Dear all,
I'm a (Java) software developer and I need to create a config with an encrypted password, without the possibility of using an HPE device while creating this config.
I found this documentation about setting an encrypted password:
https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/s_setting_an_encrypted_password.html
What I've learned there is that the password should be a base64-encoded AES-256-encrypted string, but this is mainly used to save and restore an existing config. I would like to create a NEW config. Is this possible at all?
The device is an HPE Aruba switch 5406Rzl2, running software image KB.16.08.0003 (May 2 2019 19:24:36).
The commands I have executed are:
HP-Switch-5406Rzl2# erase all
<reboot etc.>
HP-Switch-5406Rzl2# configure terminal
HP-Switch-5406Rzl2(config)# encrypt-credentials pre-shared-key plaintext testkey
Save config and continue (y/n)? y
HP-Switch-5406Rzl2(config)# encrypt-credentials
**** CAUTION ****
This will encrypt all passwords and authentication keys.
<cut>
Save config and continue (y/n)? y
HP-Switch-5406Rzl2(config)# show encrypt-credentials
Encryption : Enabled
Pre-shared Key: 98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489
HP-Switch-5406Rzl2(config)# encrypted-password manager user-name testuser 79hk2jDW8AHzUYIFCh767A==
Value 79hk2jDW8AHzUYIFCh767A== is invalid.
As you can see, the device returns that the value is invalid!
The code I used to create the value is:
// 32-byte pre-shared key as printed by "show encrypt-credentials" (AES-256).
// Note: javax.xml.bind.DatatypeConverter is no longer part of the JDK from Java 11 on.
final byte[] ky = DatatypeConverter.parseHexBinary("98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489");
// 16-byte all-zero IV; a fixed IV makes identical passwords encrypt to identical values.
final byte[] iv = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
String encrypted = new Aes256cbc(ky, iv).encrypt("testpassword");
Where Aes256cbc is defined as this class:
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** AES-256-CBC with PKCS#5/PKCS#7 padding; the result is base64-encoded. */
public class Aes256cbc {
    private static final String ALGORITHM = "AES";
    private static final Logger LOGGER = LoggerFactory.getLogger(Aes256cbc.class);
    private final byte[] key; // 32 bytes selects AES-256
    private final byte[] iv;  // must be exactly 16 bytes (one AES block)

    public Aes256cbc(byte[] key, byte[] iv) {
        this.key = key;
        this.iv = iv;
    }

    public String encrypt(final String plainText) {
        // Use an explicit charset: getBytes() without one depends on the platform default.
        final byte[] plainTextAsByteArray = plainText.getBytes(StandardCharsets.UTF_8);
        final SecretKeySpec secretKey = new SecretKeySpec(key, ALGORITHM);
        final IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
        try {
            // "PKCS5Padding" in the JCE is PKCS#7 padding to the 16-byte AES block size.
            final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
            final byte[] resultAsByteArray = cipher.doFinal(plainTextAsByteArray);
            // java.util.Base64 replaces DatatypeConverter, which is not in the JDK from Java 11 on.
            return Base64.getEncoder().encodeToString(resultAsByteArray);
        } catch (GeneralSecurityException e) {
            // Fail loudly instead of returning null and sending an empty value to the device.
            LOGGER.error("encrypt", e);
            throw new IllegalStateException("AES encryption failed", e);
        }
    }
}
- Can you tell me whether or not I am making a fundamental error?
- Is what I would like to accomplish possible?
- Can you maybe give me some hints on how to encrypt a plaintext password so that it can be used to configure the device? (preferably in Java, but pseudocode or another language is fine too)
Thanks in advance!
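The post cannot tell whether the rejected value is malformed or merely built with a different IV convention than the switch expects, and the page does not say which convention the switch uses. The following is an added example, not code from the post or from HPE, written in Go because everything it needs is in the standard library. It re-creates the post's construction (AES-256-CBC, PKCS#7 padding, base64) and then runs a base64 blob through two candidate layouts: "zero-iv" (ciphertext only, all-zero IV, exactly what the post's Java does) and "iv-prefixed" (a random IV stored in front of the ciphertext). Both layouts are assumptions made for this probe, not documented switch formats. The input it is meant for is an encrypted-password value copied from the running-config of a switch that already has encrypt-credentials enabled, together with the pre-shared key shown by show encrypt-credentials; a layout whose decryption yields valid padding and printable text is the one to reproduce. The key and password used below are the ones from the post; the blobs are constructed locally.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"strings"
)

// pkcs7Pad pads to the AES block size; the JCE's "PKCS5Padding" is the same scheme.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding from a block-aligned buffer and rejects anything malformed.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := len(b)
	if n == 0 || n%aes.BlockSize != 0 || b[n-1] == 0 || int(b[n-1]) > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	p := int(b[n-1])
	for _, c := range b[n-p:] {
		if int(c) != p {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:n-p], nil
}

// encryptCBC is the construction from the post with the IV passed in explicitly.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	buf := pkcs7Pad(plaintext)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	return buf, nil
}

// EncryptZeroIV reproduces the post exactly: all-zero IV, base64 of the ciphertext only.
func EncryptZeroIV(key, plaintext []byte) (string, error) {
	ct, err := encryptCBC(key, make([]byte, aes.BlockSize), plaintext)
	return base64.StdEncoding.EncodeToString(ct), err
}

// EncryptIVPrefixed draws a random IV and stores it in front of the ciphertext,
// the usual way to avoid a fixed IV (assumed layout, not a documented one).
func EncryptIVPrefixed(key, plaintext []byte) (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct, err := encryptCBC(key, iv, plaintext)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), err
}

// notPrintable flags anything outside printable ASCII; it weeds out decryptions
// whose padding happens to check out by chance under a wrong layout.
func notPrintable(r rune) bool { return r < 0x20 || r > 0x7e }

// Probe decrypts blobB64 under each candidate layout with the hex key and returns
// layout -> plaintext for every layout that yields well-padded printable text.
// Both layouts ("zero-iv", "iv-prefixed") are assumptions, not switch formats.
func Probe(keyHex, blobB64 string) (map[string]string, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key must be 64 hex chars (32 bytes) for AES-256")
	}
	blob, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil || len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not valid base64 of whole AES blocks")
	}
	block, _ := aes.NewCipher(key)
	type candidate struct {
		layout string
		iv, ct []byte
	}
	cands := []candidate{{"zero-iv", make([]byte, aes.BlockSize), blob}}
	if len(blob) >= 2*aes.BlockSize {
		cands = append(cands, candidate{"iv-prefixed", blob[:aes.BlockSize], blob[aes.BlockSize:]})
	}
	hits := map[string]string{}
	for _, c := range cands {
		pt := make([]byte, len(c.ct))
		cipher.NewCBCDecrypter(block, c.iv).CryptBlocks(pt, c.ct)
		unp, err := pkcs7Unpad(pt)
		if err == nil && len(unp) > 0 && strings.IndexFunc(string(unp), notPrintable) < 0 {
			hits[c.layout] = string(unp)
		}
	}
	return hits, nil
}
```

A blob that probes clean under neither layout (or under a wrong key) comes back as an empty map, which is the same signal a padding error gives in Java; a two-block zero-IV blob will also decrypt its second block under "iv-prefixed", so when both layouts hit, the one returning the whole password is the right one.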