For password encryption we use
AES-GCM algorithm without Padding
GCM is a block cipher mode of operation providing both confidentiality and data origin authentication. By default GCM authenticated encryption operation has four inputs:
- secret key
- initialization vector (IV)
- additional authenticated data (AAD) (optional not needed in our case).
Secret key - piece of information or parameter that is used to encrypt and decrypt messages
Key can be generated by using openssl, example:
$ openssl aes-256-cbc -k secret -P -md sha1 salt=B6DDBE4EEAAEA8E4 key=C4B6150B28D655A64BFD2B01A0795770F495B1D07545CE82145CF7CEC0285986 iv =E7A4713DFBBE38CADA40170F0D34BCEC
If a password of a user is sent to API or with SAML request, it must be encrypted and encoded with
CIM API configuration accepts hexadecimal representation of 128, 192 and 256 bit keys with
Client implementation in most of cases will skip
hex: prefix. And use direct binary representation of hex key.
Initialization Vector (IV) - Randomly generated eight octet length.
IV cannot repeat for same key, should be newly generated for any new message.
plaintext data that should be encrypted
For detailed information about
AES-GCM please read this RFC specification
This chapter shows examples in various languages of simple encryption/decryption of user password.