Manual Chapter : Encrypting Data on the Application Level

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Overview: Encrypting Data on the Application Level

Application Layer Encryption verifies whether the user was trying to use a fabricated password, validates the client-side password, encrypts credentials in real-time upon submission, and protects against in-browser key loggers by generating fake keyboard events. DataSafe™ allows you to configure data encryption on the application level, so that sensitive data entered (input) by a user on the client-side is protected against attempted fraud attacks that occur in the web application.

Task Summary

Encrypting data as it leaves the web browser

Encrypt data as it leaves the web browser if you want to protect data that was entered by the user as it leaves the web browser.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL on which you want to encrypt data.
    The URL Properties screen appears.
  5. In URL Configuration area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Ensure that the Enabled check box for Application Layer Encryption is selected.
  7. If you want to use a custom encryption algorithm on URL parameters (instead of the BIG-IP® default encryption function), in the Custom Encryption Function field, type your custom encryption function.
    Note: If you use a custom encryption function, you can not enable Real-Time Encryption on this URL. Real-Time Encryption encrypts passwords as the user types them.
    The custom encryption function encrypts all URL parameters where Encrypt is disabled and Substitute Value is enabled on the parameter.
  8. In the URL Configuration area, select Parameters.
  9. Type a parameter name in the text field and click the Add button.
    The parameter name is added to the list of parameters in the table.
  10. In the parameter row in the table, do the following:
    • Select the Encrypt check box.
    • If the parameter is for a password field and you want to use substitute values when the user inputs the password, select the Substitute Value check box.
      Note: If you assign the Substitute Value attribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
    Important: If you want a custom encryption function to be applied to this parameter, do not select the check boxes for both Encrypt and Substitute Value on the parameter. If you do this, the custom encryption function will not be applied to this parameter.
  11. Repeat steps 9 and 10 for every URL parameter you want the system to encrypt.
  12. Click Save.
    The URL configuration settings are saved.
If the form action in the http request from the URL you created above does not refer to the URL you created above, you need to also configure a URL for decrypted data.

Applying AJAX Encryption on a URL

You can apply AJAX encryption on a URL if the web page of your URL sends AJAX data and you want it to be encrypted.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL on which you want to apply AJAX encryption.
    The URL Properties screen appears.
  5. In URL Configuration area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Select the Enabled check box for the Full AJAX Encryption setting.
  7. If your URL uses JSON format for submitting data, do the following:
    1. On the left, under URL Configuration, select Parameters.
    2. Type a parameter name or ID in the text field and click Add.
      The parameter name or ID is added to the list of parameters in the table.
    3. In the parameter row in the table, select both the Encrypt check box and the Substitute Value check box.
    4. In the AJAX Mapping text box, type a mapping key for the parameter that is sent from the client to the server.
      For example, if you have a single page application form with an input field name or ID called A and you want to send it in the B key in the JSON file, type B in this text box.
      Note: If the input field name or ID in the HTML of your web page has the same name or ID as the key of the JSON file, you do not need to type a mapping key in this text box.
  8. Click Save.
    The URL configuration settings are saved.

Configuring a URL for decrypting data

You need to configure a separate URL for decrypted data only if the form action in the HTTP request from the client does not refer to the URL from which the request is being sent.
Configure a URL for decrypted data to ensure that your server can read and verify encrypted data that was sent from the client.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the check box next to the URL where the client sends encrypted data.
  5. Click the Clone button.
    The Clone URL pop-up screen opens.
  6. In the URL Path field, type the URL that is referred to in the form action of the HTTP request.
  7. Optional: In the Description field, type a description for the URL.
  8. If you don’t want to encrypt data on the web page of the URL that you are cloning, disable the Inject JavaScript setting.
  9. Click the Clone button in the Clone URL pop-up screen.
    Note: A cloned URL inherits all properties from the original URL, including parameters. However, once the cloned URL is created, there is no further dependency, and any future changes made in the original URL are not inherited by the cloned URL.

Configuring HTML field obfuscation

Before configuring HTML field obfuscation, Application Layer Encryption must be enabled on the URL.
Configure HTML field obfuscation if you want the BIG-IP® system to encrypt the name attribute of all defined HTML <input> fields, and then decrypt them back to the original name on the BIG-IP system.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL on which you want to configure HTML field obfuscation.
    The URL Properties screen appears.
  5. In URL Configuration area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Select the Enabled check box for the HTML Field Obfuscation setting.
    The Add Decoy Inputs and Remove Element IDs fields are displayed.
  7. Select the Enabled check box for the Add Decoy Inputs setting if you want the system to randomly, and continuously, generate and remove decoy <input> fields that are added to the web page.
    Enabling Add Decoy Inputs makes it harder for an attacker to identify sensitive information with either JavaScript or a proxy.
  8. Select the Enabled check box for the Remove Element IDs setting if you want the system to remove the ID attribute from URL parameters that have the Obfuscate property.
  9. In the URL Configuration area, select Parameters.
  10. Type a parameter name in the text field and click the Add button.
    The parameter name is added to the list of parameters in the table.
  11. In the parameter row within the table, select Obfuscate.
  12. Repeat steps 10 and 11 for every URL parameter you want the system to obfuscate.
  13. Click Save.
    The URL configuration settings are saved.

Removing JavaScript event listeners from URL parameters

Before you can remove JavaScript event listeners from URL parameters, Application Layer Encryption must be enabled on the URL.
You can remove JavaScript event listeners from URL parameters to protect sensitive data in URL parameters from being obtained by potential attackers.
Note: Some web applications add non-malicious event listeners that improve functionality. If you choose to activate removal of event listeners on URL parameters, this will remove all event listeners, including non-malicious ones added by the web application. You should take this into account before deciding to activate removal of event listeners.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL on which you want to remove JavaScript event listeners.
    The URL Properties screen opens.
  5. In URL Configuration area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Select the Enabled check box for the Remove Event Listeners setting.
  7. In the URL Configuration area, select Parameters.
  8. Type a parameter name in the text field and click the Add button.
    The parameter name is added to the list of parameters in the table.
  9. In the parameter row within the table, select Obfuscate or Substitute Value.
    Note: If you assign the Substitute Value attribute to a password parameter, the web browser’s auto-complete feature for passwords does not work on this parameter.
  10. Repeat steps 8 and 9 for every URL parameter on which you want to remove JavaScript event listeners.
  11. Click Save.
    The URL configuration settings are saved.

Configuring advanced encryption on a URL

Before configuring advanced encryption on a URL, Application Layer Encryption must be enabled on the URL.
Configure advanced encryption on a URL if you want to apply on your URL the advanced encryption methods provided by BIG-IP® DataSafe™.
  1. On the Main tab, click Security > Data Protection > DataSafe Profiles .
    The DataSafe Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the URL on which you want to apply advanced encryption methods.
    The URL Properties screen appears.
  5. In URL Configuration area, select Application Layer Encryption.
    The Application Layer Encryption settings are displayed.
  6. Select the Enabled check box for the Identify Stolen Credentials setting.
    When this setting is enabled, the system examines whether the user is trying to use a password that was stolen from a parameter where Substitute Value is enabled.
  7. Select the Enabled check box for the Hide Password Revealer Icon setting.
    When this setting is enabled, the system hides the password revealer icon on a web page, for browsers that use a password revealer icon (for example, Internet Explorer versions 10 and later).
    Note: If you are using JavaScript Function for Substitute Values or Custom Encryption Function, you must enable Hide Password Revealer Icon. Otherwise, the user will see the actual substitute value if the user clicks the Password Revealer icon in the browser.
  8. Select the Enabled check box for the Keylogger Protection setting.
    When this setting is enabled, the system protects against in-browser key loggers.
  9. Select the Enabled check box for the Real-Time Encryption setting.
    Real-Time Encryption encrypts input field parameters as the user types them.
    Note:
    • The Real-Time Encryption setting does not appear if you don't have at least one parameter on your URL with the Encrypt property.
    • Real-Time Encryption cannot be enabled on the URL if you are also using a custom encryption function.
  10. If you do not want to use the default BIG-IP DataSafe JavaScript function for assigning substitute values for HTML password input fields and prefer to use your own JavaScript function, in the JavaScript Function for Substitute Values field, type your JavaScript function.
    The JavaScript function you type here must return substitute values for all passwords input field parameters where Substitute Value is enabled on the parameter. If you leave this field blank, the default BIG-IP DataSafe JavaScript function is used.
  11. Click Save.
    The URL configuration settings are saved.