[cisco-voip] DRS Backup Decrypter - Need Help

Pete Brown jpb at chykn.com
Fri Mar 18 18:04:07 EDT 2016 

I usually wouldn't ask for help on this, but I've run into a road block updating the DRS Backup Decrypter to be fully compatible with recent UCOS releases.  The file decryption works, but not the "Guess Cluster Security Password" function.  UCOS versions released in the last year or so started using a new hashing algorithm on the encrypted cluster security password when running backups.  They were using PBEWithMD5AndDES but switched to PBEWithHmacSHA1AndDESede.  The problem is that I can't find a direct .NET replacement for this algorithm.

The PBKDF2WithHmacSHA1 algorithm gives near identical output to PBEWithHmacSHA1AndDESede and does have a direct .NET replacement, Rfc2898DeriveBytes.  It almost looks like PBEWithHmacSHA1AndDESede is generating the same output as PBKDF2WithHmacSHA1 but also applying a XOR mask to the LSB of each output byte after the last iteration.  My first thought was that it was performing a 3DES encryption afterwards, but that should affect more than just the LSB of each byte.  Here are sample outputs from hashing two different passwords.

Hashing password "testpassword1"
Results after 1024 iterations...
Secret key encoded PBEWithHmacSHA1AndDESede: EA914F4C49311C6E9D57EAE0EAD0B03170EFA7E3ECF86189
Secret key encoded PBKDF2WithHmacSHA1      : EB914E4C49311C6F9D57EAE1EBD1B13071EEA7E3EDF96088

Hashing password "testpassword2"
Results after 1024 iterations...
Secret key encoded PBEWithHmacSHA1AndDESede: 49B0F2DCF2434C239240F4078FEF6BAE34C43B6E910E4C1A
Secret key encoded PBKDF2WithHmacSHA1      : 49B0F3DCF2434D229340F5078FEE6AAE34C43B6E900E4D1B

If anyone knows a guy who knows a guy with experience in this area, please feel free to send them my way.  I'd like to spend more time and solve this one on my own, but I've been working on this quite a bit lately and ignoring my "domestic duties".  Wife and I had our 14th anniversary this week; I'd really like to make it to 15!  Any help figuring out the hashing issue is definitely appreciated.

Thanks,
Pete
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20160318/824d13cc/attachment.html>

More information about the cisco-voip mailing list