Converting data hashed using the Generate Security Hash assertion
Article ID: 42960

STARTER PACK-7 CA Rapid App Security CA API Gateway

The Generate Security Hash assertion is used to generate cryptographic hashes of provided data in order to provide rudimentary data integrity checking. The assertion can produce hash-based message authentication codes (HMACs), which hash data together with a secret cryptographic key. It can also provide unauthenticated hashing with plain cryptographic hash algorithms such as MD5, SHA-1, or SHA-256. The Gateway exposes these hashes as a context variable to be used in a published service policy. In some circumstances, a hash computed by the Gateway may not appear to match the hash computed by an external tool.


A service policy might be invoked that runs a SHA-1 hash function against the string helloworld. This would be executed using the Generate Security Hash assertion as follows:

<Please see attached file for image>

An assertion configured to generate a SHA-1 hash of a string

This would result in the following hash sum being presented:

<Please see attached file for image>

An audit record displaying the hashed value of a string

This hash sum may not match the hash sum produced by certain tools such as online hash generators, Linux-based hash generators (such as sha1sum or md5sum), or functions within other programming languages. The hashed value displayed above is a hash sum that has been Base64-encoded from the raw binary digest, whereas most tools and functions present hashed data encoded in Base16 (hexadecimal). For example, a comparison of the SHA-1 sum generated by the Policy Manager and a SHA-1 sum generated using the `sha1sum` tool on Unix is:
Gateway: at+xg6SiyUovktq1redipHiJpaE=
sha1sum: 6adfb183a4a2c94a2f92dab5ade762a47889a5a1

There is a marked difference between the two. It is immediately clear that the top result is Base64-encoded whereas the bottom result is Base16-encoded; both encode the same 20-byte SHA-1 digest. This gap must be addressed in order to accommodate external applications and endpoints that present SHA-1 hashes in Base16.


A Gateway service policy can be authored to decode and re-encode hashed data into an appropriate format. A hash operation is performed upon binary data, and the resulting binary digest is then encoded in a particular way for consumption. The Gateway encodes the raw hashed binary data in Base64 whereas other applications might encode it in Base16. The following service policy will hash a string, decode the hash, and re-encode it in Base16:

<Please see attached file for image>

A service policy that decodes and re-encodes hashed data into other formats.

This service will generate a particular security hash, decode it into raw binary data, and then re-encode it in Base16. Auditing the string "helloworld" would show the following results for each hashing operation:

<Please see attached file for image>

An audit record displaying the hashed values of a string

In the example above, the Base64-encoded hash is printed first and the Base16-encoded hash is printed second.
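The following Python script is an added example, not part of this article or the Gateway's own policy code, that reproduces the discrepancy shown above and performs the same decode-and-re-encode step in code. It covers both the comparison between the Gateway's Base64 output and the `sha1sum` output and the Base64-to-Base16 conversion done by the attached policy; the "helloworld" input is the article's own sample, and the `digests_match` helper (which normalises both presentations to raw bytes before a constant-time comparison) is an addition for checking an externally supplied digest against the Gateway's value.

```python
"""Reproduce the Gateway-vs-sha1sum discrepancy and convert between the two encodings."""
import base64
import binascii
import hashlib
import hmac

# Constructed sample input: the same string the article hashes.
SAMPLE = b"helloworld"


def sha1_base64(data: bytes) -> str:
    """SHA-1 digest presented the way the Gateway audit shows it: Base64 of the raw bytes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def sha1_hex(data: bytes) -> str:
    """SHA-1 digest presented the way sha1sum shows it: Base16 (lowercase hex)."""
    return hashlib.sha1(data).hexdigest()


def base64_to_hex(b64_digest: str) -> str:
    """Decode a Base64 digest to raw bytes and re-encode it in Base16.

    This is the transformation the article's service policy performs.
    """
    raw = base64.b64decode(b64_digest, validate=True)
    return raw.hex()


def hex_to_base64(hex_digest: str) -> str:
    """The reverse conversion, for tools that hand the Gateway a hex digest."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def digests_match(gateway_b64: str, external_hex: str) -> bool:
    """Compare a Gateway (Base64) digest with an external (Base16) digest.

    Both are normalised to raw bytes first, so hex casing and Base64 padding
    cannot cause a false mismatch. The byte comparison is constant-time, which
    also makes the helper suitable for comparing HMAC tags.
    """
    try:
        gateway_raw = base64.b64decode(gateway_b64, validate=True)
        external_raw = bytes.fromhex(external_hex.strip())
    except (binascii.Error, ValueError):
        return False  # malformed input is a mismatch, not an exception
    return hmac.compare_digest(gateway_raw, external_raw)


def hmac_sha256_both(key: bytes, data: bytes) -> tuple:
    """Return (Base64, Base16) presentations of a keyed HMAC-SHA256 tag.

    Shows that the same encoding difference applies to the keyed variant.
    """
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii"), tag.hex()


if __name__ == "__main__":
    gateway = sha1_base64(SAMPLE)
    print("Gateway:   ", gateway)
    print("sha1sum:   ", sha1_hex(SAMPLE))
    print("re-encoded:", base64_to_hex(gateway))
    print("match:     ", digests_match(gateway, sha1_hex(SAMPLE)))
```

Running the script prints the Base64 value the Gateway audit shows, the hex value `sha1sum` shows, and the hex value obtained by decoding the Base64 string and re-encoding it, which is identical to the `sha1sum` output.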

A service policy that is capable of this transformation is attached to this article.

Component: APIGTW