Example 10: Policy-based RSA Encryption

The RSA algorithm uses the PKEY_ENCRYPT_PEM() function to encrypt HTTP predefined and user-defined header or body content. The function accepts only RSA public keys (not private keys) and the encrypted data cannot be longer than the length of the public key. When the data being encrypted is shorter than the key length, the algorithm uses RSA_PKCS1 padding method.

In a sample scenario, the function can be used with B64ENCODE() function in a rewrite action to replace an HTTP header value with a value encrypted by an RSA public key. The data being encrypted is then decrypted by the recipient using the RSA private key.

You can implement the feature by using a rewrite policy. To do this, you must complete the following tasks:

  1. Add RSA public key as a policy expression.
  2. Create rewrite action.
  3. Create rewrite policy.
  4. Bind rewrite policy as global.
  5. Verify RSA encryption

Policy-based RSA encryption by using NetScaler command interface

Complete the following tasks to configure policy-based RSA encryption by using the NetScaler command interface.

To add RSA public key as a policy expression by using the NetScaler command interface:

add policy expression pubkey '"-----BEGIN RSA PUBLIC KEY-----MIGJAoGBAKl5vgQEj73Kxp+9yn1v5gPR1pnc4oLM2a0kaWwBOsB6rzCIy6znwnvwCY1xRvQhRlJSAyJbloL7wZFIJ2FOR8Cz+8ZQWXU2syG+udi4EnWqLgFYowF9zK+o79az597eNPAjsHZ/C2oL/+6qY5a/f1z8bQPrHC4GpFfAEJhh/+NnAgMBAAE=-----END RSA PUBLIC KEY-----"'

To add rewrite an action to encrypt an HTTP header request by using the NetScaler command interface:

add rewrite action encrypt_act insert_http_header encrypted_data

'HTTP.REQ.HEADER("data_to_encrypt").PKEY_ENCRYPT_PEM(pubkey).B64ENCODE'

To add rewrite policy by using the NetScaler command interface:

add rewrite policy encrypt_pol 'HTTP.REQ.HEADER("data_to_encrypt").EXISTS' encrypt_act

To bind rewrite policy global by using the NetScaler command interface:

bind rewrite global encrypt_pol 10 -type RES_DEFAULT

To verify RSA encryption by using the NetScaler command interface:

>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/

* About to connect() to 10.217.24.7 port 80 (#0)

*   Trying 10.217.24.7...

* connected

* Connected to 10.217.24.7 (10.217.24.7) port 80 (#0)

> GET / HTTP/1.1

> User-Agent: curl/7.24.0 (amd64-portbld-freebsd8.4) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.3

> Host: 10.217.24.7

> Accept: */*

> data_to_encrypt: Now is the time that tries men's souls

>

< HTTP/1.1 200 OK

< Date: Mon, 09 Oct 2017 05:22:37 GMT

< Server: Apache/2.2.24 (FreeBSD) mod_ssl/2.2.24 OpenSSL/0.9.8y DAV/2

< Last-Modified: Thu, 20 Feb 2014 20:29:06 GMT

< ETag: "6bd9f2-2c-4f2dc5b570880"

< Accept-Ranges: bytes

< Content-Length: 44

< Content-Type: text/html

< encrypted_data: UliegKBJqZd7JdaC49XMLEK1+eQN2rEfevypW91gKvBVlaKM9N9/C2BKuztS99SE0xQaisidzN5IgeIcpQMn+CiKYVlLzPG1RuhGaqHYzIt6C8A842da7xE4OlV5SHwScqkqZ5aVrXc3EwtUksna7jOLr40aLeXnnB/DB11pUAE=


<

* Connection #0 to host 10.217.24.7 left intact

<html><body><h1>It works!</h1></body></html>* Closing connection #0

Subsequent execution of this curl command with the same data to encrypt shows that the encrypted data is different each execution. This is because the padding inserts random bytes at the beginning of the data to encrypt, causing the encrypted data to be different each time.

>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/

. . .

< encrypted_data: DaOjtl1Pl4DlQKf58MMeL4cFwFvZwhjMqv5aUYM5Iyzk4UpwIYhpRvgTNu2lXEVc1H0tcR1EGC/ViQncLc4EbTurCWLbzjce3+fknnMmzF0lRT6ZZXWbMvsNFOxDA1SnuAgwxWXy/ooe9Wy6SYsL2oi1sr5wTG+RihDd9zP+P14=

>curl -v -H "data_to_encrypt: Now is the time that tries men's souls" http://10.217.24.7/

. . .

< encrypted_data: eej6YbGP68yHn48qFUvi+fkG+OiO8j3yYLScrRBU+TPQ8WeDVaWnDNAVLvL0ZYHHAU1W2YDRYb+8cdKHLpW36QbI6Q5FfBuWKZSI2hSyUvypTpCoAYcHXFv0ns+tRtg0EPNNj+lyGjKQWtFi6K8IXXISoDy42FblKIlaA7gEriY=

Policy-based RSA encryption by using the GUI

The GUI enables you to complete the following tasks:

To add RSA public key as a policy expression by using the GUI:

  1. Sign into the NetScaler appliance and navigate to Configurations > AppExpert > Advanced Expressions.
  2. In the details pane, click Add to define an RSA public key as an advanced policy expression.
  3. In Create Expression page, set the following parameters:
    1. Expression name. Name of the advanced expression.
    2. Expression. Define RSA public key as an advanced expression using the Expression Editor.
    3. Comments. A brief description of the expression.
  4. Click Create.

To add rewrite an action to encrypt an HTTP header request by using the GUI:

  1. Sign into the NetScaler appliance and navigate to Configurations > AppExpert > Rewrite > Actions.
  2. In the details pane, click Add to add a rewrite action.
  3. In the Create Rewrite Action screen, set the following parameters:
    1. Name. Name of the rewrite action.
    2. Type. Select action type as INSERT_HTTP_HEADER.
    3. Use the action type to insert a header. Enter the name of the HTTP header that needs to be rewritten.
    4. Expression. Name of the advanced policy expression associated to the action.
    5. Comments. A brief description of the rewrite action.
  4. Click Create.

To add rewrite advanced policy by using the GUI:

  1. Sign into the NetScaler appliance and navigate to Configurations > AppExpert > Rewrite > Policies.
  2. In the Rewrite Policies page, click Add to add a rewrite policy.
  3. In the Create Rewrite Policy page, set the following parameters:
    1. Name. Name of the rewrite policy.
    2. Action. Name of the rewrite action to perform if the request or response matches this rewrite policy.
    3. Log Action. Name of message log action to use when a request matches this policy.
    4. Undefined-Result Action. Action to perform if the result of policy evaluation is undefined.
    5. Expression. Name of the advanced policy expression that triggers the action.
    6. Comments. A brief description of the rewrite action.
  4. Click Create.**

To bind rewrite policy global by using the GUI:

  1. Sign into the NetScaler appliance and navigate to Configurations > AppExpert > Rewrite > Policies.
  2. In the Rewrite Policies screen, select a rewrite policy that you want to bind and click Policy Manager.
  3. In the Rewrite Policy Manager page, in the Bind Points section, set the following parameters:
    1. Bind Point. Select the binding point as Default Global.
    2. Protocol. Select the protocol type as HTTP.
    3. Connection Type. Select the connection type as Request.
    4. Click Continue to view the Policy Binding section.
    5. In the Policy Binding section, select the rewrite policy and set the bind parameters.
  4. Click Bind.

Example 10: Policy-based RSA Encryption