "iship" dot "com") I have not found the documentation for some of the commands referenced here in iRules. (e.g. AES commands)
BTW - The examples in this forum are invaluable. Nice work and Thank You! I hope more examples are included in the formal documentation in the future.
Thank you in advance.
-Chad
6 Replies
- bl0ndie_127134
Historic F5 Account
Chad, here is a brief description of the available rules.
AES::key ["128" | "192" | "256"] - Create an AES key to encrypt/decrypt data. We default to 128 bit key if the key length is not specified.
AES::encrypt - Encrypt the data using the previously created AES key.
AES::decrypt - Decrypt the data using the previously created AES key.
AES::encrypt_passwd ["128" | "192" | "256"] - Encrypt the data using a key generated from the pass phrase. We default to 128 bit key if the key length is not specified.
AES::decrypt_passwd ["128" | "192" | "256"] - Decrypt the data using a key generated from the pass phrase. We default to 128 bit key if the key length is not specified.
If you look through the previous postings, you should be able to find plenty of examples that demonstrate their use. Hope this helps!
- Chad_Mentzer_14
Nimbostratus
Thank you, very much.
Do you happen to know if there are other similar undocumented commands? For instance, DES, triple DES or access to asymmetric encryption?
- bl0ndie_127134
Historic F5 Account
Those are all the encryption commands that we currently expose in TCL. Don't forget we have a much bigger array of ciphers available in our SSL filter.
We also expose some hashing and base64 encoding routines that are documented at:
http://devcentral.f5.com/Default.aspx?TabID=29&newsType=ArticleView&articleId=29
- Chad_Mentzer_14
Nimbostratus
A few more questions come to mind:
1) If you purchase the BIG-IP FIPS Hardware Option, do the iRules use the hardware to do the encryption by default?
2) Is it possible to save an AES key for export? I would like to be able to share the key with a third party. Also, I would like to be able to import a specific key to use for decryption.
- bl0ndie_127134
Historic F5 Account
> 1) If you purchase the BIG-IP FIPS Hardware ...
This question can probably be answered best by your BigIP sales representative.
> 2) Is it possible to save an AES key for export....
The AES encryption exposed in iRules uses symmetric keys as you probably know by now. Although it is using very well established and secure cryptographic algorithms, it’s designed to generally be encrypted and decrypted within the BigIP.
If you can provide us with a little bit more information on what you are trying to do, maybe we could try and see if there are other ways in which we could help you with your problem.
- unRuleY_95363
Historic F5 Account
1) No, the AES rule commands don't take advantage of the hardware (at least not yet).
2) You could do something crazy like save the key in a global Tcl variable and then create a special virtual on an internal vlan and just always HTTP::respond with a header containing the key. This would allow some remote server to query the key. You could even make the virtual search the request for a header and set the key from it.
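
The AES commands listed earlier in this thread, used to keep a cookie's cleartext inside the BIG-IP, as an added example that is not part of the original discussion and is not F5's own code. The cookie name and variable names are hypothetical, and the `AES::encrypt <key> <data>` argument order is an assumption because the thread does not spell it out.

```tcl
# Added example (not from the thread): encrypt a cookie on the way out,
# decrypt it on the way back in. Names below are hypothetical.
when RULE_INIT {
    # 256-bit key held in a global Tcl variable. It lives only in this
    # BIG-IP's memory and is replaced whenever the rule is re-initialized,
    # so cookies sealed under the old key stop decrypting at that point.
    set ::aes_key [AES::key 256]
    set ::protected_cookie "session_data"   ;# hypothetical cookie name
}

when HTTP_RESPONSE {
    # Server -> client: swap the cleartext cookie value for ciphertext.
    if { [HTTP::cookie exists $::protected_cookie] } {
        set clear [HTTP::cookie value $::protected_cookie]
        # Ciphertext is binary, so base64-encode it before it goes in a header.
        set sealed [b64encode [AES::encrypt $::aes_key $clear]]
        HTTP::cookie value $::protected_cookie $sealed
    }
}

when HTTP_REQUEST {
    # Client -> server: restore the cleartext before the pool member sees it.
    if { [HTTP::cookie exists $::protected_cookie] } {
        set sealed [HTTP::cookie value $::protected_cookie]
        set clear ""
        # A value that was modified in transit, or sealed under an earlier
        # key, may fail to decode or decrypt. Treat an error or an empty
        # result the same way: do not forward the cookie at all.
        if { [catch { set clear [AES::decrypt $::aes_key [b64decode $sealed]] }] } {
            set clear ""
        }
        if { $clear ne "" } {
            HTTP::cookie value $::protected_cookie $clear
        } else {
            HTTP::cookie remove $::protected_cookie
        }
    }
}
```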
