Manual Chapter :
Encrypting Data on the Application
Level
Applies To:
Show VersionsBIG-IP ASM
- 15.1.0
Encrypting Data on the Application
Level
Overview: Encrypting Data on the Application Level
Application Layer Encryption protects against credential theft from
man-in-the-middle (MITM) and MITM browser attacks, verifies whether a user is trying to use a
fabricated password, validates the client-side password, and encrypts credentials in real-time
upon submission.
BIG-IP DataSafe
allows you to configure data
encryption on the application level, so that sensitive data entered by a user on the
client-side is protected against attempted fraud attacks that occur in the web
application.Encrypting data as it leaves the web browser
Encrypt data as it leaves the web
browser if you want to protect data that was entered by the user as it leaves the web
browser.
- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Select the URL (or view) on which you want to encrypt data.The URL Properties (or View Properties) screen appears.
- In the URL Configuration (or View Configuration) area, selectApplication Layer Encryption.The Application Layer Encryption settings are displayed.
- Ensure that theEnabledcheck box forApplication Layer Encryptionis selected.
- If you want to use a custom encryption algorithm on parameters (instead of the BIG-IP default encryption function), clickCustomizeand in theCustom Encryption Functionfield, type your custom encryption function.If you use a custom encryption function, you can not enableReal-Time Encryptionon this URL or view. Real-Time Encryption encrypts passwords as the user types them.The custom encryption function encrypts all URL parameters whereEncryptis disabled andSubstitute Valueis enabled on the parameter.
- In the URL Configuration (or View Configuration) area, selectParameters.The Parameters list is displayed.
- Click theAddbutton.The Parameter Settings screen opens.
- In theParameter Namefield, choose one of the following types for the parameter name:
- Explicit: Assign a specific parameter name.
- Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
- If you choseExplicit, type the parameter name.
- If you choseWildcard, type the wildcard expression.The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.Wildcard characterMatches*All characters?Any single character[abcde]Exactly one of the characters listed[!abcde]Any character not listed[a-e]Exactly one character in the range[!a-e]Any character not in the rangeIf a wildcard character is actually used as part of a parameter name and you don't want it to be treated as a wildcard character, use\and then the character to indicate that it should not be used as a wildcard character.A regular expression should not be used as part of the wildcard expression for a parameter name.
- In the Application Layer Encryption section, select theEncryptcheck box.
- If the parameter is for a password field and you want to use substitute values when the user inputs the password, select theSubstitute Valuecheck box.
- This attribute should be applied only on parameters with the input typepassword.
- If you assignSubstitute Valueto a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
If you want a custom encryption function to be applied to this parameter, do not select the check boxes for bothEncryptandSubstitute Valueon the parameter. If you do this, the custom encryption function will not be applied to this parameter. - ClickCreate.The parameter settings are saved.
- Repeat steps 9-13 for every parameter you want the system to encrypt.
- ClickSave.The URL (or view) configuration settings are saved.
If the form action in the HTTP request from the
web page you created above does not refer to the URL of the web page, you need to also
configure a URL for decrypted data.
Configuring a URL
for decrypting data
You need to configure a separate URL for decrypting data only if the form action in the
HTTP request from the client does not refer to the URL from which the request is being
sent.
Configure a URL for decrypting data to ensure that
your server can read and verify encrypted data that was sent from the client.
- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Select the check box next to the URL where the client sends encrypted data.
- Click theClonebutton.The Clone URL pop-up screen opens.
- In theURL Pathfield, type the URL that is referred to in the form action of the HTTP request.
- Optional: In theDescriptionfield, type a description for the URL.
- Ensure that theInject JavaScriptsetting is disabled.
- If the URL from which the HTTP request is being sent contains SPA views and you want the URL for decrypting data to inherit those views, select theEnabledcheck box by Views.
- Select theEnabledcheck box by Parameters.
- Click theClonebutton in the Clone URL pop-up screen.Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.
Applying Ajax
encryption on a URL or view
You can apply Ajax encryption on your web page if
the web page sends data using Ajax and you want the data to be encrypted.
- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Select the URL or view on which you want to apply Ajax encryption.The URL Properties (or View Properties) screen appears.
- In the URL Configuration (or View Configuration) area, selectApplication Layer Encryption.The Application Layer Encryption settings are displayed.
- Select theEnabledcheck box forAJAX Encryption.
- If your web page uses JSON format for submitting data, do the following for every parameter that you want to have Ajax encryption:
- In the URL Configuration (or View Configuration) area, selectParameters.
- Click theAddbutton.The Parameter Settings screen opens.
- In theParameter Namefield, choose one of the following types for the parameter name:
- Explicit: Assign a specific parameter name.
- Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
- In the Application Layer Encryption section, select both theEncryptcheck box and theSubstitute Valuecheck box.
- In theName in Requesttext box, type a mapping key for the parameter that is sent from the client to the server.For example, if you have a single page application form with an input fieldname,ID, orSelectorcalledAand you want to send it in theBkey in the payload, typeBin this text box.If the input fieldname,ID, orSelectorin the HTML of your web page has the samename,ID, orSelectoras the key in the payload, you do not need to type a mapping key in this text box.
- ClickCreate.The parameter settings are saved and the URL Properties (or View Properties) screen appears.
- ClickSavein the URL/View Properties screen.The configuration settings for the URL or view are saved.
Configuring HTML field obfuscation
Before configuring HTML field obfuscation,
Application Layer Encryption
must be
enabled on the URL or view.Configure HTML field obfuscation if you want the BIG-IP
system to encrypt the
name
attribute of all defined HTML
<input>
fields, and then decrypt them back to the original
name
on the BIG-IP system.- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Select the URL on which you want to configure HTML field obfuscation.The URL Properties screen appears.
- In the URL Configuration (or View Configuration) area, selectApplication Layer Encryption.The Application Layer Encryption settings are displayed.
- Select theEnabledcheck box for theHTML Field Obfuscationsetting.TheAdd Decoy Inputsfield is displayed.
- Select theEnabledcheck box for theAdd Decoy Inputssetting if you want the system to randomly, and continuously, generate and remove decoy<input>fields that are added to the web page.EnablingAdd Decoy Inputsmakes it harder for an attacker to identify sensitive information with either JavaScript or a proxy.
- ClickAdvancedand select theEnabledcheck box for theRemove Element IDssetting if you want the system to remove the ID attribute from URL parameters that have theObfuscateproperty.
- In the URL Configuration (or View Configuration) area, selectParameters.The Parameters list is displayed.
- Click theAddbutton.The Parameter Settings screen opens.
- In theParameter Namefield, choose one of the following types for the parameter name:
- Explicit: Assign a specific parameter name.
- Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
- In the Application Layer Encryption section, select theObfuscatecheck box.
- ClickCreate.The parameter settings are saved and the URL Properties (or View Properties) screen appears.
- Repeat steps 10-13 for every parameter you want the system to obfuscate.
- ClickSavein the URL/View Properties screen.The configuration settings for the URL or view are saved.
Removing JavaScript event listeners from parameters
Before you can remove JavaScript event listeners from parameters, Application Layer
Encryption must be enabled on the URL or view.
You can remove JavaScript event listeners from
parameters to protect sensitive data in parameters from being obtained by potential
attackers.
Some web applications add non-malicious event listeners that improve functionality.
If you choose to activate removal of event listeners on parameters, this will remove
all event listeners, including non-malicious ones added by the web application. Take
this into account before deciding to activate removal of event
listeners.
- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Select the URL or view on which you want to remove JavaScript event listeners.The URL Properties (or View Properties) screen opens.
- In the URL Configuration (or View Configuration) area, selectApplication Layer Encryption.The Application Layer Encryption settings are displayed.
- ClickAdvancedand select theEnabledcheck box for theRemove Event Listenerssetting.
- In the URL Configuration (or View Configuration) area, selectParameters.The Parameters list is displayed.
- Click theAddbutton.The Parameter Settings screen opens.
- In theParameter Namefield, choose one of the following types for the parameter name:
- Explicit: Assign a specific parameter name.
- Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression*specifies that any parameter name is allowed.
- In the Application Layer Encryption section, select theObfuscatecheck box or theSubstitute Valuecheck box.If you assign theSubstitute Valueattribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
- ClickCreate.The parameter settings are saved and the URL Properties (or View Properties) screen appears.
- Repeat steps 8-11 for every parameter on which you want to remove JavaScript event listeners.
- ClickSavein the URL/View Properties screen.The configuration settings for the URL or view are saved.
Configuring
advanced encryption on a URL or view
Before configuring advanced encryption on a URL or view,
Application Layer Encryption
must be
enabled on the URL or view.Configure advanced encryption on a URL or view if
you want to apply
BIG-IP
DataSafe™
advanced encryption methods
on your web page.- On the Main tab, click.The BIG-IP DataSafe screen opens.
- From the list of profiles, select the relevant profile.The DataSafe Profile Properties screen opens.
- In the DataSafe Configuration area, clickURL List.The URL List opens.
- Select the URL or view on which you want to apply advanced encryption methods.The URL Properties (or View Properties) screen appears.
- In the URL Configuration (or View Configuration) area, selectApplication Layer Encryption.The Application Layer Encryption settings are displayed.
- Select theEnabledcheck box for theIdentify Stolen Credentialssetting.When this setting is enabled, the system examines whether the user is trying to use a password that was stolen from a parameter whereSubstitute Valueis enabled.
- Select theEnabledcheck box for theKeylogger Protectionsetting.When this setting is enabled, the system protects against in-browser key loggers.
- If you do not want to use the defaultBIG-IP DataSafeJavaScript function for assigning substitute values for HTML password input fields and prefer to use your own JavaScript function, clickCustomizeand in theJavaScript Function for Substitute Valuesfield, type your JavaScript function.The JavaScript function you type here must return substitute values for all passwords input field parameters whereSubstitute Valueis enabled on the parameter. If you leave this field blank, the defaultBIG-IP DataSafeJavaScript function is used.
- ClickAdvancedand select theEnabledcheck box for theReal-Time Encryptionsetting.Real-Time Encryption encrypts input field parameters as the user types them.
- TheReal-Time Encryptionsetting does not appear if you don't have at least one parameter with theEncryptattribute.
- Real-Time Encryption cannot be enabled if you are also using a custom encryption function on the URL or view.
- Select theEnabledcheck box for theHide Password Revealer Iconsetting.When this setting is enabled, the system hides the password revealer icon on a web page, for browsers that use a password revealer icon (for example, Internet Explorer versions 10 and later).If you are usingJavaScript Function for Substitute ValuesorCustom Encryption Function, you must enableHide Password Revealer Icon. Otherwise, the user will see the actual substitute value if the user clicks the Password Revealer icon in the browser.
- Select theEnabledcheck box for thePrevent Password Auto-Completesetting.When this setting is enabled, the system prevents the web browser's auto-complete functionality when an end-user enters data in the web browser.
- WhenPrevent Password Auto-Completeis enabled,Password Validation Functionsappears. In thePassword Validation Functionstext box, add global functions that need to read the value of password parameters withSubstitute Valueenabled.
- ClickSavein the URL/View Properties screen.The configuration settings for the URL or view are saved.
Allowing logins after encryption failure
Allow end-user login after an encryption failure if
you want to permit end-users to login to your system with Application Layer Encryption
disabled after the BIG-IP system fails to decrypt an encrypted parameter.
- On the Main tab, click.The DataSafe Profiles screen opens.
- From the list of profiles, select the relevant profile.TheDataSafeProfile Properties screen opens.
- In theDataSafeConfiguration area, selectAdvancedand thenApplication Layer Encryption.
- Select theEnabledcheck box forAllow Login on Encryption Failure.
- ClickSave.The profile is updated with the changes you made.