
HP-Switch-5406Rzl2 - Set encrypted-password - Value is invalid

    Posted Jul 23, 2020 10:27 AM

    Dear all,


    I'm a (java) software developer and I need to create a config with an encrypted password, without the possibility to use an HPE device while creating this config.


    I found this documentation about setting an encrypted password:

    https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/s_setting_an_encrypted_password.html

    What I've learned there is that the password should be a base64-encoded aes256-encrypted string, but this is mainly used to save and restore an existing config. I would create a NEW config. Is this possible at all?


    The device is an HPE Aruba switch 5406Rzl2, running as software image: KB.16.08.0003 (May  2 2019 19:24:36)


    The commands I have executed are:


    HP-Switch-5406Rzl2# erase all
    <reboot etc.>
    HP-Switch-5406Rzl2# configure terminal
    HP-Switch-5406Rzl2(config)# encrypt-credentials pre-shared-key plaintext testkey
    Save config and continue (y/n)? y
    HP-Switch-5406Rzl2(config)# encrypt-credentials

                                  **** CAUTION ****

    This will encrypt all passwords and authentication keys.
    <cut>
    Save config and continue (y/n)? y

    HP-Switch-5406Rzl2(config)# show encrypt-credentials

    Encryption    : Enabled
    Pre-shared Key: 98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489

    HP-Switch-5406Rzl2(config)# encrypted-password manager user-name testuser 79hk2jDW8AHzUYIFCh767A==
    Value 79hk2jDW8AHzUYIFCh767A== is invalid.


    As you can see, the device returns that the value is invalid!


    The code I used to create the value is:


    // Key: the 64 hex characters shown by "show encrypt-credentials", i.e. 32 bytes = AES-256.
    // Note: javax.xml.bind.DatatypeConverter is no longer part of the JDK from Java 11 on; the java.xml.bind (JAXB) module must be on the classpath.
    final byte[] ky = DatatypeConverter.parseHexBinary("98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489");
    // IV: one AES block (16 bytes), set to all zeros here.
    final byte[] iv = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
    String encrypted = new Aes256cbc(ky, iv).encrypt("testpassword");


    Where Aes256cbc is defined as this class:


    import java.nio.charset.StandardCharsets;
    import java.security.InvalidAlgorithmParameterException;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;
    
    import javax.crypto.BadPaddingException;
    import javax.crypto.Cipher;
    import javax.crypto.IllegalBlockSizeException;
    import javax.crypto.NoSuchPaddingException;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    
    public class Aes256cbc {
        private static final String ALGORITHM = "AES";
        private static final Logger LOGGER = LoggerFactory.getLogger(Aes256cbc.class);
        
        private final byte[] key; // 32 bytes for AES-256
        private final byte[] iv;  // 16 bytes, one AES block
    
        public Aes256cbc(byte[] key, byte[] iv) {
            this.key = key;
            this.iv = iv;
        }
    
        /** AES-256-CBC with PKCS#5 padding; returns the ciphertext as base64, or null if encryption failed. */
        public String encrypt(final String plainText) {
            // Use an explicit charset so the encrypted bytes do not depend on the platform default encoding.
            final byte[] plainTextAsByteArray = plainText.getBytes(StandardCharsets.UTF_8);
            final SecretKeySpec secretKey = new SecretKeySpec(key, ALGORITHM);
            final IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
            
            byte[] resultAsBytearray = null;
    
            try {
                final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
                cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
                resultAsBytearray = cipher.doFinal(plainTextAsByteArray);
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException
                    | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException e) {
                LOGGER.error("encrypt", e);
            }
    
            // java.util.Base64 (JDK 8+) replaces DatatypeConverter.printBase64Binary, which left the JDK in Java 11.
            return resultAsBytearray != null ? Base64.getEncoder().encodeToString(resultAsBytearray) : null;
        }
    }


    • Can you tell me whether or not I make a fundamental error?
    • Is it possible what I would like to accomplish?
    • Can you maybe give me some hints to fulfill my need to encrypt a plaintext password, which can be used to configure the device? (preferably in java, but a pseudo/other language is ok too)


    Thanks in advance!
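Editor's note, with an added example that is not the poster's code and not from HPE: before concluding that the switch's format differs, it helps to confirm that the Java side is self-consistent, i.e. that the produced value decrypts back to the plaintext with the same key and IV, that the key is really 32 bytes and the IV 16 bytes, and that the ciphertext has the length the post shows (a 12-byte plaintext pads to one 16-byte block, which base64-encodes to 24 characters ending in "=="). The program below does that round trip using only the JDK. It carries over two assumptions from the post that the page does not confirm: that the switch uses the 64 hex characters printed by `show encrypt-credentials` directly as the AES-256 key, and that the IV is all zeros. The class name `Aes256CbcRoundTrip` and the helper `hexToBytes` are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Aes256CbcRoundTrip {
    // Pre-shared key exactly as printed by "show encrypt-credentials" in the post above.
    static final String KEY_HEX = "98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489";
    // The value the switch rejected, taken from the post, used only for comparison.
    static final String REJECTED_VALUE = "79hk2jDW8AHzUYIFCh767A==";

    // Hex decoder using only the JDK (no javax.xml.bind dependency).
    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Builds an AES/CBC/PKCS5Padding cipher after checking the key and IV sizes explicitly,
    // so a wrong-length key fails with a clear message instead of a generic InvalidKeyException.
    static Cipher cipherFor(int mode, byte[] key, byte[] iv) throws GeneralSecurityException {
        if (key.length != 32) {
            throw new IllegalArgumentException("AES-256 needs a 32-byte key, got " + key.length);
        }
        if (iv.length != 16) {
            throw new IllegalArgumentException("AES-CBC needs a 16-byte IV, got " + iv.length);
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return cipher;
    }

    static String encrypt(String plain, byte[] key, byte[] iv) throws GeneralSecurityException {
        byte[] ct = cipherFor(Cipher.ENCRYPT_MODE, key, iv).doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    static String decrypt(String base64, byte[] key, byte[] iv) throws GeneralSecurityException {
        byte[] pt = cipherFor(Cipher.DECRYPT_MODE, key, iv).doFinal(Base64.getDecoder().decode(base64));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] key = hexToBytes(KEY_HEX);
        byte[] zeroIv = new byte[16]; // assumption carried over from the post: all-zero IV

        String value = encrypt("testpassword", key, zeroIv);
        System.out.println("encrypted            : " + value);
        System.out.println("same as post's value : " + value.equals(REJECTED_VALUE));

        // 12-byte plaintext + PKCS#5 padding = one 16-byte block; base64 of 16 bytes is 24 chars.
        System.out.println("ciphertext bytes     : " + Base64.getDecoder().decode(value).length);

        // If this prints "testpassword", the Java encryption is internally consistent and the
        // rejection must come from what the switch expects (key derivation, IV, or encoding),
        // which the documentation linked in the post does not spell out.
        System.out.println("round trip           : " + decrypt(value, key, zeroIv));
    }
}
```

Run it with `javac Aes256CbcRoundTrip.java && java Aes256CbcRoundTrip`. A successful round trip narrows the problem to the device's expected input format rather than the cipher call; what that format is (whether the printed pre-shared key is used as-is or run through a key-derivation step, and which IV the device applies) is not stated on this page and would need confirmation from HPE documentation or support.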