Manual Chapter : Encrypting Data on the Application Level

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.1.0
Manual Chapter

Encrypting Data on the Application Level

Overview: Encrypting Data on the Application Level

Application Layer Encryption protects against credential theft from man-in-the-middle (MITM) and MITM browser attacks, verifies whether a user is trying to use a fabricated password, validates the client-side password, and encrypts credentials in real-time upon submission. BIG-IP DataSafe allows you to configure data encryption on the application level, so that sensitive data entered by a user on the client-side is protected against attempted fraud attacks that occur in the web application.

Encrypting data as it leaves the web browser

Encrypt data as it leaves the web browser if you want to protect data that was entered by the user as it leaves the web browser.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL (or view) on which you want to encrypt data.
    The URL Properties (or View Properties) screen appears.
  5. In the URL Configuration (or View Configuration) area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Ensure that the Enabled check box for Application Layer Encryption is selected.
  7. If you want to use a custom encryption algorithm on parameters (instead of the BIG-IP® default encryption function), in the Custom Encryption Function field, type your custom encryption function.
    Note: If you use a custom encryption function, you can not enable Real-Time Encryption on this URL or view. Real-Time Encryption encrypts passwords as the user types them.
    The custom encryption function encrypts all URL parameters where Encrypt is disabled and Substitute Value is enabled on the parameter.
  8. In the URL Configuration (or View Configuration) area, select Parameters.
  9. Click the Add button.
    The Parameter Settings screen opens.
  10. In the Parameter Name field, choose one of the following types for the parameter name:
    • Explicit: Assign a specific parameter name.
    • Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    1. If you chose Explicit, type the parameter name.
    2. If you chose Wildcard, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. This following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character Matches
      * All characters
      ? Any single character
      [abcde] Exactly one of the characters listed
      [!abcde] Any character not listed
      [a-e] Exactly one character in the range
      [!a-e] Any character not in the range

      If a wildcard character is actually used as part of a parameter name and you don't want it to be treated as a wildcard character, use \ and then the character to indicate that it should not be used as a wildcard character.

      Note: A regular expression should not be used as part of the wildcard expression for a parameter name.
  11. In the Application Layer Encryption section, select the Encrypt check box.
  12. If the parameter is for a password field and you want to use substitute values when the user inputs the password, select the Substitute Value check box.
    Note:
    • This attribute should be applied only on parameters with the input type password.
    • If you assign Substitute Value to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
    Important: If you want a custom encryption function to be applied to this parameter, do not select the check boxes for both Encrypt and Substitute Value on the parameter. If you do this, the custom encryption function will not be applied to this parameter.
  13. Click Create.
    The parameter settings are saved.
  14. Repeat steps 9-13 for every parameter you want the system to encrypt.
  15. Click Save.
    The URL (or view) configuration settings are saved.
If the form action in the HTTP request from the web page you created above does not refer to the URL of the web page, you need to also configure a URL for decrypted data.

Configuring a URL for decrypting data

You need to configure a separate URL for decrypting data only if the form action in the HTTP request from the client does not refer to the URL from which the request is being sent.
Configure a URL for decrypting data to ensure that your server can read and verify encrypted data that was sent from the client.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the check box next to the URL where the client sends encrypted data.
  5. Click the Clone button.
    The Clone URL pop-up screen opens.
  6. In the URL Path field, type the URL that is referred to in the form action of the HTTP request.
  7. Optional: In the Description field, type a description for the URL.
  8. Ensure that the Inject JavaScript setting is disabled.
  9. If the URL from which the HTTP request is being sent contains SPA views and you want the URL for decrypting data to inherit those views, select the Enabled check box by Views.
  10. Select the Enabled check box by Parameters.
  11. Click the Clone button in the Clone URL pop-up screen.
    Note: Once the new URL is created, there is no further dependency on the source URL and any future changes made to the source URL are not inherited by the new URL.

Applying Ajax encryption on a URL or view

You can apply Ajax encryption on your web page if the web page sends data using Ajax and you want the data to be encrypted.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL or view on which you want to apply Ajax encryption.
    The URL Properties (or View Properties) screen appears.
  5. In the URL Configuration (or View Configuration) area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Select the Enabled check box for AJAX Encryption.
  7. If your web page uses JSON format for submitting data, do the following for every parameter that you want to have Ajax encryption:
    1. In the URL Configuration (or View Configuration) area, select Parameters.
    2. Click the Add button.
      The Parameter Settings screen opens.
    3. In the Parameter Name field, choose one of the following types for the parameter name:
      • Explicit: Assign a specific parameter name.
      • Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    4. In the Application Layer Encryption section, select both the Encrypt check box and the Substitute Value check box.
    5. In the AJAX Mapping text box, type a mapping key for the parameter that is sent from the client to the server.
      For example, if you have a single page application form with an input field name or ID called A and you want to send it in the B key in the JSON file, type B in this text box.
      Note: If the input field name or ID in the HTML of your web page has the same name or ID as the key of the JSON file, you do not need to type a mapping key in this text box.
    6. Click Create.
      The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  8. Click Save in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Configuring HTML field obfuscation

Before configuring HTML field obfuscation, Application Layer Encryption must be enabled on the URL or view.
Configure HTML field obfuscation if you want the BIG-IP® system to encrypt the name attribute of all defined HTML <input> fields, and then decrypt them back to the original name on the BIG-IP system.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL on which you want to configure HTML field obfuscation.
    The URL Properties screen appears.
  5. In the URL Configuration (or View Configuration) area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Select the Enabled check box for the HTML Field Obfuscation setting.
    The Add Decoy Inputs and Remove Element IDs fields are displayed.
  7. Select the Enabled check box for the Add Decoy Inputs setting if you want the system to randomly, and continuously, generate and remove decoy <input> fields that are added to the web page.
    Enabling Add Decoy Inputs makes it harder for an attacker to identify sensitive information with either JavaScript or a proxy.
  8. Select the Enabled check box for the Remove Element IDs setting if you want the system to remove the ID attribute from URL parameters that have the Obfuscate property.
  9. In the URL Configuration (or View Configuration) area, select Parameters.
  10. Click the Add button.
    The Parameter Settings screen opens.
  11. In the Parameter Name field, choose one of the following types for the parameter name:
    • Explicit: Assign a specific parameter name.
    • Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
  12. In the Application Layer Encryption section, select the Obfuscate check box.
  13. Click Create.
    The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  14. Repeat steps 10-13 for every parameter you want the system to obfuscate.
  15. Click Save in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Removing JavaScript event listeners from parameters

Before you can remove JavaScript event listeners from parameters, Application Layer Encryption must be enabled on the URL or view.
You can remove JavaScript event listeners from parameters to protect sensitive data in parameters from being obtained by potential attackers.
Note: Some web applications add non-malicious event listeners that improve functionality. If you choose to activate removal of event listeners on parameters, this will remove all event listeners, including non-malicious ones added by the web application. Take this into account before deciding to activate removal of event listeners.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL or view on which you want to remove JavaScript event listeners.
    The URL Properties (or View Properties) screen opens.
  5. In the URL Configuration (or View Configuration) area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Select the Enabled check box for the Remove Event Listeners setting.
  7. In the URL Configuration (or View Configuration) area, select Parameters.
  8. Click the Add button.
    The Parameter Settings screen opens.
  9. In the Parameter Name field, choose one of the following types for the parameter name:
    • Explicit: Assign a specific parameter name.
    • Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
  10. In the Application Layer Encryption section, select the Obfuscate check box or the Substitute Value check box.
    Note: If you assign the Substitute Value attribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
  11. Click Create.
    The parameter settings are saved and the URL Properties (or View Properties) screen appears.
  12. Repeat steps 8-11 for every parameter on which you want to remove JavaScript event listeners.
  13. Click Save in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Configuring advanced encryption on a URL or view

Before configuring advanced encryption on a URL or view, Application Layer Encryption must be enabled on the URL or view.
Configure advanced encryption on a URL or view if you want to apply BIG-IP® DataSafe™ advanced encryption methods on your web page.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL or view on which you want to apply advanced encryption methods.
    The URL Properties (or View Properties) screen appears.
  5. In the URL Configuration (or View Configuration) area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Select the Enabled check box for the Identify Stolen Credentials setting.
    When this setting is enabled, the system examines whether the user is trying to use a password that was stolen from a parameter where Substitute Value is enabled.
  7. Select the Enabled check box for the Hide Password Revealer Icon setting.
    When this setting is enabled, the system hides the password revealer icon on a web page, for browsers that use a password revealer icon (for example, Internet Explorer versions 10 and later).
    Note: If you are using JavaScript Function for Substitute Values or Custom Encryption Function, you must enable Hide Password Revealer Icon. Otherwise, the user will see the actual substitute value if the user clicks the Password Revealer icon in the browser.
  8. Select the Enabled check box for the Keylogger Protection setting.
    When this setting is enabled, the system protects against in-browser key loggers.
  9. Select the Enabled check box for the Real-Time Encryption setting.
    Real-Time Encryption encrypts input field parameters as the user types them.
    Note:
    • The Real-Time Encryption setting does not appear if you don't have at least one parameter with the Encrypt attribute.
    • Real-Time Encryption cannot be enabled if you are also using a custom encryption function on the URL or view.
  10. Select the Enabled check box for the Prevent Password Auto-Complete setting.
    When this setting is enabled, the system prevents the web browser's auto-complete functionality when an end-user enters data in the web browser.
    • When Prevent Password Auto-Complete is enabled, Password Validation Functions appears. In the Password Validation Functions text box, add global functions that need to read the value of password parameters with Substitute Value enabled.

  11. If you do not want to use the default BIG-IP DataSafe JavaScript function for assigning substitute values for HTML password input fields and prefer to use your own JavaScript function, in the JavaScript Function for Substitute Values field, type your JavaScript function.
    The JavaScript function you type here must return substitute values for all passwords input field parameters where Substitute Value is enabled on the parameter. If you leave this field blank, the default BIG-IP DataSafe JavaScript function is used.
  12. Click Save in the URL/View Properties screen.
    The configuration settings for the URL or view are saved.

Allowing logins after encryption failure

Allow end-user login after an encryption failure if you want to permit end-users to login to your system with Application Layer Encryption disabled after the BIG-IP system fails to decrypt an encrypted parameter.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, select Advanced and then Application Layer Encryption.
  4. Select the Enabled check box for Allow Login on Encryption Failure.
  5. Click Save.
    The profile is updated with the changes you made.