Forum Discussion

rajeshramhit_11
Dec 18, 2014

RSA Encryption Support on F5 LTM

Hi All,

I have a requirement to encrypt certain POST contents with the public key from a downstream server before they are passed on to it through an untrusted network.

Is it possible to use an RSA public key in CRYPTO commands? TMOS v11.5+

Regards R

3 Replies

  • R_Marc

    iRule CRYPTO appears to be symmetric, not asymmetric. What you are asking really should be done by the app using encrypt and signature. However, if you really wanted to do it, you could probably use a sideband connection to a crypto as a service type app. Of course you'd need to create such a service as well.

    I'm not sure why SSL doesn't solve this for you in general. If you are worried about integrity of the connection, doing strict validations of the server cert as well as requiring client authentication on the server side would make more sense to me.

  • Thanks Nitass for the confirmation. Could you please give the command format for RSA with OAEP?

    Like, would this below work:

    [CRYPTO::encrypt -alg rsa-256-oaep -keyhex $key -ivhex $iv $unencrypted_data]

    Hi Marc,

    Thanks for your response. We SSL-offload on the F5; then our further requirement is to encrypt only certain contents, like PI data, over HTTP on the server side, whereby we have just the public key from the downstream server.

    Regards

  • I do see only rsa-priv and rsa-pub algorithms.

    e.g.

     configuration
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) create sys file ifile keyfile1 source-path file:///config/ssl/ssl.key/default.key
    Copying file "file:///config/ssl/ssl.key/default.key" ...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  1704  100  1704    0     0  2411k      0 --:--:-- --:--:-- --:--:--     0
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) create ltm ifile keyifile1 file-name keyfile1
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when RULE_INIT {
            set static::key [ifile get keyifile1]
        }
        when HTTP_REQUEST {
            HTTP::collect [HTTP::header "Content-Length"]
        }
        when HTTP_REQUEST_DATA {
            HTTP::respond 200 content [CRYPTO::decrypt -alg rsa-priv -key $static::key [b64decode [HTTP::payload]]]
        }
    }
    
     generate encrypted text
    
    [root@ve11a:Active:In Sync] config  echo "hello world123" | openssl rsautl -encrypt -certin -inkey /config/ssl/ssl.crt/default.crt | base64
    OBrsKKH2Ewi8nmbp7ZRzaJfC92WYJscCMlZQow6DOiBeSZ50Au8xLBMxko0JruJToiDRhtbKfGay
    r6cMphQESmxXxbGBZy11DayfIcPN1B3Vk5BeIRoion4RX+/hwICJFDP/oww3DT3ziiIt0jaMlKID
    UGT53wWrhXnyBDGXzUoYmbGh4yv5d4GPIS5fF1qMmV21fuID3Fdhu3shdDEPPnvYDK45Qu5tHArO
    cEeIwnG2KLPgmVGqLMjHC3uA8iVUw+U1ibsSUAbntwgu7Wv9pTgLCu4Qz2o4mojkCNuFlp5vY3hQ
    7dZ9RjvkOhjF3VNHAgyIqX4TJDn6ntRioJeN1Q==
    
     test
    
    [root@centos1 ~] curl -i -d OBrsKKH2Ewi8nmbp7ZRzaJfC92WYJscCMlZQow6DOiBeSZ50Au8xLBMxko0JruJToiDRhtbKfGayr6cMphQESmxXxbGBZy11DayfIcPN1B3Vk5BeIRoion4RX+/hwICJFDP/oww3DT3ziiIt0jaMlKIDUGT53wWrhXnyBDGXzUoYmbGh4yv5d4GPIS5fF1qMmV21fuID3Fdhu3shdDEPPnvYDK45Qu5tHArOcEeIwnG2KLPgmVGqLMjHC3uA8iVUw+U1ibsSUAbntwgu7Wv9pTgLCu4Qz2o4mojkCNuFlp5vY3hQ7dZ9RjvkOhjF3VNHAgyIqX4TJDn6ntRioJeN1Q== http://172.28.24.10
    HTTP/1.0 200 OK
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 15
    
    hello world123
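The direction the original question asks for (encrypt on the BIG-IP with the downstream server's public key, so only the server's private key can read it), as an added iRule example that is not code from this thread. It assumes the server's PEM public key has been uploaded as ltm ifile downstream_pub, a 2048-bit key, and that rsa-pub applies the same PKCS#1 v1.5 padding that openssl rsautl used above; the ifile name, the 1 MiB collect limit and the 245-byte plaintext cap are assumptions.

```tcl
# Added example (not from the thread): encrypt a small POST body with the
# downstream server's RSA public key and forward it base64-encoded.
when RULE_INIT {
    # Assumed ifile name holding the server's PEM public key
    set static::pubkey [ifile get downstream_pub]
    # Assumed 2048-bit modulus: 256-byte block minus 11 bytes of PKCS#1 v1.5
    # padding leaves 245 bytes of plaintext per RSA operation
    set static::max_plain 245
}
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        set len [HTTP::header "Content-Length"]
        # Refuse chunked/unknown lengths and absurd bodies before collecting
        if { $len eq "" || ![string is integer -strict $len] || $len > 1048576 } {
            HTTP::respond 413 content "unsupported or oversized body"
            return
        }
        HTTP::collect $len
    }
}
when HTTP_REQUEST_DATA {
    set plain [HTTP::payload]
    # A single RSA operation cannot carry more than the padded block size;
    # reject rather than silently truncating or failing at the server
    if { [string length $plain] > $static::max_plain } {
        HTTP::respond 413 content "payload exceeds RSA block size"
        return
    }
    set cipher [CRYPTO::encrypt -alg rsa-pub -key $static::pubkey $plain]
    # base64 keeps the forwarded body printable; the server b64-decodes and
    # then decrypts with rsa-priv, mirroring the rule shown above
    HTTP::payload replace 0 [HTTP::payload length] [b64encode $cipher]
    HTTP::release
}
```

The size check matters because RSA is only suitable for short values such as a single PI field; anything larger needs a hybrid scheme (RSA-wrapped symmetric key), which the thread does not cover.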