
Password encryption

For password encryption, we use AES in GCM mode without padding (the AES/GCM/NoPadding transformation).

GCM is a block cipher mode of operation that provides both confidentiality and data origin authentication. The GCM authenticated encryption operation takes four inputs:

  • secret key
  • initialization vector (IV)
  • plaintext
  • additional authenticated data (AAD); optional, and not used in our case.

Secret key - a piece of information or parameter that is used to encrypt and decrypt messages.

The key can be generated with openssl, for example:

$ openssl aes-256-cbc -k secret -P -md sha1

salt=B6DDBE4EEAAEA8E4
key=C4B6150B28D655A64BFD2B01A0795770F495B1D07545CE82145CF7CEC0285986
iv =E7A4713DFBBE38CADA40170F0D34BCEC

If a user's password is sent to the API or with a SAML request, it must be encrypted and then Base64-encoded.

The CIM API configuration accepts the hexadecimal representation of 128-, 192-, and 256-bit keys with the hex: prefix. In most cases, the client implementation will skip the hex: prefix and use the binary representation of the hex key directly.

Initialization Vector (IV) - randomly generated, eight octets in length.

The IV must never repeat under the same key; a fresh one is generated for every message.

Plaintext - the data that should be encrypted.

For detailed information about AES-GCM, please read this RFC specification.

Examples:

This chapter shows examples, in various languages, of simple encryption and decryption of a user's password.
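As an added example that is not part of the original page or the CIM API's own code, the following Go program implements the scheme described above: a configuration key with an optional hex: prefix, a randomly generated eight-octet IV per message, AES-GCM with no AAD, and a Base64-encoded result. The function names and the IV || ciphertext || tag layout are assumptions, since the page does not fix a wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"strings"
)

// ivLen follows the page (eight octets); Go's cipher.NewGCM assumes 12, hence NewGCMWithNonceSize.
const ivLen = 8

// NewPasswordCipher builds AES-GCM from the "hex:<key>" configuration form. The
// prefix is optional (clients often drop it); aes.NewCipher rejects any key that is not 128, 192 or 256 bits.
func NewPasswordCipher(cfgKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(strings.TrimPrefix(cfgKey, "hex:"))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, ivLen)
}

// EncryptPassword returns Base64(IV || ciphertext || tag) under a fresh random
// IV and with no AAD, as on the page. The IV-first layout is an assumption.
func EncryptPassword(gcm cipher.AEAD, password string) (string, error) {
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(iv, iv, []byte(password), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPassword reverses EncryptPassword; any altered byte fails the tag check.
func DecryptPassword(gcm cipher.AEAD, blob string) (string, error) {
	data, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(data) < ivLen+gcm.Overhead() {
		return "", errors.New("malformed ciphertext")
	}
	plain, err := gcm.Open(nil, data[:ivLen], data[ivLen:], nil)
	return string(plain), err
}
```

The key= value printed by openssl above, prefixed with hex:, can be passed to NewPasswordCipher; decrypting a blob in which any byte was altered returns an error instead of a password.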