Forum Discussion

ARS_70214's avatar
ARS_70214
Icon for Nimbostratus rankNimbostratus
Mar 17, 2010

problem to decrypt AES

Hello,

 

 

I have currently some problems with to decrypt AES encrypted string in f5 irules.

 

 

In fact It works well when I encrypt and decrypt a string in the same irule, but if I want to decrypt an already encrypted string then the AES::decrypt function return an empty string. Of course the key used to decrypt the encrypted string is the key I used to encrypt this one.

 

 

when HTTP_REQUEST {

 

 

/* Below is the part working */

 

set ::key be474444865c70f3e13624aec61eb292cef6cf5c4ce1725dd4fa49a93bf997c8

 

log local0. "key: $::key"

 

 

set ::toencrypt "test"

 

log local0. " $::toencrypt"

 

 

set ::encrypted [b64encode [AES::encrypt $::key $::toencrypt]]

 

log local0. "encrypted: $::encrypted"

 

 

set ::decrypted [AES::decrypt $::key [b64decode $::encrypted]]

 

log local0. "decrypted: $::decrypted"

 

 

 

/* the following example doesn't work */

 

set ::alreadyencrypted "if5fcuQNslSrend46PiyfBV/Bu60+lfXLAN76wSFxtmk13EnzNi0Zfu/"

 

log local0. "alreadyencrypted: $::alreadyencrypted"

 

set ::decrypted2 [AES::decrypt $::key [b64decode $::alreadyencrypted]]

 

log local0. "alreadydecrypted: $::decrypted2"

 

}

 

 

I'm asking if there is not something else to do to declare the encrypted string (bold line).

 

 

Do you know what to do to fix this problem?

 

 

Many thanks
application delivery
dev
devops
iRules

2 Replies

  • JCohen's avatar
    JCohen
    Ret. Employee
    Jul 08, 2011
    When specifying a key to AES::encrypt or AES::decrypt it can either be a key object as generated by AES::key (a string with the correct format) or a passphrase.

     

     

    The AES::key command generates object represented as a list with 3 elements or a string in the format "AES (128 | 192 | 256) <32, 48, 64 HEX digits respectively>". If you are using a string to set the key, it must be in this format.

     

     

    A string that does not match the above format will be interpreted as a passphrase and will be used (along with random salt) to generate a key. This is where AES::decrypt is affected by ID224113.

     

     

     

    You need to change

     

    set ::key be474444865c70f3e13624aec61eb292cef6cf5c4ce1725dd4fa49a93bf997c8

     

    to

     

    set ::key "AES 256 be474444865c70f3e13624aec61eb292cef6cf5c4ce1725dd4fa49a93bf997c8"

     

     

    Now, using global variables and CMP is a whole other discussion. :)

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html

     

     

    Jason

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 08, 2011
    Now, using global variables and CMP is a whole other discussion. :)

     

     

    For 10.x you can use the static:: namespace

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/static

     

     

    Aaron