"For AES-GCM encryption, use the optional salt flag. This flag is used to randomize the keys, which are generated from the passphrase, and the Initialization Vectors (IV)."
"In AES-256-GCM-SHA384 encryption, the SHA384 hash of the key, which is 384 bits value, is used to encrypt the value using the AES-GCM algorithm. The base 64 of this encrypted value is then inserted in the x-header."
Here's how AES-256-GCM-sha384 probably works:
0) Initial data What we are given to perform encryption is the following: - passPhrase, salt, plainText. - "passPhrase" is set in the config and is constant (important: "passPhrase" is defined in the config as "key"). - "salt" is random 8-byte long string, which is generated before every encryption. - "plainText" is 9-digit MSISDN (e.g. "502160992").
1) Hashing sha384_hash(salt + passPhrase) - the input to the hash fucntion is concatination of "salt" and "passPhrase". - the order is important, "salt" goes first, then "passPhrase". - the output of the hash function is 48 bytes long. - KEY is the first 32 bytes of the 48 bytes. (a) IV is the following 12 bytes (4 last bytes are dropped). (b) alternatively IV is the rest of the hash (16 bytes).
2) Encryption aes_256_gcm_encrypt(KEY, IV, plainText) - the input to the encryption function is KEY, IV and "plainText". - KEY.length is 32 bytes. - IV.length is 12 bytes (or alternatively, 16 bytes). - the output is "chipherText" and "authTag". - authTag.length is 16 bytes.
3) Encoding base64_encode(salt + authTag + chipherText) - the input to the base64 encoding fucntion is concatination of "salt", "authTag", and "chipherText". - the order is important, "salt" goes first, then "authTag", and "chipherText" at the end. - salt.length is 8 bytes. - authTag.length is 16 bytes. - chipherText.length is the rest (11 bytes, given "plainText" is 9-digit MSISDN). - the output is base64 encoded string, which is sent as "X-MSISDN" header value.
Here's some pseudo code for easier reading:
salt = ... //salt is randomly generated before every encryption, length is 8 bytes.
passPhrase = ... // passPhrase is constant, length might differ.
hash = hash_sha384(concatenate[salt, passPhrase]) // hash length is 48 bytes.
KEY = hash.slice(0,32) // KEY length is 32 bytes.
IV = hash.slice(32,44) // IV length is 12 bytes (alternately it might be 16 bytes).
cipherText = aes_256_gcm(KEY, IV, plainText) // chipherText length is 11 bytes, given that plainText length is 9 bytes.
authTag = aes_256_gcm(KEY, IV, plainText).getAuthTag() //authTag length is 16 bytes.
Are you ready for Cisco Live, Melbourne? Either way, join us for the first ever #CiscoChat LIVE! from Australia. We’ve gathered up a fantastic cast of characters to chat with you about security, wireless, mobility, 49ers, Vegemite, and security. Mostly se...
Join us for the first ever #CiscoChat LIVE from Australia on Thursday, February 28 at 3 pm PT (that's Friday, March 1 at 10 am AERT).
We’ve gathered up a fantastic cast of characters to chat with you about security, wireless, mobility, 49ers, Vegem...
This November we announced a number of partners that joined the Cisco Security Technical Alliance (CSTA). From that list, we had five new partners that are adopting pxGrid—CloudPost Networks, DB Networks, Securonix, TriagingX and WireX Systems are adoptin...
The pxGrid development team launched a series of video tutorials that you can use to learn how to integrate your application into pxGrid. This 8-part tutorial series helps kickstart your development effort by starting with the basics of pxGrid and m...
Cisco pxGrid has come a long way since it was launched as part of Cisco ISE 1.3. As of today, we have over 40 vendors adopting pxGrid with more joining in our next launch targeted for January 2017. Our last launch in June this year saw UBA, CASB and Netwo...