How to perform AES-256 symmetric field Level Encryption using Javascript/Node in Apigee

Hi All,

Please let me know the procedure/steps to perform AES-256 symmetric field-level encryption for a particular input field value.

Thanks.


You can do AES encryption in a JS callout, but it's probably not a good idea for a production system that will run at scale.

JS is not ideal for crypto in general, and the JS callout in Apigee Edge is especially non-optimal from a compute perspective. In my onesy-twosy tests, some encryption of small payloads can take over 2 seconds. That's just not acceptable.

Even so, it is possible. Attached here is a demonstration API Proxy that uses the sjcl for doing AES crypto.

apiproxy-sjcl-demo.zip

This demonstration shows encryption of the entire request.content. It looks like this:

curl -i https://amer-demo2-test.apigee.net/sjcl-demo/encrypt?passphrase=IloveAPIs\! -d 'The quick brown fox jumps over the lazy dog.' 
HTTP/1.1 200 OK
Date: Mon, 18 Dec 2017 19:29:38 GMT
Content-Type: application/json
Content-Length: 245
Connection: keep-alive
{
    ciphertext: {"iv":"r3hPe5/ArYUYIrM5AW07NQ==","v":1,"iter":10000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"bMZSe6Zmew8=","ct":"52jkovk/wJYM4hOpS5gUA89XhWmT0wwvRSjFuo0QgyrIB4/WISgIx5rfHZVREsLNbhJBoA=="},
    error: ""
}

You said you want to encrypt "a particular field value".

To use this to encrypt just "one field", you would need to modify the policy config to encrypt the variable holding the field. If the input is JSON, this means you would need to shred the JSON and then re-serialize it.

To make it more robust, you will want to handle passphrases more securely; passing them in query params is a huge no-no. Don't do that.

But seriously, though: don't bother with any of that. Do encryption in a Java callout.

----

ps: Apigee have looked at adding AES encrypt/decrypt to the existing functions available to a Message Template. This would provide the performance advantage of Java with the convenience of a simple policy. It might look like this:

<AssignMessage name='AM-example-1'>
  <AssignVariable>
    <Name>ciphertext</Name>
    <Template>{aesEncrypt(variableContainingPassphrase,variableContainingCleartext)}</Template>
  </AssignVariable>
</AssignMessage>

We've considered it, but we haven't implemented this yet.

BTW, here is a Java callout that performs AES encryption of arbitrary context variables.

It's fast, much faster than the JS variation. You don't need to compile Java to use it. Check the readme.

Thank you much @Dino. It helps a lot. I will implement it and get back to you!