Topic
5 replies Latest Post - ‏2012-11-16T16:45:20Z by inestlerode
SystemAdmin
SystemAdmin
6772 Posts
ACCEPTED ANSWER

Pinned topic Trying to decrypt in datapower using RSA private key

‏2012-11-09T16:22:47Z |
Hi,

I am new to DataPower and to make matters worse I am also new to XSL, XSLT and XPATH. My objective is to encrypt a string in java, send it to DataPower
along with other information in an HTTP "GET" request, decrypt it and compare it to one of the parameters in the request using an RSA public/private
key pair. If the information matches then route the request to a backend URL, and if it doesn't match do no more processing.

I have generated the RSA keys in DP and have been able to encrypt the string in java using the public key and send the request to DP.

I have configured a Multi-Protocol Gateway on Dp with a policy that has 4 actions:

1) Match action, which matches any HTTP GET.

2) Convert query params to XML action.
The input to this action is(I shortened the iebToken considerably for brevity):
/?iebToken=Yr1vNMPw0Cn%2BQaMg&machine_serial=1234567&machine_type=ABCD&machine_signature=EFGH&authorization_code=gsgtt&callback=dojo.io.script.jsonp_dojoIoScript2._jsonpCallback

The output from the action is:
<request>

<url>/?iebToken=Yr1vNMPw0Cn%2BQaMg&machine_serial=1234567&machine_type=ABCD&machine_signature=EFGH&authorization_code=gsgtt&callback=dojo.io.script.jsonp_dojoIoScript2._jsonpCallback</url>
<base-url>/</base-url>
<args src="url">
<arg name="iebToken">Yr1vNMPw0Cn+QaMg</arg>
<arg name="machine_serial">1234567</arg>
<arg name="machine_type">ABCD</arg>
<arg name="machine_signature">EFGH</arg>
<arg name="authorization_code">gsgtt</arg>
<arg name="callback">dojo.io.script.jsonp_dojoIoScript2._jsonpCallback</arg>
</args>

</request>

3) Decrypt action. I attempted to decrypt the "iebToken" here using the private key generated earlier.
In the Configure Decrypt Action "Basic" tab I selected the "Selected Elements (Field-Level)" radio button.
In Configure Document Crypto Map I have XPath Expression: //*

This is where I need some help. Nothing happens here at all as far as I can tell. I enabled the probe and looked at the output from this step and it's the same as the
input. It could also be working and as a DP novice I don't know how to tell if it is or isn't.

4) Results action - no modificaton

Can anyone help me with this?
Updated on 2012-11-16T16:45:20Z at 2012-11-16T16:45:20Z by inestlerode
  • HermannSW
    HermannSW
    2818 Posts
    ACCEPTED ANSWER

    Re: Trying to decrypt in datapower using RSA private key

    ‏2012-11-12T18:20:43Z  in response to SystemAdmin
    > and have been able to encrypt the string in java using the public key and send the request to DP.
    >
    Can you please attach the Java code you used?

     
    Hermann<myXsltBlog/> <myXsltTweets/>
    • SystemAdmin
      SystemAdmin
      6772 Posts
      ACCEPTED ANSWER

      Re: Trying to decrypt in datapower using RSA private key

      ‏2012-11-12T19:31:22Z  in response to HermannSW
      Here is the java:

      // encrypt the token
      byte[] encryptedToken = new byte[0];
      BASE64Encoder b64Encoder = new BASE64Encoder();
      try {
      ByteArrayOutputStream baos = new ByteArrayOutputStream();
      ObjectOutputStream oos = new ObjectOutputStream(baos);
      oos.writeObject(token);
      // Close the streams
      oos.close();
      baos.close();
      encryptedToken = encryptToken(baos.toByteArray());
      } catch (IOException e) {
      logwriter.logException(LogLevel.ERROR, e);
      }
      return b64Encoder.encode(encryptedToken);

      private static byte] encryptToken(byte[ data) throws IOException {
      try {
      PublicKey pubKey = getPublicKey("/temp/" + PUBLIC_KEYFILE);
      Cipher cipher = Cipher.getInstance("RSA");
      cipher.init(Cipher.ENCRYPT_MODE, pubKey);
      byte[] cipherData = cipher.doFinal(data);
      return cipherData;
      } catch (Exception e) {
      throw new RuntimeException("Error encrypting token", e);
      }
      }

      private static PublicKey getPublicKey(String filename)
      throws IOException {
      File f = new File(filename);
      FileInputStream fis = new FileInputStream(f);
      DataInputStream dis = new DataInputStream(fis);
      try {
      CertificateFactory d = CertificateFactory.getInstance("X.509");
      X509Certificate x509 = (X509Certificate)d.generateCertificate(dis);
      PublicKey pubKey = x509.getPublicKey();

      return pubKey;
      } catch (Exception e) {
      throw new RuntimeException("Error getting public key", e);
      } finally {
      dis.close();
      }
      }
  • SystemAdmin
    SystemAdmin
    6772 Posts
    ACCEPTED ANSWER

    Re: Trying to decrypt in datapower using RSA private key

    ‏2012-11-13T04:52:18Z  in response to SystemAdmin
    I recall attempting something like this some years back and was told that I shouldn't be using asymmetric encryption directly. Rather, symmetric encryption should be used and, if necessary, asymmetric encryption can be used to transmit the symmetric key. The reason is because asymmetric encryption only works well on small input sizes. The DP public APIs support this method.
    • SystemAdmin
      SystemAdmin
      6772 Posts
      ACCEPTED ANSWER

      Re: Trying to decrypt in datapower using RSA private key

      ‏2012-11-14T13:47:13Z  in response to SystemAdmin
      Actually, the data we are encrypting is quite small, probably smaller than the key itself. I am looking to see if what I have done on the DataPower side is correct or not. It seems like the decrypt step should have done something. I was hoping someone out there has done something similar and can give me an idea of where I went wrong.
      • inestlerode
        inestlerode
        164 Posts
        ACCEPTED ANSWER

        Re: Trying to decrypt in datapower using RSA private key

        ‏2012-11-16T16:45:20Z  in response to SystemAdmin
        Regardless of whether your data is small or not it is never a good idea to use RSA encryption directly on the data payload. No protocol out there does this and for good reason. By doing this you are almost definitely creating a ciphertext validity oracle that will make you vulnerable to various cryptographic attacks such as this one:
        http://www.springerlink.com/content/j5758n240017h867/

        Real protocols use a random symmetric key (3DES or AES) to encrypt the payload and then they use RSA to encrypt that random symmetric key. This is the more secure way to do something like this. Once you move to such a system you will discover why there are existing standards in this area to be used. There are issues of how to encode the two pieces and how to process them securely on the receiving end (without creating the oracle that leads to the above attack).

        We have already dealt with all of these issues in the standard decrypt and cryptobin actions. I would suggest using standards compliant XML Encryption or PKCS#7 for this so that you can use the decrypt action or cryptobin decrypt action respectively rather than trying to reinvent the wheel (introducing security vulnerabilities in the process).