Topic
11 replies Latest Post - ‏2013-01-23T14:07:32Z by SystemAdmin
SystemAdmin
SystemAdmin
6772 Posts
ACCEPTED ANSWER

Pinned topic Password Encryption best approach.

‏2012-09-11T13:56:58Z |
Hi,

I am trying to encrypt the password using the dp:encrypt-string(algorithm,key,text) extension function. The algorithm is "http://www.w3.org/2001/04/xmlenc#aes256-cbc".
Key used is dp:generate-key('http://www.w3.org/2001/04/xmlenc#aes256-cbc')

It works with the above procedure, but I would want to use a key generated from dp:generate-uuid() and encoded to base64 using dp:encode(string, method).

I am getting "invalid key length for algorithm" exception.

Working with the below approach.
<xsl:variable name="pwd"><xsl:value-of select="//*"/></xsl:variable>
<xsl:variable name="algorithm" select="'http://www.w3.org/2001/04/xmlenc#aes256-cbc'"/>
<xsl:variable name="session-key" select="dp:generate-key('http://www.w3.org/2001/04/xmlenc#aes256-cbc')"/>
<xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$session-key,$pwd)"/>

Failed with the below approaches:

2) <xsl:variable name="session-key" select="concat('name:','CryptoKeyConfigured')"/>
<xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$session-key,$pwd)"/>

3) <xsl:variable name="uuidGenerate" select="dp:generate-uuid()"/>

<xsl:variable name="session-key_uid" select="dp:encode($uuidGenerate,'base-64')"/>
<xsl:variable name="session-key" select="concat('key:',$session-key_uid)"/>
<xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$session-key,$pwd)"/>
Please let me know your thoughts.

Thanks,
Updated on 2013-01-23T14:07:32Z at 2013-01-23T14:07:32Z by SystemAdmin
  • SystemAdmin

    Re: Password Encryption best approach.

    ‏2012-09-11T14:55:02Z  in response to SystemAdmin
    Hi

    For 2, do you have an existing shared secret key object configured in your application domain that is in the correct format? (it should be hex encoded and begin with 0x)

    3 won't work properly since the actual output from dp:generate-uuid() contains hyphens and would be 36 characters long, not 32 bytes.

    Why do you prefer to use dp:generate-uuid() instead of dp:generate-key()? The latter function was specifically designed to generate crypto keys while the former was not.
    • SystemAdmin

      Re: Password Encryption best approach.

      ‏2012-09-12T09:19:25Z  in response to SystemAdmin
      Hi Peter,

      I have generated the key and certificate .pem files using the DataPower crypto tool feature, created the Shared Secret Key object loading the key generated by the Crypto tool, and used that object as the "name:configuredSharedSecretKey" key in the encrypt-String() function. I am getting the "Invalid Key length for Algorithm" error.

      When we use the session-key approach the key is generated by the code and it has to be placed in the configuration file, so the above approach was chosen as the best.

      You mean the certificate/key should be hex encoded to form the shared secret key?

      Thanks, seeni
      • SystemAdmin

        Re: Password Encryption best approach.

        ‏2012-09-12T13:59:37Z  in response to SystemAdmin
        No, the .pem files and associated objects generated using the crypto tool are private/public keys used for asymmetric crypto operations. dp:encrypt-string() performs symmetric encryption so you must use a symmetric key. The Crypto Shared Secret Key object references a file stored on the appliance that contains a symmetric key. Please see the product doc for details on shared secret objects and their format.

        You can create new symmetric keys using the extension function dp:generate-key() like you've done above, or using third-party tools like openssl.
      • SystemAdmin

        Re: Password Encryption best approach.

        ‏2012-09-12T14:13:46Z  in response to SystemAdmin
        Hi,

        1) Tried converting the Shared Secret Key object to base64 to make it hexadecimal, but failed to identify the object with the base64-cert extension function.
        <xsl:variable name="SharedSkeyObj" select="concat('name:','sharedsecretkeyobj')"/>
        <xsl:variable name="base64SSKeyObj" select="dp:base64-cert($SharedSkeyObj)" />

        2) Tried with the CryptoKey object encoded to base64 and then to hexadecimal, and applied that in the encrypt-String function;
        getting "Unknown key identifier".

        <xsl:variable name="configCerObj" select="concat('name:','ConfigCrypto_key_obj')"/>
        <xsl:variable name="base64KeyObj" select="dp:base64-cert($configCerObj)" />
        <xsl:variable name="hexKeyObj" select="concat('0x',dp:radix-convert($base64KeyObj, 64, 16))" />
        <xsl:variable name="hexhexobj" select="concat('hex:',$hexKeyObj)"/>
        <xsl:variable name="encryptHexData" select="dp:encrypt-string($algorithm,$hexhexobj,$password)" />

        Please let me know your thoughts.
        Thanks
        • SystemAdmin

          Re: Password Encryption best approach.

          ‏2012-09-12T14:18:16Z  in response to SystemAdmin
          Thanks for the input will update after the try.
          • SystemAdmin

            Re: Password Encryption best approach.

            ‏2012-09-13T08:46:54Z  in response to SystemAdmin
            Generated the key using OpenSSL with the following command.
            Command used in OpenSSL is: openssl rand -hex -out 0xshrd_secret.key 32
            Generated the 0xshrd_secret.key and have uploaded it to the cert directory.

            Formed the Crypto Shared Secret Key object 'openssl_hexkey'
            and used it in dp:encrypt-string(), getting the error *Invalid key length for algorithm*:

            <xsl:variable name="SSkeyopensslhexObj" select="concat('name:','openssl_hexkey')"/>
            <xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$SSkeyopensslhexObj,$password)" />

            Still getting the Invalid Key Length error.
            Should I add it to the sharedcert directory?

            Thanks,
            • SystemAdmin

              Re: Password Encryption best approach.

              ‏2012-09-13T10:04:46Z  in response to SystemAdmin
              Addition to the above posting,
              Generated the key using openssl enc -aes-256-cbc -k secret -P -md sha1
              Received:
              salt=8638AF3906C9EA28
              key=2A7FE5C2265D43C163B57633F119513097905DE426243E155D06E82A8D7D9B76
              iv =55429509BF93DED3C23E0F21C5E5F335

              Saved the key value in the sskey256.key file without any carriage returns etc.
              Uploaded the openssl_256key.key to the cert directory, formed the Crypto Shared Secret Key object and used it; still getting the "Invalid KeyLength" error.

              <xsl:variable name="SSkeyopenssl256obj" select="concat('name:','openssl_256key')"/>
              <xsl:variable name="encryptedpwd" select="dp:encrypt-string($algorithm,$SSkeyopenssl256obj,$password)" />
              Have also tried adding 0x to the key: 0x2A7FE5C2265D43C163B57633F119513097905DE426243E155D06E82A8D7D9B76

              Thanks,
              Srini
              • SystemAdmin

                Re: Password Encryption best approach.

                ‏2012-09-13T10:38:24Z  in response to SystemAdmin
                Hi Peter,

                Finally I was able to encrypt and decrypt; I changed the key format to .p12 instead of a .key file.

                I appreciate your valuable inputs.

                Thanks, seena
                • SystemAdmin

                  Re: Password Encryption best approach.

                  ‏2012-09-13T11:34:50Z  in response to SystemAdmin
                  It is very inconsistent while decrypting: it always encrypts, but while decrypting using the dp:decrypt-data() extension function it throws the error *Invalid key length (64 bytes) for algorithm 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'*.

                  Have used the same Crypto Shared Secret Key object as the key.

                  Thanks
                  • SystemAdmin

                    Re: Password Encryption best approach.

                    ‏2012-09-15T16:53:51Z  in response to SystemAdmin
                    Adding the 0x to the generated secret key will resolve the issue.

                    Regards,
                    Salla
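The replies above converge on the shared-secret file format: for aes256-cbc the key must be 32 raw bytes, and the file holds those bytes as "0x" followed by 64 hex digits. Without the prefix the 64 hex characters are taken as 64 raw bytes, which is exactly the "Invalid key length (64 bytes)" error quoted in the thread, and a hyphenated UUID is 36 raw bytes. The Python below is an added example, not code from the thread or from IBM: it generates a key the way openssl rand does, formats the file text, and models the length check. The model of how the file is read (0x-prefixed hex decoded, anything else raw) is an inference from the error messages in this thread, not documented DataPower behaviour; check the product doc for the authoritative format.

```python
import os
import re

# Key size in bytes for each xmlenc block-cipher algorithm URI.
# aes256-cbc is the one used in the thread; the others are the standard xmlenc sizes.
KEY_BYTES = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": 16,
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc": 24,
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": 32,
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": 24,
}

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def new_shared_secret(num_bytes=32):
    """Fresh random symmetric key bytes, equivalent to 'openssl rand 32'."""
    return os.urandom(num_bytes)


def shared_secret_file_text(key):
    """Text to store in the shared-secret file: '0x' + hex of the key, no trailing
    newline (the poster who got it working stored the value without line endings)."""
    return "0x" + key.hex()


def key_material(file_text):
    """Assumed reading of the file contents (inferred from the thread's errors):
    '0x' + even-length hex decodes to the underlying bytes; anything else is used
    as raw bytes, so 64 hex characters without the prefix count as 64 bytes."""
    body = file_text[2:] if file_text[:2].lower() == "0x" else None
    if body is not None and HEX_RE.match(body) and len(body) % 2 == 0:
        return bytes.fromhex(body)
    return file_text.encode("utf-8")


def check_key(file_text, algorithm):
    """'ok' if the decoded key fits the algorithm, else an error string shaped
    like the one quoted in the thread."""
    want = KEY_BYTES[algorithm]
    have = len(key_material(file_text))
    if have != want:
        return f"Invalid key length ({have} bytes) for algorithm '{algorithm}'"
    return "ok"


if __name__ == "__main__":
    aes256 = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
    key = new_shared_secret()
    text = shared_secret_file_text(key)
    print(text, "->", check_key(text, aes256))
    # The same 64 hex digits without the 0x prefix reproduce the 64-byte error.
    print(key.hex(), "->", check_key(key.hex(), aes256))
    # A hyphenated UUID (as dp:generate-uuid() returns) is 36 raw bytes.
    print(check_key("550e8400-e29b-41d4-a716-446655440000", aes256))
```

The check is run against the key file text before it is uploaded, so a wrong prefix or a key of the wrong size is caught on the workstation rather than at request time.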
                    • SystemAdmin

                      Re: Password Encryption best approach.

                      ‏2013-01-23T14:07:32Z  in response to SystemAdmin
                      Further addition to that, I would want to encrypt the data outside of DataPower, either through Java or OpenSSL, using the same aes-256-cbc algorithm, and pass that encrypted text in the payload using base-64 encoding to the DataPower service, where it could decrypt it with the symmetric key using the shared secret key object.

                      Getting: Data decryption failed: Invalid key length (64 bytes) for algorithm 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
                      openssl enc -aes-256-cbc -in pwd.txt -out pwdenc.txt
                      openssl enc -base64 -in pwdenc.txt -out pwdenc64.txt

                      While encoding I have provided the password "abc" and have used the same password in generating the key to make the .p12 file to form the DataPower shared secret key object.

                      openssl enc -aes-256-cbc -k abc -P -md sha1
                      salt=AAC1EFE8EC0A82AD
                      key=02EF88726155BFFD2959D5DCE55FD1B7A3FA517B740406BE70E4175CF80ECDF9
                      iv =B74CAA890602F9D9D9303A627FE016C0

                      Saved the key as a .p12 file to form the shared secret key object in DataPower, without 'key=' and with 0x appended to the key.

                      Any thoughts in this regard?

                      Thanks,
                      Srini
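The last post pairs two OpenSSL runs that do not share a key. `openssl enc -aes-256-cbc -k abc -P -md sha1` prints a key and IV derived from the password and a salt it picks at random for that run; `openssl enc -aes-256-cbc -in pwd.txt -out pwdenc.txt` picks a fresh random salt, derives a different key, and writes `Salted__` plus that 8-byte salt ahead of the ciphertext. So the key copied into the shared-secret file is not the key that encrypted pwdenc.txt unless the salt is pinned with `-S`, or the raw key and IV are passed directly with `-K` and `-iv` (no salt, no header). The Python below is an added example, not code from the thread: it reimplements OpenSSL's EVP_BytesToKey derivation (count 1, as `openssl enc` uses it) so the effect can be seen offline. The sample salt values are the ones quoted in the thread; the ciphertext bytes are constructed stand-ins. What byte layout dp:decrypt-data() expects for the IV and ciphertext is not covered by this thread and should be taken from the product doc.

```python
import hashlib
import os

SALTED_MAGIC = b"Salted__"  # header 'openssl enc -k/-pass' writes before the ciphertext


def evp_bytes_to_key(password, salt, md="sha1", key_len=32, iv_len=16):
    """OpenSSL EVP_BytesToKey with count=1, as 'openssl enc -k <pass> -md <md>' uses it:
    D1 = H(password||salt), Di = H(D(i-1)||password||salt); key||iv = first key_len+iv_len bytes.
    OpenSSL's default digest moved from md5 (1.0.x) to sha256 (1.1.0+), which is why pinning
    -md, as the poster did, keeps the derivation reproducible across versions."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def salt_from_enc_output(blob):
    """Return the 8-byte salt from an 'openssl enc' output, or None if there is no header."""
    if len(blob) < 16 or blob[:8] != SALTED_MAGIC:
        return None
    return blob[8:16]


def key_for_enc_output(password, blob, md="sha1"):
    """Key/IV that actually encrypted a given 'openssl enc -k' output: they follow the salt
    stored in that output, not the salt printed by an earlier '-P' run."""
    salt = salt_from_enc_output(blob)
    if salt is None:
        return None
    return evp_bytes_to_key(password, salt, md)


def derived_keys_match(password, salt_a, salt_b, md="sha1"):
    """True only if two salts derive the same key; with distinct random salts this is False."""
    return evp_bytes_to_key(password, salt_a, md)[0] == evp_bytes_to_key(password, salt_b, md)[0]


if __name__ == "__main__":
    # Salt and key quoted in the thread's last post (openssl enc -aes-256-cbc -k abc -P -md sha1).
    forum_salt = bytes.fromhex("AAC1EFE8EC0A82AD")
    forum_key = "02EF88726155BFFD2959D5DCE55FD1B7A3FA517B740406BE70E4175CF80ECDF9"
    key, iv = evp_bytes_to_key(b"abc", forum_salt)
    print("derived key equals the -P output:", key.hex().upper() == forum_key)
    # A constructed 'openssl enc' output with its own random salt: a different key was used.
    blob = SALTED_MAGIC + os.urandom(8) + b"\x00" * 16   # 16 zero bytes stand in for ciphertext
    key2, iv2 = key_for_enc_output(b"abc", blob)
    print("same key as the -P run:", key2 == key)
    print("pass this to openssl enc -K / -iv to reuse a fixed key:", key.hex(), iv.hex())
```

To keep both sides on one key, generate the 32 raw bytes once, store them as the 0x-prefixed shared secret on the appliance, and encrypt outside with `openssl enc -aes-256-cbc -K <hex key> -iv <hex iv>`; the password-plus-salt path only reproduces a key when the salt is fixed with `-S`.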