cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1774
Views
0
Helpful
0
Replies

ASR5500, StarOS v21.11, Header Enrichment, AES-256-GCM-SHA384, encryption/decryption

Max_Sutormin
Level 1
Level 1

I went through the documentation and also had a few conversations with my colleagues but it is still unclear how exactly AES-256-GCM-SHA384 works.

 

Here's my understanding of what we need to encrypt and decrypt when we use AES-256-GCM.

 

1) To encrypt we need:

- key (32 bytes), probably derived from passPhrase and salt

- iv (12 bytes, typically), probably derived from passPhrase and salt

- plainText

And as a result I would expect to get: 

- authentication tag (16 bytes)

- cipherText

 

2) To decrypt we need:

- key (32 bytes)

- iv (12 bytes, typically)

- authentication tag (16 bytes)

- cipherText

And as a result I would expect to get:

- plainText

 

================================

Here's what I see in the documentation:

================================

 

"For AES-GCM encryption, use the optional salt flag. This flag is used to randomize the keys, which are generated from the passphrase, and the Initialization Vectors (IV)."

Does it mean that "key" and "iv" is derived from passphrase and salt?

 

"In AES-256-GCM-SHA384 encryption, the SHA384 hash of the key, which is 384 bits value, is used to encrypt the value using the AES-GCM algorithm. The base 64 of this encrypted value is then inserted in the x-header."

How come the hash is used (48 bytes), whereas the key must be 32 bytes? 

_____________________________

https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/21-11_6-5/ECS-Admin/21-11-ECS-Admin/21-11-ECS-Admin_chapter_011010.html#id_39217

 

***

 

encryption aes-256-gcm-sha384 [ salt ] [ encrypted ] key key

"Use aes-256-gcm-sha384 option to encrypt the x-header fields with AES-256-GCM algorithm and SHA384 to hash key in 384 bits.

Use the [ salt ] option for enhanced security. Use this additional option by generating new key each time the x-header is encrypted.

Use key option to enter the key that is used to encrypt and decrypt the x-header string. The key length for AES-256-GCM-SHA384 algorithm is 32 characters, which is equal to 256 bits."

_____________________________

https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/21-14_6-8/CLI/A-B/21-14-A-B_CLI_Reference/21-14-A-B_CLI_Reference_chapter_01001.html

 

 

So my questions are:

- what is used to encrypt? "key" and "iv"?

- what is the length of the "key"? 32 bytes?

- what is the length of "iv"? 12 bytes?

- how is "key" generated? the first 32 bytes of sha384 hash of "salt" + "passPhrase"?

- how is "iv" generated? some bytes of of sha384 hash of "salt" + "passPhrase"?

- what is "passPhrase" in relation to the config, because in the config I see only "key"?

- what is inserted into the header after the encryption? base64_encode("salt"+"auth_tag"+"cipherText")?

 

Thank you!

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: