The Generate Security Hash assertion is used to generate cryptographic hashes of provided data in order to provide rudimentary data integrity checking. The assertion can provide hash-based message authentication codes to hash data with a secret cryptographic key. It can also provide unauthenticated hashing with simple cryptographic hash algorithms such as MD5, SHA-1, or SHA-256. The Gateway will provide these hashes as a context variable to be utilized or leveraged in a published service policy. In some circumstances, a hash function performed by the Gateway may not match a hash function performed by an external tool.
A service policy might be invoked that runs a SHA-1 hash function against a string: helloworld. This would be executed using the Generate Security Hash assertion as follows:
This would result in the following hash sum being presented:
This hash sum may not match the hash sum provided by certain tools such as online hash generators, Linux-based hash generators (such as sha1sum or md5sum), or applications or functions within other programming languages. For example, the hashed value displayed above is a hash sum that has been Base64-encoded from the raw binary data. Most tools and functions present hashed data encoded in Base16 (hexadecimal). For example, a comparison of the SHA-1 sum generated by the Policy Manager and a SHA-1 sum generated using the `sha1sum` tool from Unix is:
Gateway: at+xg6SiyUovktq1redipHiJpaE=
sha1sum: 6adfb183a4a2c94a2f92dab5ade762a47889a5a1
There is a marked difference between the two. It is immediately clear that the top result is Base64-encoded whereas the bottom result is Base16-encoded. This gap must be addressed in order to accommodate certain external applications and endpoints that may present SHA-1 hashes in Base16.
Release: API Gateway 11.x
A Gateway service policy can be authored to decode and re-encode hashed data into an appropriate format. A hash operation is performed upon binary data, and the result is then encoded in a certain way for consumption. The Gateway encodes the raw hashed binary data in Base64 whereas other applications might encode it in Base16. The following service policy will hash a string, decode the hash, and re-encode it in Base16:
This service will generate a particular security hash, decode it into raw binary data and then re-encode it in Base16. Auditing a string of "helloworld" would show the following results for each hashing operation:
In the example above, the base64-encoded hash is printed first and the base16-encoded hash is printed second.
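Added example, not part of the original article or of the Gateway product: a Python script that reproduces the two encodings shown above for the article's input string "helloworld", converts between them, and compares a Gateway-style (Base64) digest with an external (Base16) digest by canonicalising both to raw bytes. The function names are my own.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample input, matching the string used in the article.
SAMPLE = "helloworld"


def gateway_style_digest(data: str, algorithm: str = "sha1") -> str:
    """Digest `data` and return it Base64-encoded, as the Gateway presents it."""
    raw = hashlib.new(algorithm, data.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def base64_to_base16(b64_digest: str) -> str:
    """Decode a Base64 digest to raw bytes and re-encode it as lowercase hex,
    the form that sha1sum/md5sum print."""
    raw = base64.b64decode(b64_digest, validate=True)
    return raw.hex()


def base16_to_base64(hex_digest: str) -> str:
    """The reverse conversion: hex (either case) back to the Gateway's Base64 form."""
    raw = bytes.fromhex(hex_digest.strip())
    return base64.b64encode(raw).decode("ascii")


def digests_match(b64_digest: str, hex_digest: str) -> bool:
    """Compare a Gateway (Base64) digest with an external (Base16) digest.
    Both are canonicalised to raw bytes first, so the encoding difference
    cannot cause a false mismatch. Malformed input is treated as a mismatch
    rather than an exception, and the byte comparison is constant-time."""
    try:
        gateway_raw = base64.b64decode(b64_digest, validate=True)
        external_raw = bytes.fromhex(hex_digest.strip())
    except (binascii.Error, ValueError):
        return False
    return hmac.compare_digest(gateway_raw, external_raw)


if __name__ == "__main__":
    b64 = gateway_style_digest(SAMPLE)
    print("Gateway:", b64)                    # at+xg6SiyUovktq1redipHiJpaE=
    print("sha1sum:", base64_to_base16(b64))  # 6adfb183a4a2c94a2f92dab5ade762a47889a5a1
```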