Manual Chapter : Encrypting Data on the Application Level

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.1.0
Manual Chapter

Encrypting Data on the Application Level

Overview: Encrypting Data on the Application Level

Application Layer Encryption protects against credential theft from man-in-the-middle (MITM) and MITM browser attacks, verifies whether a user is trying to use a fabricated password, validates the client-side password, and encrypts credentials in real-time upon submission.
BIG-IP DataSafe
allows you to configure data encryption on the application level, so that sensitive data entered by a user on the client-side is protected against attempted fraud attacks that occur in the web application.

Encrypting data as it leaves the web browser

Encrypt data as it leaves the web browser if you want to protect data that was entered by the user as it leaves the web browser.
  1. On the Main tab, click
    Security
    Data Protection
    BIG-IP DataSafe
    .
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click
    URL List
    .
    The URL List opens.
  4. Select the URL (or view) on which you want to encrypt data.
    The URL Properties (or View Properties) screen appears.
  5. In the URL Configuration (or View Configuration) area, select
    Application Layer Encryption
    .
    The Application Layer Encryption settings are displayed.
  6. Ensure that the
    Enabled
    check box for
    Application Layer Encryption
    is selected.
  7. If you want to use a custom encryption algorithm on parameters (instead of the BIG-IP default encryption function), click
    Customize
    and in the
    Custom Encryption Function
    field, type your custom encryption function.
    If you use a custom encryption function, you can not enable
    Real-Time Encryption
    on this URL or view. Real-Time Encryption encrypts passwords as the user types them.
    The custom encryption function encrypts all URL parameters where
    Encrypt
    is disabled and
    Substitute Value
    is enabled on the parameter.
  8. In the URL Configuration (or View Configuration) area, select
    Parameters
    .
    The Parameters list is displayed.
  9. Click the
    Add
    button.
    The Parameter Settings screen opens.
  10. In the
    Parameter Name
    field, choose one of the following types for the parameter name:
    • Explicit
      : Assign a specific parameter name.
    • Wildcard
      : Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
      *
      specifies that any parameter name is allowed.
    1. If you chose
      Explicit
      , type the parameter name.
    2. If you chose
      Wildcard
      , type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character
      Matches
      *
      All characters
      ?
      Any single character
      [abcde]
      Exactly one of the characters listed
      [!abcde]
      Any character not listed
      [a-e]
      Exactly one character in the range
      [!a-e]
      Any character not in the range
      If a wildcard character is actually used as part of a parameter name and you don't want it to be treated as a wildcard character, use
      \
      and then the character to indicate that it should not be used as a wildcard character.
      A regular expression should not be used as part of the wildcard expression for a parameter name.
  11. In the Application Layer Encryption section, select the
    Encrypt
    check box.
  12. If the parameter is for a password field and you want to use substitute values when the user inputs the password, select the
    Substitute Value
    check box.
    • This attribute should be applied only on parameters with the input type
      password
      .
    • If you assign
      Substitute Value
      to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
    If you want a custom encryption function to be applied to this parameter, do not select the check boxes for both
    Encrypt
    and
    Substitute Value
    on the parameter. If you do this, the custom encryption function will not be applied to this parameter.
  13. Click
    Create
    .
    The parameter settings are saved.
  14. Repeat steps 9-13 for every parameter you want the system to encrypt.
  15. Click
    Save
    .
    The URL (or view) configuration settings are saved.
If the form action in the HTTP request from the web page you created above does not refer to the URL of the web page, you need to also configure a URL for decrypted data.

Configuring a URL for decrypting data

You need to configure a separate URL for decrypting data only if the form action in the HTTP request from the client does not refer to the URL from which the request is being sent.
Configure a URL for decrypting data to ensure that your server can read and verify encrypted data that was sent from the client.
  1. On the Main tab, click
    Security
    Data Protection
    BIG-IP DataSafe
    .
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click
    URL List
    .
    The URL List opens.
  4. Select the check box next to the URL where the client sends encrypted data.
  5. Click the
    Clone
    button.
    The Clone URL pop-up screen opens.
  6. In the
    URL Path
    field, type the URL that is referred to in the form action of the HTTP request.
  7. Optional: In the
    Description
    field, type a description for the URL.
  8. Ensure that the
    Inject JavaScript
    setting is disabled.
  9. If the URL from which the HTTP request is being sent contains SPA views and you want the URL for decrypting data to inherit those views, select the
    Enabled
    check box by Views.
  10. Select the
    Enabled
    check box by Parameters.
  11. Click the
    Clone
    button in the Clone URL pop-up screen.
    Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.

Applying Ajax encryption on a URL or view

You can apply Ajax encryption on your web page if the web page sends data using Ajax and you want the data to be encrypted.
  1. On the Main tab, click
    Security
    Data Protection
    BIG-IP DataSafe
    .
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click
    URL List
    .
    The URL List opens.
  4. Select the URL or view on which you want to apply Ajax encryption.
    The URL Properties (or View Properties) screen appears.
  5. In the URL Configuration (or View Configuration) area, select
    Application Layer Encryption
    .
    The Application Layer Encryption settings are displayed.
  6. Select the
    Enabled
    check box for
    AJAX Encryption
    .
  7. If your web page uses JSON format for submitting data, do the following for every parameter that you want to have Ajax encryption:
    1. In the URL Configuration (or View Configuration) area, select
      Parameters
      .
    2. Click the
      Add
      button.
      The Parameter Settings screen opens.
    3. In the
      Parameter Name
      field, choose one of the following types for the parameter name:
      • Explicit
        : Assign a specific parameter name.
      • Wildcard
        : Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
        *
        specifies that any parameter name is allowed.
    4. In the Application Layer Encryption section, select both the
      Encrypt
      check box and the
      Substitute Value
      check box.
    5. In the
      Name in Request
      text box, type a mapping key for the parameter that is sent from the client to the server.
      For example, if you have a single page application form with an input field
      name
      ,
      ID
      , or
      Selector
      called
      A
      and you want to send it in the
      B
      key in the payload, type
      B
      in this text box.
      If the input field
      name
      ,
      ID
      , or
      Selector
      in the HTML of your web page has the same
      name
      ,
      ID
      , or
      Selector
      as the key in the payload, you do not need to type a mapping key in this text box.
    6. Click
      Create
      .
      The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  8. Click
    Save
    in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Configuring HTML field obfuscation

Before configuring HTML field obfuscation,
Application Layer Encryption
must be enabled on the URL or view.
Configure HTML field obfuscation if you want the BIG-IP system to encrypt the
name
attribute of all defined HTML
<input>
fields, and then decrypt them back to the original
name
on the BIG-IP system.
  1. On the Main tab, click
    Security
    Data Protection
    BIG-IP DataSafe
    .
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click
    URL List
    .
    The URL List opens.
  4. Select the URL on which you want to configure HTML field obfuscation.
    The URL Properties screen appears.
  5. In the URL Configuration (or View Configuration) area, select
    Application Layer Encryption
    .
    The Application Layer Encryption settings are displayed.
  6. Select the
    Enabled
    check box for the
    HTML Field Obfuscation
    setting.
    The
    Add Decoy Inputs
    field is displayed.
  7. Select the
    Enabled
    check box for the
    Add Decoy Inputs
    setting if you want the system to randomly, and continuously, generate and remove decoy
    <input>
    fields that are added to the web page.
    Enabling
    Add Decoy Inputs
    makes it harder for an attacker to identify sensitive information with either JavaScript or a proxy.
  8. Click
    Advanced
    and select the
    Enabled
    check box for the
    Remove Element IDs
    setting if you want the system to remove the ID attribute from URL parameters that have the
    Obfuscate
    property.
  9. In the URL Configuration (or View Configuration) area, select
    Parameters
    .
    The Parameters list is displayed.
  10. Click the
    Add
    button.
    The Parameter Settings screen opens.
  11. In the
    Parameter Name
    field, choose one of the following types for the parameter name:
    • Explicit
      : Assign a specific parameter name.
    • Wildcard
      : Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
      *
      specifies that any parameter name is allowed.
  12. In the Application Layer Encryption section, select the
    Obfuscate
    check box.
  13. Click
    Create
    .
    The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  14. Repeat steps 10-13 for every parameter you want the system to obfuscate.
  15. Click
    Save
    in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Removing JavaScript event listeners from parameters

Before you can remove JavaScript event listeners from parameters, Application Layer Encryption must be enabled on the URL or view.
You can remove JavaScript event listeners from parameters to protect sensitive data in parameters from being obtained by potential attackers.
Some web applications add non-malicious event listeners that improve functionality. If you choose to activate removal of event listeners on parameters, this will remove all event listeners, including non-malicious ones added by the web application. Take this into account before deciding to activate removal of event listeners.
  1. On the Main tab, click
    Security
    Data Protection
    BIG-IP DataSafe
    .
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click
    URL List
    .
    The URL List opens.
  4. Select the URL or view on which you want to remove JavaScript event listeners.
    The URL Properties (or View Properties) screen opens.
  5. In the URL Configuration (or View Configuration) area, select
    Application Layer Encryption
    .
    The Application Layer Encryption settings are displayed.
  6. Click
    Advanced
    and select the
    Enabled
    check box for the
    Remove Event Listeners
    setting.
  7. In the URL Configuration (or View Configuration) area, select
    Parameters
    .
    The Parameters list is displayed.
  8. Click the
    Add
    button.
    The Parameter Settings screen opens.
  9. In the
    Parameter Name
    field, choose one of the following types for the parameter name:
    • Explicit
      : Assign a specific parameter name.
    • Wildcard
      : Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression
      *
      specifies that any parameter name is allowed.
  10. In the Application Layer Encryption section, select the
    Obfuscate
    check box or the
    Substitute Value
    check box.
    If you assign the
    Substitute Value
    attribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
  11. Click
    Create
    .
    The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  12. Repeat steps 8-11 for every parameter on which you want to remove JavaScript event listeners.
  13. Click
    Save
    in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Configuring advanced encryption on a URL or view

Before configuring advanced encryption on a URL or view,
Application Layer Encryption
must be enabled on the URL or view.
Configure advanced encryption on a URL or view if you want to apply
BIG-IP DataSafe
advanced encryption methods on your web page.
  1. On the Main tab, click
    Security
    Data Protection
    BIG-IP DataSafe
    .
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click
    URL List
    .
    The URL List opens.
  4. Select the URL or view on which you want to apply advanced encryption methods.
    The URL Properties (or View Properties) screen appears.
  5. In the URL Configuration (or View Configuration) area, select
    Application Layer Encryption
    .
    The Application Layer Encryption settings are displayed.
  6. Select the
    Enabled
    check box for the
    Identify Stolen Credentials
    setting.
    When this setting is enabled, the system examines whether the user is trying to use a password that was stolen from a parameter where
    Substitute Value
    is enabled.
  7. Select the
    Enabled
    check box for the
    Keylogger Protection
    setting.
    When this setting is enabled, the system protects against in-browser key loggers.
  8. If you do not want to use the default
    BIG-IP DataSafe
    JavaScript function for assigning substitute values for HTML password input fields and prefer to use your own JavaScript function, click
    Customize
    and in the
    JavaScript Function for Substitute Values
    field, type your JavaScript function.
    The JavaScript function you type here must return substitute values for all passwords input field parameters where
    Substitute Value
    is enabled on the parameter. If you leave this field blank, the default
    BIG-IP DataSafe
    JavaScript function is used.
  9. Click
    Advanced
    and select the
    Enabled
    check box for the
    Real-Time Encryption
    setting.
    Real-Time Encryption encrypts input field parameters as the user types them.
    • The
      Real-Time Encryption
      setting does not appear if you don't have at least one parameter with the
      Encrypt
      attribute.
    • Real-Time Encryption cannot be enabled if you are also using a custom encryption function on the URL or view.
  10. Select the
    Enabled
    check box for the
    Hide Password Revealer Icon
    setting.
    When this setting is enabled, the system hides the password revealer icon on a web page, for browsers that use a password revealer icon (for example, Internet Explorer versions 10 and later).
    If you are using
    JavaScript Function for Substitute Values
    or
    Custom Encryption Function
    , you must enable
    Hide Password Revealer Icon
    . Otherwise, the user will see the actual substitute value if the user clicks the Password Revealer icon in the browser.
  11. Select the
    Enabled
    check box for the
    Prevent Password Auto-Complete
    setting.
    When this setting is enabled, the system prevents the web browser's auto-complete functionality when an end-user enters data in the web browser.
    • When
      Prevent Password Auto-Complete
      is enabled,
      Password Validation Functions
      appears. In the
      Password Validation Functions
      text box, add global functions that need to read the value of password parameters with
      Substitute Value
      enabled.
  12. Click
    Save
    in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Allowing logins after encryption failure

Allow end-user login after an encryption failure if you want to permit end-users to login to your system with Application Layer Encryption disabled after the BIG-IP system fails to decrypt an encrypted parameter.
  1. On the Main tab, click
    Security
    Data Protection
    DataSafe Profiles
    .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The
    DataSafe
    Profile Properties screen opens.
  3. In the
    DataSafe
    Configuration area, select
    Advanced
    and then
    Application Layer Encryption
    .
  4. Select the
    Enabled
    check box for
    Allow Login on Encryption Failure
    .
  5. Click
    Save
    .
    The profile is updated with the changes you made.