Topic
  • 6 replies
  • Latest Post - 2015-12-29T20:51:28Z by HermannSW
dp__user
dp__user
3 Posts

Pinned topic Encryption Problem

2013-04-17T17:20:34Z |

Hi,

I've got a public private key pair. To simulate what will happen with the third parties, I am trying to encrypt using the public key and the decrypt using the private key.

My xslt has:

<!-- $encryptionType holds the algorithm URI, $pubkey the key passed to dp:encrypt-string -->
<xsl:variable name="encryptedString" select="string(dp:encrypt-string($encryptionType, $pubkey, 'test'))"/>

I have tried setting the encryptionType to all options from: http://publib.boulder.ibm.com/infocenter/wsdatap/v3r8m1/index.jsp?topic=%2Fxi50%2Fextensionfunctions84.htm

But keep getting an error in the logs saying: *Invalid key length for algorithm*

The key is a ssh-rsa key.

Any ideas?

My test private and public keys are attached.

Attachments

Updated on 2013-04-18T08:18:25Z at 2013-04-18T08:18:25Z by dp__user
  • craig oddy
    craig oddy
    4 Posts

    Re: Encryption Problem

    2013-04-18T10:11:07Z

    I don't know if this will help but I have found that the invalid key length error is returned somewhat generically for a variety of errors -- for example, if your stylesheet failed to declare the variable containing algorithm name you would get that error, so the problem may not be directly related to the key length.  

    As well, note that  dp:encrypt-string function is for symmetric crypto functions (where the same key value will be used to both encrypt and decrypt).  One example of such would be for DES3, and using such you would set your variable like:

            <!-- set the algorithm to be used -->
            <xsl:variable name="encryptionType" select="'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'"/>

    in this case the actual key value would need to be something like:

    0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF


    Again though, note that this same key value would need to be used on the decrypt as was used on the encrypt if you are to get your original cleartext value returned.

    Updated on 2013-04-18T10:11:42Z at 2013-04-18T10:11:42Z by craig oddy
  • dp__user
    dp__user
    3 Posts

    Re: Encryption Problem

    2013-04-18T11:37:03Z

    I don't know if this will help but I have found that the invalid key length error is returned somewhat generically for a variety of errors -- for example, if your stylesheet failed to declare the variable containing algorithm name you would get that error, so the problem may not be directly related to the key length.  

    As well, note that  dp:encrypt-string function is for symmetric crypto functions (where the same key value will be used to both encrypt and decrypt).  One example of such would be for DES3, and using such you would set your variable like:

            <!-- set the algorithm to be used -->
            <xsl:variable name="encryptionType" select="'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'"/>

    in this case the actual key value would need to be something like:

    0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF


    Again though, note that this same key value would need to be used on the decrypt as was used on the encrypt if you are to get your original cleartext value returned.

    Ah, I didn't know that dp:encrypt-string requires the same key to be used for encryption and decryption.

    I've just done a test with a different symmetric key and the encryption and decryption worked (this was using an example from these forums).

    Is there a function available that allows me to use different keys?

  • dp__user
    dp__user
    3 Posts

    Re: Encryption Problem

    2013-04-18T18:05:51Z

    Been doing some reading on this, and I may be trying to do the incorrect thing.

    Is this the correct procedure:

    I send my public key to the third party, they encrypt the message using a symmetric key. The symmetric key is then encrypted using my public key. When DataPower receives the message, the symmetric key is decrypted using my private key, and then I can use dp:decrypt to decrypt the message.

    So when I'm encrypting a message, I follow the same procedure in DataPower? (I need to encrypt and decrypt) Is that usual process, or can encryption be done using the public key?

    Also, can a crypto shared secret key object be used to hold a copy of the public key to be used, so that it can be referenced in DataPower?

  • inestlerode
    inestlerode
    166 Posts

    Re: Encryption Problem

    2013-04-18T18:34:15Z

    dp:encrypt-string is only for symmetric cryptography (like 3DES and AES).  You are trying to use an RSA key for this, so it doesn't work.

    dp:encrypt-key and dp:decrypt-key are for asymmetric cryptography (RSA).

    However, 99% of the time you should not be calling any of these functions directly because you should be using the encrypt/decrypt actions instead.  There are many security pitfalls when using these functions directly involving oracle attacks against timing variations in the decryption step, all of which can be avoided by using the encrypt/decrypt actions instead.

    Note that RSA encryption on DataPower (whether through the encrypt action or the lower level extension functions) requires the use of X.509 certificates and you only have an SSH public key (not an X.509 certificate).  You can use the keygen action to generate an X.509 certificate.

  • soaDevArch
    soaDevArch
    82 Posts

    Re: Encryption Problem

    2015-12-28T18:15:58Z

    dp:encrypt-string is only for symmetric cryptography (like 3DES and AES).  You are trying to use an RSA key for this, so it doesn't work.

    dp:encrypt-key and dp:decrypt-key are for asymmetric cryptography (RSA).

    However, 99% of the time you should not be calling any of these functions directly because you should be using the encrypt/decrypt actions instead.  There are many security pitfalls when using these functions directly involving oracle attacks against timing variations in the decryption step, all of which can be avoided by using the encrypt/decrypt actions instead.

    Note that RSA encryption on DataPower (whether through the encrypt action or the lower level extension functions) requires the use of X.509 certificates and you only have an SSH public key (not an X.509 certificate).  You can use the keygen action to generate an X.509 certificate.

    We've to determine the client on the fly and then utilize the public key to encrypt the message. So I believe we cannot utilize the action but only the dp functions. Is this still an issue with encrypt functions?


    Regards,

    Salla

  • HermannSW
    HermannSW
    6065 Posts

    Re: Encryption Problem

    2015-12-29T20:51:28Z

    We've to determine the client on the fly and then utilize the public key to encrypt the message. So I believe we cannot utilize the action but only the dp functions. Is this still an issue with encrypt functions?


    Regards,

    Salla

    Public key of client for response back to client?

    Or to backend?

    Please describe your requirement in more detail, and if it does not match exactly with this thread's topic, then please create a new thread with your question.

    Hermann.