Encryption on Application Gateway

anchoudh
Level 9

We are implementing the application gateway for a client in the UK. All the functionality is done and it's working perfectly.

Since it's a financial institution, the customer needs an encryption option. The customer is looking forward to encryption options in GED-145, the Application Gateway interface. I believe that the application gateway supports two types of encrypted connection (native or via IPSec). How do we achieve this encryption in Application Gateway?

In UCCE Configuration Manager, when we configure the Application Gateway, there is one attribute called Encryption. What does this parameter do? There is not much help provided for this particular option.

1 Reply

Gergely Szabo
VIP Alumni

Hi,

Actually, it took me two days to figure it out - the documentation does not contain any relevant information. I contacted Cisco developer support - well, they just sent me the document which is available on their web anyway.

Now, if you pay me a hundred million dollars, I might be able to tell you how to implement encryption on the GED-145 (application gateway) protocol.

The encryption used is actually DES, or, more specifically, its variant named Electronic Code Book (ECB), with no padding.

There's a preshared key on the ICM server running the Router > Application Gateway process, saved as a Windows registry key, at

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems, Inc.\ICM\[instanceName]\RouterA\Router\CurrentVersion\Configuration\ApplicationGateway called SessionKey, string "SESSIONK" by default.

When ICM Application Gateway first contacts the Application Gateway host, using the OPEN_REQ message, the third integer value will tell you whether to use encryption or not. The same message will contain the encrypted key (generated by ICM), encrypted using the preshared key, doubled (so instead of 8 bytes, it'll contain 16 bytes). You have to decrypt it using the preshared key. From now on, the payload of all messages must be encrypted/decrypted with that session key - so the QUERY_REQ and QUERY_RESP messages will have to look like: 4 bytes: message length, 4 bytes: message type, n bytes: encrypted payload. A new session key will be generated on ICM with a new session.

This provides end-to-end encryption between the ICM router and the host. Of course, it never hurts to combine this with IPSEC on the network level I guess if you are paranoid.

Hope this helps.

G.
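The session-key unwrap and the message framing described in the reply above, as an added example written for this page in Go's standard-library crypto/des (it is not Cisco's code, nor code from the original poster). It uses the default preshared key "SESSIONK" from the reply and a constructed sample session key. Several details the reply leaves open are assumptions here and are marked as such in the comments: integers are big-endian, the 4-byte length counts the whole frame including its 8-byte header, and the 16-byte key field is treated as the 8-byte session key written twice, of which the first 8 bytes are used. The repeatedBlocks helper is included because ECB with no padding leaks repeated plaintext blocks, which is the property a reviewer of such a deployment would want to be able to point at in a capture.

```go
// Added example for the GED-145 encryption scheme as described in the forum
// reply: DES in ECB mode, no padding, session key wrapped under a preshared
// key. Assumptions not stated on the page: big-endian integers, the length
// field counts the whole frame, and the 16-byte key field is the 8-byte
// session key doubled.
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"errors"
	"fmt"
)

// desECB applies raw DES block by block (that is ECB) with no padding, so the
// input length must be a multiple of the 8-byte DES block size.
func desECB(key, data []byte, decrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key) // DES requires an 8-byte key
	if err != nil {
		return nil, err
	}
	if len(data)%des.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d and the protocol has no padding", len(data), des.BlockSize)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += des.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
		} else {
			block.Encrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
		}
	}
	return out, nil
}

// decryptSessionKey unwraps the 16-byte key field from OPEN_REQ with the
// preshared key. Assumption: the field is the session key doubled, so the
// first decrypted block is the 8-byte DES session key.
func decryptSessionKey(preshared, field []byte) ([]byte, error) {
	if len(field) != 2*des.BlockSize {
		return nil, fmt.Errorf("session key field must be 16 bytes, got %d", len(field))
	}
	plain, err := desECB(preshared, field, true)
	if err != nil {
		return nil, err
	}
	return plain[:des.BlockSize], nil
}

// encodeMessage builds a QUERY_REQ/QUERY_RESP-style frame:
// 4 bytes length, 4 bytes type, n bytes payload encrypted under sessionKey.
func encodeMessage(sessionKey []byte, msgType uint32, payload []byte) ([]byte, error) {
	enc, err := desECB(sessionKey, payload, false)
	if err != nil {
		return nil, err
	}
	frame := make([]byte, 8+len(enc))
	binary.BigEndian.PutUint32(frame[0:4], uint32(len(frame))) // assumed: whole-frame length
	binary.BigEndian.PutUint32(frame[4:8], msgType)
	copy(frame[8:], enc)
	return frame, nil
}

// decodeMessage checks the header against the actual frame size before
// decrypting, so a truncated or oversized frame is rejected rather than
// silently producing garbage.
func decodeMessage(sessionKey, frame []byte) (uint32, []byte, error) {
	if len(frame) < 8 {
		return 0, nil, errors.New("frame shorter than the 8-byte header")
	}
	if n := binary.BigEndian.Uint32(frame[0:4]); int(n) != len(frame) {
		return 0, nil, fmt.Errorf("length field %d does not match frame size %d", n, len(frame))
	}
	msgType := binary.BigEndian.Uint32(frame[4:8])
	payload, err := desECB(sessionKey, frame[8:], true)
	return msgType, payload, err
}

// repeatedBlocks reports whether two 8-byte ciphertext blocks are identical.
// Under ECB that means the corresponding plaintext blocks were identical,
// which is the mode's well-known leak and is visible in a plain capture.
func repeatedBlocks(ct []byte) bool {
	seen := map[[8]byte]bool{}
	for i := 0; i+8 <= len(ct); i += 8 {
		var b [8]byte
		copy(b[:], ct[i:i+8])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

func main() {
	preshared := []byte("SESSIONK") // default value named in the reply
	session := []byte("K3Y-0001")   // constructed sample session key
	// What ICM would place in OPEN_REQ under the doubled-key assumption.
	field, _ := desECB(preshared, append(append([]byte{}, session...), session...), false)
	key, _ := decryptSessionKey(preshared, field)
	fmt.Println("session key recovered:", bytes.Equal(key, session))
	frame, _ := encodeMessage(key, 7, []byte("ABCDEFGHABCDEFGH")) // constructed 16-byte payload
	typ, payload, err := decodeMessage(key, frame)
	fmt.Printf("type=%d payload=%q err=%v\n", typ, payload, err)
	fmt.Println("ECB leak visible in key field:", repeatedBlocks(field), "and in payload:", repeatedBlocks(frame[8:]))
}
```

Note that the wrapped key field itself shows the ECB property: two equal plaintext blocks under the preshared key give two equal ciphertext blocks, so the 16-byte field is always one 8-byte value repeated.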