Wikis - Page

AES encrypt and decrypt in NetIQ Identity Manager policies

0 Likes

How to implement AES encrypt and decrypt to NetIQ Identity Manager policies using standard ecmascript tools



AES stands for Advanced Encryption Standard and is used as an encryption method in high security environments such as governmental data archives. It is a symmetric cryptographic algorithm meaning it can do crypting and decrypting making is quite useful in identity management scenarios where sensitive data can travel across network.

This example shows how to do 128-bit key AES encryption and decryption using NetIQ Identity Manager ecmascript tool utilizing standard java classes available in your IDM environment. Example has been tested in NetIQ Identity Manager 4.0.2.

Please note that today AES with 128-bit key is considered to be safe to use in securing your data but transfers across insecure networks should also include encryption on a connection level.

Also note that standard java libraries will give you maximum of 128-bit keys but you can upgrade to 256-bits by installing Java Cryptography Extensions.

Following is the implementation.

Common functions



First we add the common functions needed both in encrypting and decrypting. Do the following:

  • In your Designer create a new ecmascript object in your driver set library

  • Insert following common functions to the ecmascript editor for the newly created object (see explanation below):




function generateKey(keyValue, ALGO) {
var key = new Packages.javax.crypto.spec.SecretKeySpec(keyValue, ALGO);
return key;
}

function makeBytes(keyValue) {
var bytes = [];
for (var i = 0; i < keyValue.length; i) {
bytes.push(keyValue.charCodeAt(i));
}
return(bytes);
}


Explanations for the functions:

  • Function generateKey will create a valid key object from the array of bytes and algorithm it is given. This would be AES for us now.

  • Function makeBytes creates a byte array for the encryption process from the key string we use.



Encrypt



Now we are using the functions provided above and we can insert following code to the Ecmascript editor:


function encrypt(Data, keyValue) {
var keyValue = makeBytes(keyValue);
var ALGO = "AES";
var key = generateKey(keyValue,ALGO);
var c = new Packages.javax.crypto.Cipher.getInstance(ALGO);
c.init(Packages.javax.crypto.Cipher.ENCRYPT_MODE, key);
var encVal = c.doFinal(makeBytes(Data));
var encryptedValue = new Packages.sun.misc.BASE64Encoder().encode(encVal);
return encryptedValue;
}


Explanations for the operations above:

  • Form a key array of bytes from the given key string

  • Define the algorithm

  • Generate a key based on byte array and algorithm

  • Initialize the engine encrypt mode

  • Encode the result with Base64 and return the value



Decrypt



Again using the common functions we are ready to insert the decrypt code to the Ecmascript editor:


function decrypt(encryptedData, keyValue) {
var keyValue = makeBytes(keyValue);
var ALGO = "AES";
var key = generateKey(keyValue,ALGO);
var c = new Packages.javax.crypto.Cipher.getInstance(ALGO);
c.init(Packages.javax.crypto.Cipher.DECRYPT_MODE, key);
var decodedValue = new Packages.sun.misc.BASE64Decoder().decodeBuffer(encryptedData);
var decValue = c.doFinal(decodedValue);
var decryptedValue = new java.lang.String(decValue);
return decryptedValue;
}


Explanations for the operations above:

  • Form a key array of bytes from the given key string

  • Define the algorithm

  • Generate a key based on byte array and algorithm

  • Initialize the engine with decrypt mode

  • Decode the encrypted string data

  • Use java String to do a very simple conversion from byte array to string

  • Return the decrypted value



Usage



Now all we need is to deploy and start using our brand new bulletproof crypting! Do the following:

  • Deploy the ecmascript library

  • Store your key in Named password of your driver set or driver. There might be better ways to hide it but this is by far the simplest and does not expose it to the naked eye.

  • Remember to secure the key on the other end aswell. Do not leave it as a string in the middle of script code

  • Create / modify an rule to use the functions above. Use xpath expressions encrypt(string,key) to retrieve encrypted value and decrypt(string,key) to retrieve the cleartext value

  • Use hidden / encrypted / temporary attributes to increase security

  • Disable tracing for relevant actions



Example use in policy:


<do-set-local-variable notrace="true" name="encrypted_string">
<arg-string>
<token-xpath expression="myNameSpace:retrieveMyEncryptedString()"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="mykey" notrace="true" scope="policy">
<arg-string>
<token-named-password name="mySecretKey"/>
</arg-string>
</do-set-local-variable>
<do-set-src-password class-name="User" notrace="true">
<arg-string>
<token-xpath expression="es:decrypt($encrypted_string, $mykey)"/>
</arg-string>
</do-set-src-password>


That's it! I hope you find this article useful and wouldn't mind if you drop me a note about your thoughts on this.

Labels:

How To-Best Practice
Comment List
Parents Comment Children
No Data
Related
Recommended