Discussion:
[lsc-users] How to crypt or decrypt an AES encrypted attribute (storing the password) ?
Xavier Montagutelli
2010-08-27 16:28:07 UTC
Hello list,

I want to synchronise Active Directory from an LDAP directory. It works great,
thank you for LSC !

I want to store in LDAP the initial user password, encrypted with AES in a
dedicated attribute. In lsc.properties, I have :

lsc.security.encryption.keyfile = /path/to/secret-key-file
lsc.security.encryption.algorithm = AES
lsc.security.encryption.strength = 256

lsc.syncoptions.ldap2ad_user.unicodePwd.create_value =
AD.getUnicodePwd(SecurityUtils.decrypt(srcBean.getAttributeValueById("attributeForPwd")))

The attribute "attributeForPwd" is created from a perl script, with the
Crypt::OpenSSL::AES module. The SecurityUtils.decrypt raises an exception,
without any message.

I am not a Java expert, I don't know how the bouncycastle.org security
provider used by SecurityUtils works. In perl, I just do :

use strict;
use warnings;
use Crypt::OpenSSL::AES;
...
# Read the raw key bytes: slurp in binary mode so a 0x0A byte inside the key
# does not cut the read short (a line read would); the file must hold exactly 32 bytes
open (my $cle_fh, '<:raw', "/path/to/secret-key-file") or die "cannot open key file: $!";
my $cle = do { local $/; <$cle_fh> };
close ($cle_fh);
...
# Crypt::OpenSSL::AES encrypts exactly one 16-byte block per call, raw AES with no IV
my $aes = Crypt::OpenSSL::AES->new($cle);
# Left-pad the password with spaces to 16 bytes; a password longer than 16 bytes
# will not fit in one block and encrypt() will croak
my $pass_crypt = $aes->encrypt(sprintf("%16s", $pass));

(Note 1 : the key is 32 bytes long.
Note 2 : I add extra spaces to the password, I still have to remove them in
the javascript code)

Is it compatible with SecurityUtils.decrypt ? Do I have to use something else
to crypt the password (CBC ??) ?

Any hint would be valuable ! Thank you.
--
Xavier Montagutelli Tel : +33 (0)5 55 45 77 20
Service Commun Informatique Fax : +33 (0)5 55 45 75 95
Universite de Limoges
123, avenue Albert Thomas
87060 Limoges cedex
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
lsc-***@lists.lsc-project.org
http://lists.lsc-project.org/listinfo/lsc-users
Xavier Montagutelli
2010-09-07 07:45:49 UTC
Answering to myself :

I didn't manage to encrypt the password with perl, I now encrypt the password
with some Java code, using the Bouncy Castle security provider, and it works.

Two things worth noting :

1) I had to install the "unrestricted policy files" for Java to be able to use
256-bit keys

2) LSC expects the encoded password to be retrieved from LDAP base64 encoded.
So, when storing it, it must be base64 encoded before being given to LDAP.
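An added example, not code from the thread or from LSC itself, showing what the Perl script from the first post has to produce to match the two findings above: the ciphertext base64-encoded as a single string, and a raw 32-byte key. It assumes, which the thread never confirms, that SecurityUtils decrypts with AES in ECB mode with PKCS#5 padding (the default behind Cipher.getInstance("AES") in Java) and that the key file holds the raw key bytes; read_key, pkcs7_pad and encrypt_for_lsc are names of my own.

```perl
use strict;
use warnings;
use Crypt::OpenSSL::AES;
use MIME::Base64 qw(encode_base64);

my $BLOCK = 16;    # AES block size in bytes, whatever the key size

# Slurp the key file in binary; "strength = 256" means exactly 32 key bytes.
# One trailing newline left by an editor is tolerated, any other length is fatal.
sub read_key {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or die "cannot open $path: $!";
    my $key = do { local $/; <$fh> } // '';
    close($fh);
    $key =~ s/\r?\n\z//;
    die "key must be 32 bytes, got " . length($key) unless length($key) == 32;
    return $key;
}

# PKCS#7 padding, which is what Java's PKCS5Padding produces for 16-byte blocks:
# append N bytes of value N (1..16). Unlike space padding it is unambiguous and
# lets passwords of any length through, not only those of at most 16 bytes.
sub pkcs7_pad {
    my ($data) = @_;
    my $n = $BLOCK - length($data) % $BLOCK;
    return $data . chr($n) x $n;
}

# Crypt::OpenSSL::AES encrypts one 16-byte block per call (raw AES, i.e. ECB),
# so pad, encrypt block by block, then base64 the whole ciphertext, since LSC
# base64-decodes what it reads from LDAP before decrypting.
# ASSUMPTION (not confirmed by the thread): the Java side is AES/ECB/PKCS5Padding.
# ECB is deterministic: two users with the same password get the same stored
# value, so protect this attribute with LDAP ACLs as you would a plaintext one.
sub encrypt_for_lsc {
    my ($key, $password) = @_;    # $password must be a byte string (encode UTF-8 first if needed)
    my $aes    = Crypt::OpenSSL::AES->new($key);
    my $padded = pkcs7_pad($password);
    my $ct = join '', map { $aes->encrypt(substr($padded, $_ * $BLOCK, $BLOCK)) }
                          0 .. length($padded) / $BLOCK - 1;
    return encode_base64($ct, '');    # '' = no line breaks, one base64 string for LDAP
}

# Usage: print encrypt_for_lsc(read_key('/path/to/secret-key-file'), $pass), "\n";
```

Before trusting it in production, decrypt one stored value through LSC's own SecurityUtils.decrypt on a test entry; if your LSC version uses a different mode or key format, that check is where it will show.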
Jonathan Clarke
2010-09-10 15:24:15 UTC
Hi Xavier,
Post by Xavier Montagutelli
I didn't manage to encrypt the password with perl, I now encrypt the password
with some Java code, using the Bouncy Castle security provider, and it works.
1) I had to install the "unrestricted policy files" for Java to be able to use
256 bits keys
2) LSC expects the encoded password to be retrieved from LDAP base 64 encoded.
So, when storing it, it must be base64 encoded before being given to LDAP
Thanks for these useful notes. I've added them to the documentation at
http://lsc-project.org/wiki/documentation/1.2/configuration/syncoptions/security
I would have thought it was possible to use another implementation of
whatever encryption algorithm, like yours in Perl. Did you get it
working, while storing in base64?

Do you feel that using base64 should be optional? It could be a
configuration item, for example.

Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - ***@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------