09-07-2010 01:45 AM - edited 03-21-2019 09:29 AM
Currently we provision our customers' adaptors by providing each adaptor the address of a TFTP server as part of the DHCP response. The config files reside on the server but presently in unencrypted form. How can we encrypt these and still have the adaptor understand them? The documentation does give a couple of hints but is confusing and seems to assume an https solution, which isn't really appropriate given the TFTP solution we use (we could change, but it is an upheaval I would rather avoid - I'd rather simply provide encrypted files on the TFTP server).
10-08-2010 12:33 AM
I've created the files. Those should work.
I've used these commands.
gzip 00259c6d0845.xml
openssl enc -e -aes-256-cbc -k 123456789 -in 00259c6d0845.xml.gz -out 00259c6d0845.cfg
in the specific ATA box set this as a profile rule:
[--key 123456789]tftp://addresstotftp/$MA.cfg
(change also these settings so the "download" goes faster
-
-
in the webgui)
btw.
i see that one of the files got renamed from 00259c6d0845.cfg to 00259c6d0845.cfg.zip
remember to rename the file back to .cfg
10-08-2010 12:39 AM
btw. the cfg file can be decompiled using these commands
openssl enc -d -aes-256-cbc -k 123456789 -in 00259c6d0845.cfg -out 00259c6d0845.xml.gz
uncompress 00259c6d0845.xml.gz
You should then be able to read the XML file. I've tested it here and it works on those files.
10-17-2010 11:51 PM
I've created the files. Those should work.
I've used these commands.
gzip 00259c6d0845.xml
openssl enc -e -aes-256-cbc -k 123456789 -in 00259c6d0845.xml.gz -out 00259c6d0845.cfg
in the specific ATA box set this as a profile rule:
[--key 123456789]tftp://addresstotftp/$MA.cfg
Thanks, but if you read the rest of the thread, Alberto says you can use the MAC as the passphrase for en/decryption. I guess from your own experiences you found this wasn't true and that is why you are using the [--key 123456789]?
We basically have a number of config files, each "pointing" to the next. That is, init.cfg has a profile_rule_b entry that points to ata_linksys_$PN.cfg, which in turn contains a profile_rule_c entry pointing to $MA.cfg. Even if I can somehow add something to the profile_rule_c entry to indicate the passphrase, that does not seem any more secure than leaving the file unencrypted on the TFTP server (since the previous files are unencrypted and would have the passphrase in cleartext in them).
This entire area seems rather shambolic on the part of Linksys.
10-18-2010 03:16 AM
Dear Sirs;
In the case of using the MAC, can you please let me know the commands as well as the profile rule you are using?
This should work properly.
Regards;
Alberto
10-18-2010 11:29 PM
openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.xml.gz
The profile decrypts perfectly with
openssl enc -d -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz.openssl -out 00259C010203.xml.gz
The file is definitely being requested from the TFTP server.
10-19-2010 12:50 AM
I can see one fault in your command and that is:
openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.xml.gz
Should be
openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.cfg
10-19-2010 02:46 AM
I can see one fault in your command and that is:
openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.xml.gz
Should be
openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.cfg
I changed the filename ending but it didn't make any difference.
10-19-2010 02:48 AM
Is this the command you are using as a profile rule on the unit?
?
Remember to add [--key 00259C01020] in front of the URL.
10-19-2010 03:52 AM
Is this the command you are using as a profile rule on the unit?
/ata_linksys_pap2t/$MA.cfg ?
Yes. In another config file on the tftp server actually.
Remember to add [--key 00259C01020] in front of the URL.
[--key 00259C01020]/ata_linksys_pap2t/$MA.cfg
No, because:
amontill wrote:
you can encrypt them using e.g. the MAC address as the encryption key of the device. [...] basically you need to encrypt the file (using SPC) with the key (recommend MAC address as then you dont need to pass the key to the device), and then in the device profile rule, need to include the encryption key as a token.
(My emphasis)
Admittedly, that's not very clear, but it was clarified a couple of posts later:
amontill wrote:
If the paraphrase is the MAC or serial number, it is not required as these are MACRO variables on the device.
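The gzip-then-openssl scheme discussed in the replies above, packaged as a small script with a round-trip check. This is an added example, not code from any poster or from Linksys; the `-md md5` flag is an assumption about what a 2010-era firmware expects (OpenSSL changed the default key-derivation digest from MD5 to SHA-256 in 1.1.0), and the device MAC is used as the passphrase as Alberto suggests.

```shell
#!/bin/sh
# Added example: build a per-device encrypted profile the way the thread
# describes (gzip, then openssl enc -aes-256-cbc -k <passphrase>) and verify
# that it decodes back to the original XML.
set -eu

# Build <MAC>.cfg from a plaintext XML profile.
# Arguments: MAC as the device expands $MA, path to the XML, TFTP root dir.
build_cfg() {
    mac=$1; xml=$2; outdir=$3
    gzip -c "$xml" > "$outdir/$mac.xml.gz"
    # -md md5 is an assumption: OpenSSL before 1.1.0 derived the key with
    # MD5 by default, and firmware written against that behaviour would
    # fail with a SHA-256 derived key. Drop it if the device rejects the file.
    openssl enc -e -aes-256-cbc -md md5 -k "$mac" \
        -in "$outdir/$mac.xml.gz" -out "$outdir/$mac.cfg"
    rm -f "$outdir/$mac.xml.gz"
    printf '%s\n' "$outdir/$mac.cfg"
}

# Decrypt and decompress one .cfg with the given passphrase, printing the
# XML (the "decompile" step from the thread, as a pipeline).
decode_cfg() {
    mac=$1; cfg=$2
    openssl enc -d -aes-256-cbc -md md5 -k "$mac" -in "$cfg" | gzip -dc
}

# Round-trip check: succeeds only if decoding with the MAC reproduces the
# original XML byte for byte and decoding with a different MAC does not.
verify_cfg() {
    mac=$1; xml=$2; cfg=$3
    decode_cfg "$mac" "$cfg" | cmp -s - "$xml" || return 1
    ! decode_cfg "000000000000" "$cfg" >/dev/null 2>&1 || return 1
}
```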