HP-Switch-5406Rzl2 - Set encrypted-password - Value is invalid

Dear all,

I'm a (Java) software developer and I need to create a config with an encrypted password, without the possibility to use an HPE device while creating this config.

I found this documentation about setting an encrypted password:

https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/s_setting_an_encrypted_password.html

What I've learned there is that the password should be a base64-encoded, AES-256-encrypted string, but this is mainly used to save and restore an existing config. I would like to create a NEW config. Is this possible at all?

The device is an HPE Aruba switch 5406Rzl2, running as software image: KB.16.08.0003 (May  2 2019 19:24:36)

The commands I have executed are:

HP-Switch-5406Rzl2# erase all
<reboot etc.>
HP-Switch-5406Rzl2# configure terminal
HP-Switch-5406Rzl2(config)# encrypt-credentials pre-shared-key plaintext testkey
Save config and continue (y/n)? y
HP-Switch-5406Rzl2(config)# encrypt-credentials

                              **** CAUTION ****

This will encrypt all passwords and authentication keys.
<cut>
Save config and continue (y/n)? y

HP-Switch-5406Rzl2(config)# show encrypt-credentials

Encryption    : Enabled
Pre-shared Key: 98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489

HP-Switch-5406Rzl2(config)# encrypted-password manager user-name testuser 79hk2jDW8AHzUYIFCh767A==
Value 79hk2jDW8AHzUYIFCh767A== is invalid.

As you can see, the device returns that the value is invalid!

The code I used to create the value is:

// Key bytes: the hex string printed by "show encrypt-credentials" above
final byte[] ky = DatatypeConverter.parseHexBinary("98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489");
// All-zero 16-byte IV
final byte[] iv = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
String encrypted = new Aes256cbc(ky, iv).encrypt("testpassword");

Where Aes256cbc is defined as this class:

import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** AES in CBC mode with PKCS5 padding; the result is returned as a base64 string. */
public class Aes256cbc {
    private static final String ALGORITHM = "AES";
    private static final Logger LOGGER = LoggerFactory.getLogger(Aes256cbc.class);

    private final byte[] key;
    private final byte[] iv;

    // A 32-byte key selects AES-256; the IV must be 16 bytes (one AES block).
    public Aes256cbc(byte[] key, byte[] iv) {
        this.key = key;
        this.iv = iv;
    }

    public String encrypt(final String plainText) {
        // Explicit charset so the result does not depend on the platform default
        final byte[] plainTextAsByteArray = plainText.getBytes(StandardCharsets.UTF_8);
        final SecretKeySpec secretKey = new SecretKeySpec(key, ALGORITHM);
        final IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);

        byte[] resultAsBytearray = null;

        try {
            final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
            resultAsBytearray = cipher.doFinal(plainTextAsByteArray);
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException e) {
            // Any failure is logged and the method falls through to return null
            LOGGER.error("encrypt", e);
        }

        return resultAsBytearray != null ? DatatypeConverter.printBase64Binary(resultAsBytearray) : null;
    }
}

  • Can you tell me whether or not I am making a fundamental error?
  • Is what I would like to accomplish possible?
  • Can you maybe give me some hints to fulfill my need to encrypt a plaintext password, which can be used to configure the device? (preferably in Java, but a pseudo/other language is ok too)

Thanks in advance!
