[cisco-voip] DRS Backup Decrypter Workaround - Need Input

Wed Sep 27 10:47:04 EDT 2017

(sorry, replied to Stephen but forgot to Reply All to include the list)

Stephen,

Thanks again for the great advice; I'm going that route.  I was able to get an updated version of the DRSD working with newer backups by using a Java app.  Using IKVM has proved a little trickier since the new algorithm requires a security provider in cryptojFIPS.jar.  Unfortunately there are security checks in that JAR's classes which check for the container name at runtime.  If they're repacked into another JAR, they fail to execute.  I may go back and play with that later, but for now the Java app on the local host will suffice.

Thanks,

Pete

________________________________
From: Stephen Welsh <stephen.welsh at unifiedfx.com>
Sent: Tuesday, September 26, 2017 9:51 AM
To: Pete Brown
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] DRS Backup Decrypter Workaround - Need Input

Hi Pete,

Would it not be better to create a small Java application that takes the encrypted content and returns the decrypted content (possibly passing in a file and creating a new file with the decrypted content?).

You can also compile Java to a .Net DLL using (https://www.ikvm.net), so you can call it directly without passing files backward/forward.
IKVM.NET Home Page<https://www.ikvm.net/>
www.ikvm.net
IKVM.NET is an implementation of Java for Mono and the Microsoft .NET Framework. It includes the following components: A Java Virtual Machine implemented in .NET

Kind Regards

Stephen Welsh
CTO

[cid:CBBF0493-235C-43D2-A874-9FB3D95AF598 at b2.unifiedfx.com]

On 26 Sep 2017, at 15:38, Pete Brown <jpb at chykn.com<mailto:jpb at chykn.com>> wrote:

I could use some public input regarding the next release of the DRS Backup Decrypter.  In a nutshell, the application will have to be online in order to decrypt backup sets from newer UCOS versions.

Last year Cisco started patching DRS with a new algorithm (PBEWithHmacSHA1AndDESede) to encrypt the random backup passwords.  I haven't been able to find a .NET implementation of this algorithm.  The only workaround I've come up with is to have the DRS Backup Decrypter make a call to a Java webservice that can perform the decryption.

The problems with this approach are pretty obvious.  Aside from having to be online, the encrypted cluster security password and 'EncryptKey' from a backup set will need to be submitted to a web service that I've written for decryption.  I can publish a public copy of this webservice, but for those behind corporate proxies (myself included), the code could be made available to run the service within their own networks.  In that case the DRS Backup Decrypter would be pointed to the internal copy of the webservice.

I personally detest utilities that can't operate offline, but it's the only workaround I can come up with at this point.  So my question is this - would anyone actually use it given the webservice dependency?
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20170927/624b57a7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1364 bytes
Desc: image003.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20170927/624b57a7/attachment.png>