Topic
  • 11 replies
  • Latest Post - ‏2013-01-23T14:07:32Z by SystemAdmin
SystemAdmin
SystemAdmin
6772 Posts

Pinned topic Password Encryption best approach.

‏2012-09-11T13:56:58Z |
Hi,

I am trying to encrypt the password using the dp:encrypt-string(algorithm,key,text) extension function. The algorithm is "http://www.w3.org/2001/04/xmlenc#aes256-cbc".
The key used is dp:generate-key('http://www.w3.org/2001/04/xmlenc#aes256-cbc').

It works with the above procedure, but I would want to use the key generated from dp:generate-uuid() and encoded to base64 using dp:encode(string, method).

I am getting "invalid key length for algorithm" exception.

Working with the below approach:
<xsl:variable name="pwd"><xsl:value-of select="//*"/></xsl:variable>
<xsl:variable name="algorithm" select="'http://www.w3.org/2001/04/xmlenc#aes256-cbc'"/>
<xsl:variable name="session-key" select="dp:generate-key('http://www.w3.org/2001/04/xmlenc#aes256-cbc')"/>
<xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$session-key,$pwd)"/>

Failed with the below approaches:

2) <xsl:variable name="session-key" select="concat('name:','CryptoKeyConfigured')"/>
<xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$session-key,$pwd)"/>

3) <xsl:variable name="uuidGenerate" select="dp:generate-uuid()"/>

<xsl:variable name="session-key_uid" select="dp:encode($uuidGenerate,'base-64')"/>
<xsl:variable name="session-key" select="concat('key:',$session-key_uid)"/>
<xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$session-key,$pwd)"/>
Please let me know your thoughts.

Thanks,
Updated on 2013-01-23T14:07:32Z at 2013-01-23T14:07:32Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-11T14:55:02Z  
    Hi

    For 2, do you have an existing shared secret key object configured in your application domain that is in the correct format? (it should be hex encoded and begin with 0x)

    3 won't work properly since the actual output from dp:generate-uuid() contains hyphens and would be 36 characters long, not 32 bytes.

    Why do you prefer to use dp:generate-uuid() instead of dp:generate-key()? The latter function was specifically designed to generate crypto keys while the former was not.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-12T09:19:25Z  
    Hi Peter,

    I have generated the key and certificate .pem files using the DataPower crypto tool feature, created the Shared Secret Key object loading the key generated by the Crypto tool, and used that object as the "name:configuredSharedSecretKey" key in the encrypt-String() function. I'm getting the "Invalid Key length for Algorithm" error.

    When we use the session-key approach the key is generated out of the code and it has to be placed in the configuration file, so the above approach was chosen as the best.

    You mean the certificate/key should be hex encoded to form the shared secret key?

    Thanks, seeni
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-12T13:59:37Z  
    No, the .pem files and associated objects generated using the crypto tool are private/public keys used for asymmetric crypto operations. dp:encrypt-string() performs symmetric encryption, so you must use a symmetric key. The Crypto Shared Secret Key object references a file stored on the appliance that contains a symmetric key. Please see the product doc for details on shared secret objects and their format.

    You can create new symmetric keys using the extension function dp:generate-key() like you've done above, or using third-party tools like openssl.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-12T14:13:46Z  
    Hi,

    1) Tried converting the Shared Secret Key object to base64 to make it hexadecimal, but the base64-cert extension function failed to identify the object.
    <xsl:variable name="SharedSkeyObj" select="concat('name:','sharedsecretkeyobj')"/>
    <xsl:variable name="base64SSKeyObj" select="dp:base64-cert($SharedSkeyObj)" />

    2) Tried encoding the Crypto Key object to base64, then to hexadecimal, and applied it in the encrypt-String function;
    getting "Unknown key identifier".

    <xsl:variable name="configCerObj" select="concat('name:','ConfigCrypto_key_obj')"/>
    <xsl:variable name="base64KeyObj" select="dp:base64-cert($configCerObj)" />
    <xsl:variable name="hexKeyObj" select="concat('0x',dp:radix-convert($base64KeyObj, 64, 16))" />
    <xsl:variable name="hexhexobj" select="concat('hex:',$hexKeyObj)"/>
    <xsl:variable name="encryptHexData" select="dp:encrypt-string($algorithm,$hexhexobj,$password)" />

    Please let me know your thoughts.
    Thanks
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-12T14:18:16Z  
    Thanks for the input; will update after the try.
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-13T08:46:54Z  
    Generated the key using OpenSSL with the following command.
    Command used in OPENSSL is : openssl rand -hex -out 0xshrd_secret.key 32
    Generated the 0xshrd_secret.key and have uploaded to the cert directory.

    Formed the Crypto Shared Secret Key object 'openssl_hexkey'
    and used it in dp:encrypt-string(), getting the error *Invalid key length for algorithm*

    <xsl:variable name="SSkeyopensslhexObj" select="concat('name:','openssl_hexkey')"/>
    <xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$SSkeyopensslhexObj,$password)" />

    Still getting the Invalid Key Length error.
    Should I add it to the sharedcert directory?

    Thanks,
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-13T10:04:46Z  
    Addition to the above posting,
    Generated the key using openssl enc -aes-256-cbc -k secret -P -md sha1
    Received:
    salt=8638AF3906C9EA28
    key=2A7FE5C2265D43C163B57633F119513097905DE426243E155D06E82A8D7D9B76
    iv =55429509BF93DED3C23E0F21C5E5F335

    Saved the key value in the sskey256.key file without any carriage returns etc.
    Uploaded openssl_256key.key to the cert directory, formed the Crypto Shared Secret Key object and used it; still getting the "Invalid KeyLength error".

    <xsl:variable name="SSkeyopenssl256obj" select="concat('name:','openssl_256key')"/>
    <xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$SSkeyopenssl256obj,$password)" />
    Have also tried adding 0x to the key : 0x2A7FE5C2265D43C163B57633F119513097905DE426243E155D06E82A8D7D9B76

    Thanks,
    Srini
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-13T10:38:24Z  
    Hi Peter,

    Finally I was able to encrypt and decrypt; changed the key format to .p12 instead of a .key file.

    I appreciate your valuable inputs.

    Thanks, seena
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-13T11:34:50Z  
    It is very inconsistent while decrypting: it always encrypts, but while decrypting using the dp:decrypt-data() extension function it throws the error *Invalid key length (64 bytes) for algorithm 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'*.

    Have used the same Crypto Shared Secret Key object as the key.

    Thanks
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2012-09-15T16:53:51Z  
    Adding the 0x to the generated secret key will resolve the issue.

    Regards,
    Salla
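The length problems in this thread (a UUID is 36 characters, not 32 bytes, as the first reply points out; a 64-character hex key stored as plain text is 64 bytes, which matches the "Invalid key length (64 bytes)" error above; prefixing 0x so the file is read as hex is what resolved it) come down to counting the bytes AES-256 actually receives. The following is an added example, not DataPower code or anything posted in the thread: it tabulates the byte length of each key form tried here and writes out a fresh key in the "0x" + hex form the reply recommends. How each form is interpreted (raw text bytes versus decoded hex) is an assumption made for illustration; the byte counts themselves are not.

```python
"""Byte-length check for AES-256 key material in the forms tried in the thread.

Added example, not DataPower code. aes256-cbc needs exactly 32 key bytes;
the helpers below show how many bytes each candidate form really carries.
"""
from __future__ import annotations

import base64
import binascii
import secrets
import uuid

AES256_KEY_BYTES = 32  # 256-bit key


def key_bytes_from_hex_0x(text: str) -> bytes:
    """Decode a '0x'-prefixed hex string into raw key bytes (the reply's format)."""
    if not text.startswith("0x"):
        raise ValueError("expected a 0x prefix")
    return binascii.unhexlify(text[2:])


def describe_candidate(label: str, material: bytes) -> dict:
    """Report a candidate key's byte length and whether AES-256 would accept it."""
    return {
        "label": label,
        "length": len(material),
        "valid_for_aes256": len(material) == AES256_KEY_BYTES,
    }


def candidates(sample_uuid: str, hex_key: str) -> list[dict]:
    """Reproduce the key forms from the thread as the bytes a cipher would see.

    sample_uuid: a UUID string (constructed by the caller for illustration).
    hex_key: 64 hex characters without the 0x prefix.
    """
    return [
        # Approach 3 in the first post: a UUID string, 36 chars including hyphens
        describe_candidate("uuid text", sample_uuid.encode()),
        # ... base64-encoding it only makes it longer (48 chars)
        describe_candidate("base64(uuid)", base64.b64encode(sample_uuid.encode())),
        # 64 hex characters stored as text: 64 bytes, consistent with the
        # "Invalid key length (64 bytes)" error quoted in the thread
        describe_candidate("hex text, no 0x", hex_key.encode()),
        # the same hex decoded from '0x...' form: the 32 bytes AES-256 wants
        describe_candidate("0x hex decoded", key_bytes_from_hex_0x("0x" + hex_key)),
    ]


def generated_uuid_length() -> int:
    """Length of a real dp:generate-uuid()-style value: 36, never 32."""
    return len(str(uuid.uuid4()))


def new_key_file_contents() -> str:
    """Generate a fresh 256-bit key and format it as '0x' + 64 hex characters."""
    return "0x" + secrets.token_bytes(AES256_KEY_BYTES).hex()


if __name__ == "__main__":
    sample_uuid = "123e4567-e89b-12d3-a456-426614174000"  # constructed sample
    sample_hex = secrets.token_bytes(AES256_KEY_BYTES).hex()
    for row in candidates(sample_uuid, sample_hex):
        print(f"{row['label']:>16}: {row['length']:>3} bytes  ok={row['valid_for_aes256']}")
    print("key file contents:", new_key_file_contents())
```

Run it directly to see the four byte counts side by side; only the decoded "0x" form lands on 32 bytes, which is why the key file must be hex with the prefix rather than a UUID, a base64 string, or bare hex text.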
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: Password Encryption best approach.

    ‏2013-01-23T14:07:32Z  
    Further addition to that, I would want to encrypt the data outside of DataPower, either through Java or OpenSSL, using the same aes-256-cbc algorithm, and pass that encrypted text in the payload using base-64 encoding to the DataPower service, where it could decrypt it using the symmetric key from the shared secret key object.

    Getting: Data decryption failed: Invalid key length (64 bytes) for algorithm 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
    openssl enc -aes-256-cbc -in pwd.txt -out pwdenc.txt
    openssl enc -base64 -in pwdenc.txt -out pwdenc64.txt

    While encoding I have provided the password "abc" and have used the same password in generating the key to make the .p12 file to form the DataPower shared secret key object.

    openssl enc -aes-256-cbc -k abc -P -md sha1
    salt=AAC1EFE8EC0A82AD
    key=02EF88726155BFFD2959D5DCE55FD1B7A3FA517B740406BE70E4175CF80ECDF9
    iv =B74CAA890602F9D9D9303A627FE016C0

    Saved the key as a .p12 file to form the shared secret key object in DataPower, without 'key=', and appended 0x to the key.

    Any thoughts in this regard?

    Thanks,
    Srini
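The last post encrypts with `openssl enc -aes-256-cbc` and a password, then tries to decrypt on the appliance with the key= value printed by a separate `-P` run. Those two runs are not using the same key: `openssl enc` with a password derives key and IV from the password plus a fresh random salt on every invocation, and writes that salt into the output behind a "Salted__" header. The following is an added example, not OpenSSL or DataPower code: a port of OpenSSL's legacy EVP_BytesToKey derivation (the one `openssl enc` uses when -pbkdf2 is not given) with a parser for the "Salted__" layout, so the behaviour can be checked offline. The salt is taken from the post's `-k abc -P -md sha1` output; the ciphertext blob in the test is constructed. For interoperating with a raw key stored on the appliance, the OpenSSL side should encrypt with an explicit key and IV (`-K` and `-iv`) instead of a password, so no derivation and no salt header are involved; how the IV is then conveyed to the appliance is outside what this thread shows.

```python
"""Reimplementation of OpenSSL's EVP_BytesToKey, as used by `openssl enc -k`.

Added example, not OpenSSL or DataPower code. Shows that the key printed by
one `openssl enc ... -P` run depends on that run's random salt, and how the
salt is carried in the 'Salted__' header of the encrypted output.
"""
from __future__ import annotations

import hashlib
import os

SALTED_MAGIC = b"Salted__"  # openssl enc writes this, then 8 salt bytes, then ciphertext
AES256_KEY_LEN = 32
AES_BLOCK_IV_LEN = 16


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha1", count: int = 1) -> tuple[bytes, bytes]:
    """D_i = H^count(D_{i-1} || password || salt); key = first key_len bytes,
    IV = the next iv_len bytes of D_1 || D_2 || ...  (count=1 matches openssl enc)."""
    if len(salt) != 8:
        raise ValueError("openssl enc uses an 8-byte salt")
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def split_salted(blob: bytes) -> tuple[bytes, bytes]:
    """Split 'Salted__' || salt(8) || ciphertext as written by `openssl enc` with a password."""
    if not blob.startswith(SALTED_MAGIC) or len(blob) < 16:
        raise ValueError("not an openssl 'Salted__' blob")
    return blob[8:16], blob[16:]


def key_from_blob(password: bytes, blob: bytes) -> tuple[bytes, bytes, bytes]:
    """Recover (key, iv, ciphertext) from the password and a Salted__ blob:
    this is what a decrypting party needs, and a raw shared key alone cannot supply."""
    salt, ciphertext = split_salted(blob)
    key, iv = evp_bytes_to_key(password, salt, AES256_KEY_LEN, AES_BLOCK_IV_LEN)
    return key, iv, ciphertext


def keys_for_two_runs(password: bytes) -> tuple[bytes, bytes]:
    """Derive keys for two 'runs' with fresh random salts, like two separate
    `openssl enc -k` invocations; they will not match each other."""
    k1, _ = evp_bytes_to_key(password, os.urandom(8), AES256_KEY_LEN, AES_BLOCK_IV_LEN)
    k2, _ = evp_bytes_to_key(password, os.urandom(8), AES256_KEY_LEN, AES_BLOCK_IV_LEN)
    return k1, k2


# Salt printed by the thread's `openssl enc -aes-256-cbc -k abc -P -md sha1` run.
THREAD_SALT = bytes.fromhex("AAC1EFE8EC0A82AD")

if __name__ == "__main__":
    key, iv = evp_bytes_to_key(b"abc", THREAD_SALT, AES256_KEY_LEN, AES_BLOCK_IV_LEN)
    print("key =", key.hex().upper())
    print("iv  =", iv.hex().upper())
    k1, k2 = keys_for_two_runs(b"abc")
    print("two password-based runs agree on the key:", k1 == k2)
```

Running the script with the post's salt lets you compare the derived key and IV against the key= and iv= lines in the post; the second line of output shows why a key printed by one `-P` run cannot decrypt a file produced by another run with the same password.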