Layer7 API Management


symmetric key Encryption

  • 1.  symmetric key Encryption

    Posted Nov 12, 2014 03:53 AM

    Hi,

     

    I am doing some POC on encryption methods. I can achieve non-SOAP encryption/decryption but have issues with SOAP-based and Symmetric Encryption. I have these two issues:

     

    1) I could find 'Encrypt Element' that can encrypt the SOAP request but couldn't find the respective assertion for decrypting

    2) While using the 'Symmetric Encryption and Decryption' assertion, I face issues. When plain text is passed, all spaces are truncated and the last letter is always missing on decryption; if used on XML, only tags without the escape sequence characters ( '<', '>' ) are produced as output. It doesn't work on a SOAP message which is used as a string input. Unfortunately there is no documentation on this assertion.

     

    I have used an AES CBC 128 bit key for symmetric encryption without a vector. If I use the vector the assertion fails.

     

    Can you please help with these issues ?

     

    Thanks,

    Sri



  • 2.  Re: symmetric key Encryption

    Posted Nov 12, 2014 07:59 AM

    Hello Sri,

     

    If you're working with SOAP services on the gateway, the gateway will automatically decrypt requests during WS-Security pre-processing before it's handed to the service policy for processing. This option can be enabled/disabled in the service properties dialog.

     

    As for symmetric encryption of SOAP messages, are you sure that's what you want to do? It's considered less secure than asymmetric encryption (which WS-Security is based on), and I've never seen it used with SOAP during my many years of experience (which isn't to say that some people don't use it, but it does suggest that it's extremely uncommon).

     

    Regards,

     

    Ben



  • 3.  Re: symmetric key Encryption

    Posted Nov 13, 2014 02:02 AM

    Hi Ben,

     

    Thanks for your quick reply. I am able to get asymmetric decryption based on WS-Sec.

     

    Regarding Symmetric encryption, we are NOT going to suggest this for SOAP messages but I am presenting all encryption scenarios in L7 in my POC, as a result I have this encryption scenario.

     

    I have tried 'Symmetric Key Encryption / Decryption ' assertion and couldn't get the same msg ( Plaintext/ XML / SOAP )  when decrypted.  Not sure if I am doing something wrong, please find attached document that gives a picture on how I am using the assertion and the inputs/outputs of those assertions.

     

    Thanks,

    Sri.




  • 4.  Re: symmetric key Encryption

    Broadcom Employee
    Posted Jan 12, 2015 06:08 PM

    Symmetric Key encryption without a derived key and a rekeying mechanism is a bad idea. What's your use case?



  • 5.  Re: symmetric key Encryption

    Posted Mar 16, 2016 06:38 AM

    Hi,

     

    Even I am trying to use the symmetric key assertion to understand its functionality.

    I tried posting both XML and JSON payloads and it looks like, post decryption, the output is not the same

    Eg XML

    Input for encryption

    <Name>User1</Name>

    Decrypted output

    NameUser1/Name

     

    Similarly for JSON the final decrypted output is not in JSON Format but plaintext.

     

    How is this assertion used then? I don't see it in the Help section as well for any details.



  • 6.  Re: symmetric key Encryption

    Broadcom Employee
    Posted Mar 16, 2016 12:38 PM

    I don't know how you're using the assertion, nor how you're viewing the results. Symmetric crypto of bulk data using this assertion isn't the main use case. It's generally meant to encrypt small bits of data to provide compatibility with existing infrastructure, not to build a new cryptosystem. I'd be happy to take a bug report if you can provide us with a self contained reproduction.



  • 7.  Re: symmetric key Encryption

    Posted Mar 17, 2016 12:36 AM

    How does one encrypt & decrypt an entire Non soap XML or JSON in CA APIM?



  • 8.  Re: symmetric key Encryption

    Broadcom Employee
    Posted Mar 17, 2016 12:44 AM

    Normally you don't. You use SSL which encrypts all the data for you and has protection against many of the pitfalls of handbuilt cryptosystems.



  • 9.  Re: symmetric key Encryption

    Broadcom Employee
    Posted Mar 17, 2016 12:43 AM

    I had one of my staff look into this. Turns out you're not using the assertion quite correctly. There are some notes in the documentation. As I don't quite know how you obtained the assertion because it's not part of the standard build, whoever gave it to you needs to give you the proper documentation.

     

    It needs to have both symmetric key and plaintext base64 encoded - it's meant to be used to encrypt binary data too, so we chose to require all of the text to be base64 encoded.

     

    Also note that most ciphers are block ciphers and often need the plaintext to be padded out to 4 byte hunks. This is handled for you if you use base64 encoding.
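
Added example, not part of the thread and not Layer7 code: a Python sketch of the base64 requirement described in the post above, showing what is left of raw XML, JSON or text if a decoder skips characters outside the base64 alphabet, next to the base64-wrapped round trip. That the assertion skips such characters is an assumption inferred from the `NameUser1/Name` output reported earlier; all function names and sample values are constructed for illustration.

```python
import base64
import binascii
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")

def surviving_chars(raw: str) -> str:
    """What is left of raw input if a decoder skips non-base64 characters
    (assumed behaviour, inferred from the output reported in the thread)."""
    return "".join(c for c in raw if c in B64_ALPHABET)

def wrap(plaintext: str) -> str:
    """Base64-encode text before handing it to a base64-only interface."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")

def unwrap(b64_text: str) -> str:
    """Strictly decode a base64 value back to the original text."""
    return base64.b64decode(b64_text, validate=True).decode("utf-8")

def is_strict_base64(value: str) -> bool:
    """Pre-flight check: True only for well-formed, correctly padded base64."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def decoded_key_length(b64_key: str) -> int:
    """Length in bytes of a base64-encoded key (16 for a 128-bit AES key)."""
    return len(base64.b64decode(b64_key, validate=True))

# Constructed sample values, not taken from any real deployment.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLES = ["<Name>User1</Name>", '{"name": "User1"}', "plain text with spaces"]

if __name__ == "__main__":
    print("key bytes:", decoded_key_length(SAMPLE_KEY_B64))
    for raw in SAMPLES:
        print("raw input     :", raw)
        print("  strict b64? :", is_strict_base64(raw))
        print("  survives as :", surviving_chars(raw))
        print("  wrapped     :", wrap(raw))
        print("  round trip  :", unwrap(wrap(raw)) == raw)
```

The strict check cannot flag raw text that happens to be valid base64 on its own (a four-letter word, for instance), so it complements rather than replaces encoding every input explicitly.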



  • 10.  Re: symmetric key Encryption

    Posted Mar 18, 2016 01:10 PM

    Hi Sri,

    Could you let me know where did you get the assertion from? I am using API Gateway 8.3 version and could not find this assertion. I am looking for a similar functionality.

    Regards,

    Trinath



  • 11.  Re: symmetric key Encryption

    Broadcom Employee
    Posted Mar 21, 2016 01:43 PM

    What is your use case? We prefer that people work with my team if they want some of this non-standard functionality.

     

    Invariably, we've found when we encounter use cases where people want symmetric cryptography, they don't have parts of their design for key derivation or re-keying.

    Those issues severely weaken security.