Converting data hashed using the Generate Security Hash assertion
search cancel

Converting data hashed using the Generate Security Hash assertion

book

Article ID: 42960

calendar_today

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Solution

Background

The Generate Security Hash assertion is used to generate cryptographic hashes of provided data in order to provide rudimentary data integrity checking. The assertion can provide hash-based message authentication codes?to hash data with a secret cryptographic key. It can also provide unauthenticated hashing with simple cryptographic hash algorithms such as MD5, SHA-1, or SHA-256. The Gateway will provide these hashes as a context variable to be utilized or leveraged in a published service policy. In some circumstances, a hash function performed by the Gateway may not match a hash function performed by an external tool

Presentation

A service policy might be invoked that runs a SHA-1 hash function against a string:?helloworld. This would be executed using the Generate Security Hash?assertion as follows:

<Please see attached file for image>

An assertion configured to generate a SHA-1 hash of a string

This would result in the following hash sum being presented:

<Please see attached file for image>

An audit record displaying the hashed value of a string

This hash sum may not match the hash sum provided by certain tools such as online hash generators, Linux-based hash generators (such as sha1sum or md5sum), or applications or functions within other programming languages. For example, the hashed value displayed above is a hash some that has been Base64-encoded from the raw binary data. Most tools and functions present hashed data encoded in Base16. For example, a comparison of the SHA-1 sum generated by the Policy Manager and a SHA-1 sum generated using the `sha1sum` tool from Unix is:
Gateway: at+xg6SiyUovktq1redipHiJpaE=
sha1sum: 6adfb183a4a2c94a2f92dab5ade762a47889a5a1

There is a marked difference between the two. It is immediately clear that the top result is Base64-encoded whereas the bottom result is Base16-encoded. This gap must be addressed in order to accommodate for certain external applications and endpoints that may present SHA-1 hashes in Base16.

Resolution

A Gateway service policy can be authored to decode and re-encode hashed data into an appropriate format. A hash operation is performed upon binary data and then encoded in a certain way for consumption. The Gateway encodes the raw hashed binary data in Base64 whereas other applications might encode it in Base16. The following service policy displayed below will hash a string, decode it, and re-encode it in Base16:

<Please see attached file for image>

A service policy that decodes and re-encodes hashed data into other formats.

This service will generate a particular security hash, decode it into raw binary data and then re-encode it in base16. Auditing a string of "helloworld" would show the following results for each hashing operation:

<Please see attached file for image>

An audit record displaying the hashed values of a string

In the example above, the base64-encoded hash is printed first and the base16-encoded hash is printed second.

A service policy that is capable of this transformation is attached to this article.

Attachments:

Environment

Release:
Component: APIGTW

Attachments

1558722860687000042960_sktwi1f5rjvs16wmj.jpeg get_app
1558722858653000042960_sktwi1f5rjvs16wmi.jpeg get_app
1558722856687000042960_sktwi1f5rjvs16wmh.jpeg get_app
1558722854570000042960_sktwi1f5rjvs16wmg.jpeg get_app
1558534576289TEC0000001256.zip get_app
Powered by Wolken Software