Layer7 API Management

Hi,

 I am using #symmetrickeyencryptiondecryption tactical assertion for AES/CBC/PKCS5 encryption. For decryption, I need to have IV value; however not getting way to read #iv value used while encryption.

Please help to get the variable name, which stores IV value.

Thanks,

Sid.

Sid,

Good afternoon. This enhancement of an additional optional field, labelled IV, is to allow deciphering of cipher data using AES/CBC that doesn't contain the IV used to create the cipher data to start with. (eg: openSSL) This field is only available and used when data is being deciphered with AES/CBC cipher. If the data does contain an IV within it's cipher data, this field must be left blank.

The IV can be an explicit value or a context variable containing the IV. Either way, the value must be a binary base64 encoded string. Use the Hex String to Binary Base 64 Tactical Assertion (Request from support) to convert a hex string to a binary base64 encoded string if necessary. The value is needing to be know as it will not be with the cipher data.

Sincerely,

Stephen Hughes

Director, Technical Support

Hi Stephen,

 How can I set up my own IV value while encryption. I believe the assertion uses random IV value while encryption and append that to the encrypted data.

However, if I want to use my own IV value, I don't see any way to do that. Can you please explain this.

Thanks,

Sid.

Hello SID,

I think that Stephen has explained it: 

"...The IV can be an explicit value or a context variable containing the IV. Either way, the value must be a binary base64 encoded string. Use the Hex String to Binary Base 64 Tactical Assertion (Request from support) to convert a hex string to a binary base64 encoded string if necessary."

In other words, you would have to either use an online tool to convert the IV from binary to base64 encoded binary or the tactical assertion that Stephen specified, and then use it either explicitely (copy-paste) in the field, or create a variable of type string, copy-paste the base64 value of the IV and then reference that variable in that field.

I hope this helps

Maurizio

Sid,

Thank you for clarifying what you were looking for. The IV value as you mentioned is set dynamically by the assertion for encrypting as this is the most secure way to ensure random settings so the encrypted value can not be guessed. The IV value in the assertion is only available when decrypting as the IV value may not be included in the data.  WE strongly recommend using other more modern methods of encryption.

• To provide encrypted credentials, JWT, JWE, JWS are good choices. 
• For encrypted message bodies, JWE comes to mind.
• Older standards like SOAP, WSS, SAML do a lot of the same things as JWT, JWS, JWE. 

Sincerely,

Stephen Hughes

Director, CA Support

Sp, con you confirm that is NOT possible to specify an own IV when cyphering with the SymmetricKeyEncryptionDecryption Tactical Assertion? It's possible to specify it, in Base64, only in deciphering mode, correct?

Hi Stephen, more than specifying an IV for crypting we need a way to decrypt the message from a JavaScript code; for this I think I need to know where the random generated IV is inserted in the output message (it must be there or it wouldn't be possible to decrypt it).. iI tried to use the first 16 bytes from the message as IV string but I haven't be able to decrypt a message.

Can you help me?

Thanks