[cisco-voip] DRS Backup Decrypter Workaround - Need Input

Brian Meade bmeade90 at vt.edu
Tue Sep 26 10:42:51 EDT 2017


I'd probably use it less.  Right now, I use it for almost every project to
verify cluster security passwords.

I'd probably have to make this more of a last resort in that case and make
sure to get sign-off from the customer.

On Tue, Sep 26, 2017 at 10:38 AM, Pete Brown <jpb at chykn.com> wrote:

> I could use some public input regarding the next release of the DRS Backup
> Decrypter.  In a nutshell, the application will have to be online in order
> to decrypt backup sets from newer UCOS versions.
>
> Last year Cisco started patching DRS with a new algorithm
> (PBEWithHmacSHA1AndDESede) to encrypt the random backup passwords.  I
> haven't been able to find a .NET implementation of this algorithm.  The
> only workaround I've come up with is to have the DRS Backup Decrypter make
> a call to a Java webservice that can perform the decryption.
>
> The problems with this approach are pretty obvious.  Aside from having to
> be online, the encrypted cluster security password and 'EncryptKey' from a
> backup set will need to be submitted to a web service that I've written for
> decryption.  I can publish a public copy of this webservice, but for those
> behind corporate proxies (myself included), the code could be made
> available to run the service within their own networks.  In that case the
> DRS Backup Decrypter would be pointed to the internal copy of the
> webservice.
>
> I personally detest utilities that can't operate offline, but it's the
> only workaround I can come up with at this point.  So my question is this -
> would anyone actually use it given the webservice dependency?
>

