How to do RSA encryption and decryption for large payloads in Apigee Edge cloud?

sravanig231
Participant III

Hello Team,

At present we are able to do encryption and decryption for a specific field from my JSON request payload.

I have a requirement to encrypt and decrypt multiple JSON values from my request payload (the payload content has around 50 key-value pairs).

Example:

Request:

{
 "key1" : "value1",
 "key2" : "value2",
 .........
}

Response:

{
 "key1" : "******",
 "key2" : "*******",
 .........
}

Is it possible by using this https://github.com/DinoChiesa/ApigeeEdge-CustomPolicy-RsaCrypto ?

Thank you,

3 REPLIES

I'd like to understand your requirement in more detail, and I have some questions, and suggestions.

You said "Encryption", but the example you are showing indicates "*****" for value fields, which suggests to me, not an encrypted field, but a Masked field. In other words, the information is obscured or removed, but not encrypted. Can you confirm that you really want encryption?

Let me suppose that you actually want encryption. The example you gave shows individually encrypted fields, rather than a full encryption of the payload. Is that really what you want? Normally encryption is done on a full message. So that you might start with

{
 "key1" : "value1",
 "key2" : "value2",
 .........
}

And the encrypted form would be something like this:

Fdmk94dhUwqbhsd6cw9K1lPAOKBuZwcZUKOjdNZs6jyeYCzIAbogLBNHsScMUIF1c3jAwLX8uWOPVRAJOSXJxSTKPzwamVTzkGhWfFXX5ywEJSiqwyDSRA4pj96yOo8fNa43vuhimofwujc3fahgeGZbQu_H744FByR-CvjFfZyWIjEbuK7Rz1XOBIMtCi0Hnn2xsDuDD0sKSmoBe75wXVRl7mgOEmX2JgAkNVFTifUzQwKp2hwXGruRmxTTsiN4-rwHQKM1hSIlKAJKcLjozw41wFQZKFF8M8q8I8iL6M69Sa-N07_mxSvmGZ9xT6kcHyQ521khKl-Xr0kWDPHZrQ

A party that receives that latter message has no idea what the message says. There is no possibility to infer anything from the ciphertext.

But what you seem to be imagining is something different : doing the encryption on a field-by-field basis. With that, you would get something like this.

{
 "key1" : "Fdmk94dhUwqbhsd6cw9K1lPAOKBuZwcZUKOjdNZs",
 "key2" : "CvjFfZyWIjEbuK7Rz1XOBIMtCi0Hnn2xsD",
 .........
} 

I think the term of art for this is "Format Preserving Encryption". A malicious actor that views such a message may infer a great deal about the content and meaning of the message, via metadata analysis. Encrypting field-by-field is a tricky business, and you need to take care to do it in such a way that meets the privacy goals your organization has.

There are systems that do such things - Voltage SecureData from MicroFocus is one such example. But you need to be thoughtful about applying it.

OK, to answer your question.

Is it possible by using this https://github.com/DinoChiesa/ApigeeEdge-CustomPolicy-RsaCrypto ?

The RSA Callout that you referenced can perform RSA encryption of small data payloads. Maximum 214 bytes for crypto that uses modern, secure padding (OAEP). It's not going to suffice as a general solution to the goal of encrypting JSON, or of encrypting field-by-field. If the JSON exceeds 214 bytes, or in the field-by-field case, if any field exceeds 214 bytes, then the RSA crypto callout will not work.

As stated in the readme, that callout is mostly useful as a lower-level building block for encrypting something small, like an AES key, which you would use in a hybrid encryption approach. The pattern is: Use the RSA callout to generate and encrypt an AES key, then use the AES key to symmetrically encrypt any other payload you have.

The readme for the RSA callout describes this, and references an AES callout that can do the latter part.

That combination of things would avoid the problem of the 214-byte limit, because AES is a block cipher and you can encrypt data of any size. BUT, that particular AES callout does not "walk the tree" of a JSON payload and encrypt each individual field. To do something like that you'd have to write your own AES-based callout to parse the JSON, encrypt each field, and then replace the cleartext with the cipher text.

That's a job. Not a huge job, but not a 5-minute job either. You'd need to design the crypto system, figure out how you're going to generate initialization vectors, what AES mode to use, how to do the padding for small and large blocks... then get that design reviewed by people who are competent, and then build the code that does the work. So that's a job. But the scope of the work is not the main thing that recommends against doing it. The main drawback is that by doing this, you would violate the #1 rule of cyber security, which is "never roll your own encryption".

People make their careers out of analyzing the security of various security schemes. It's not just the ciphers, it's key management, metadata analysis, key strength, modes, etc. Many elements combine to create a crypto system, and if any one of them is not quite right, or if the elements are combined naively, the entire crypto system can be vulnerable.

So I would say, if you really want to encrypt things, use something that is already mature and known to work, which is stuff like XMLDSIG, or JWE.

Today, if you are handling JSON, you can use the builtin GenerateJWT policy in Apigee Edge to encrypt JWT. If you want to encrypt arbitrary data, you can use a community callout to produce a JWE. Either of these can use an RSA key. I suggest you look into those, rather than trying to invent a new scheme with lower-level building blocks.
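The 214-byte limit and the hybrid pattern described in the reply above, as an added example that is not part of the original post or of the callout's code. It uses Node's built-in crypto module and lays the result out in the JWE compact form (RSA-OAEP key wrap, A256GCM content encryption) instead of an ad-hoc format; the key pair, the 50-field payload and the function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// RSA-OAEP with SHA-1, which is what the JWE "RSA-OAEP" algorithm specifies.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha1' };
const b64u = (buf) => Buffer.from(buf).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// Constructed 2048-bit key pair, generated here only so the example runs offline.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Constructed payload with 50 key-value pairs, like the one in the question.
const payload = JSON.stringify(Object.fromEntries(
  Array.from({ length: 50 }, (_, i) => [`key${i + 1}`, `value${i + 1}`])));

// Direct RSA-OAEP: true if the plaintext fits under the key, false if it is rejected.
function rsaDirectFits(plaintext) {
  try {
    crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(plaintext));
    return true;
  } catch (e) {
    return false; // more than 214 bytes for a 2048-bit key with this padding
  }
}

// Hybrid: a fresh AES-256 key encrypts the payload; RSA only wraps that 32-byte key.
function encryptJwe(text) {
  const header = b64u(JSON.stringify({ alg: 'RSA-OAEP', enc: 'A256GCM' }));
  const cek = crypto.randomBytes(32); // content-encryption key, one per message
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce, never reused with a key
  const wrapped = crypto.publicEncrypt({ key: publicKey, ...OAEP }, cek);
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(header, 'ascii')); // the header is authenticated too
  const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return [header, b64u(wrapped), b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

function decryptJwe(compact) {
  const [header, wrapped, iv, ct, tag] = compact.split('.');
  const cek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, unb64u(wrapped));
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, unb64u(iv));
  decipher.setAAD(Buffer.from(header, 'ascii'));
  decipher.setAuthTag(unb64u(tag)); // final() throws if anything was modified
  return Buffer.concat([decipher.update(unb64u(ct)), decipher.final()]).toString('utf8');
}

console.log('payload bytes:', Buffer.byteLength(payload), 'fits RSA directly:', rsaDirectFits(payload));
console.log('round trip ok:', decryptJwe(encryptJwe(payload)) === payload);
```
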

Hi @dchiesa1 ,

Does Apigee support Voltage encryption? If yes, then how to implement it?

Regards,

Ashmita.

If you have a new question, ask a new question.
