Help enabling AES 256-bit cipher suites

Similar Messages

• CF9 Encrypt with AES 256-bit, example anyone?

  Hi there. I'm looking for a working example of  the Encrypt method using the AES 256 bit key.  I think that I have the Unlimited Strength Jurisdiction Policy Files enabled.  And I'm still getting the CFError,
  The key specified is not a valid key for this encryption: Illegal key size. 
  Now i hit the wall, can't get it.  What wrong am i doing?  How can I verify that the policy files are installed and accessible to my cf file?  Any help is greatly appreciated.
  <cfset thePlainText  = "Is this working for me?" />
  Generate Secret Key (128):  <cfset AES128 = "#generatesecretkey('AES',128)#" /> <cfdump var="#AES128#"><BR>
  Generate Secret Key (192):  <cfset AES192 = "#generatesecretkey('AES',192)#" /> <cfdump var="#AES192#"><BR>
  Generate Secret Key (256):  <cfset AES256 = "#generatesecretkey('AES',256)#" /> <cfdump var="#AES256#"><BR><BR>
  <cfset theKey    = AES256 />
  <cfset theAlgorithm  = "AES/CBC/PKCS5Padding" />
  <cfset theEncoding  = "base64" />
  <cfset theIV    = BinaryDecode("6d795465737449566f7253616c7431323538704c6173745f", "hex") />
  <cfset encryptedString = encrypt(thePlainText, theKey, theAlgorithm, theEncoding, theIV) />
  <!--- Display results --->
  <cfset keyLengthInBits  = arrayLen(BinaryDecode(theKey, "base64")) * 8 />
  <cfset ivLengthInBits  = arrayLen(theIV) * 8 />
  <cfdump var="#variables#" label="AES/CBC/PKCS5Padding Results" />
  <cfabort>

  Verison 10 is different from 9 because they run on different servlet containers. CF 10 uses Tomcat, CF 9 uses JRun, so things are in different places.
  \\ColdFusion10\jre\lib\security seems like the correct locaiton for the policy files to me. I actually gave you the wrong locations in my original post (sorry about that).  According to the installation instructions they belong in <java-home>\lib\security, which is looks like you've found.
  So something else is wrong. Here are some things to look at, in no particular order:
  1. Are you using a JVM other than the Java 1.6 that comes with CF10?
  2. Did you restart Tomcat after coping the files in?
  3. Note that I keep saying FILES, did you copy BOTH of th .jar files from the JCE folder you unzipped into the security directory.  It should have prompted you to overwrite existing files.
  4. Did you try unzipping the files and copying them in again, on the chance that they did not overwrite the originals?
  Sorry, I don't have CF10 installed to give this a try. But I have no reason to believe that it would not work in 10. It's all just JCA/JCE on the underlying JAVA, and I have heard no reports from anyone else that it doesn't work.
  Jason

• AIR-AP1131AG-I-K9 support AES 256 bit ?

  hi,
  I have several AP devices:
  Product/Model Number: AIR-AP1131AG-I-K9
   System Software Filename: c1130-k9w7-tar.124-3g.JA
   System Software Version: 12.4(3g)JA
  Bootloader Version: 12.3(8)JEA
  i need to know if  AES 256 bit is supported by this devices and if the current software need to upgrade for that.
  Regards,

  HI Ben,
  As per my knowledge this Software dont support 256 bit key size.
  Here is the link:http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4_3g_JA/configuration/guide/ios1243gjaconfigguide/s43wep.html
  another version: 12.3(8)JA supports 256 bit key size to protect data traffic,
  http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-3_8_JA/configuration/guide/1238jasc/s38wep.html
  Regards
  Don't forget to rate helpful posts

• Generating AES 256 bit key using seed

  Hi
  As part of encryption requirements for encrypting the body of the SOAP Message while calling an external Web Service, it is requried to encrypt using a shared symmetric key.
  First step is to create a password digest
  Base64(sha1(nonce + createdTimestamp + password)) - This step is working completely fine and produces a 160 bit Hash
  The next step is to generate an AES 256 bit key using the above hash as the Seed. This should generate a 256 bit encrytpion key which can then be used to encrypt the message body.
  Would appreciate if anyone who knows how to generate AES 256 bit key using a hash seed in Java (v1.4.2) can provide some guidance.
  P:S. I am using WSS4J API to use WS-Security

  I have to generate 256-bit AES key with a 128-bit IV using the above password digest and the IV used for in the creation of the AES key prefixes the cipher text.
  The external WebService is .net webservice.
  Edited by: GUPTAG on Nov 25, 2008 3:05 AM

• Windows 8.1 Pro Bitlocker AES 256-bit cypher question

  Hi, all
  Have an odd situation I cannot make any sense of. I have a desktop PC running Windows 8.1 Pro. I launched gpedit.msc and changed Bitlocker’s cypher strength from the default AES 128-bit to AES 256-bit.
  I then connected a brand new Western Digital 4TB external drive (model WDBFJK0040HBK-04) to the PC via USB 3.0, and Bitlocker-encrypted the drive. Opened a command prompt window as administrator, ran “manage-bde –status” for the drive in question,
  which indicated the drive was encrypted with the 128 bit cypher strength, instead of 256 bits, as I had selected. Have unencrypted, rebooted and re-encrypted the drive time and again, always with the same results.
  When connecting the same external 4TB drive to a Windows Server 2012 R2 Essentials in which I had made the exact same changes via gpedit.msc,
  I can encrypt it with the 256-bit cypher strength, with no problems.
  No TPM is used in either scenario, just a passphrase.
  Anyone has any idea why my 256-bit setting is being ignored in the Windows 8.1 Pro machine?
  Thanks
  Arsene
  ArseneL

  Well, running rsop.msc in my Server 2012 R2 machine does show my 256-bit bitlocker setting took, however, running rsop.msc in my Win 8.1 Pro machine shows it did not, which explains the problem I am having.
  Now all I have to do is find out why my request is not taking, even though I am logged in as an admin.
  Thanks!!
  ArseneL

• About Hardware encryption AES 256 bit crucial mx100

  My question works it automatically or works the hardware encryption windows only ?
  because not sure is it safe enough and also about speed.
  sorry for my terrible English. You can answer in German and English thanks.
  Meine Frage ist ... ob die Hardware Verschlüsselung automatisch vom Controller crucial mx100 gesteuert wird oder funktioniert es nur unter Windows ?
  es muss ich filevault benutzen um die Daten zu schützen ?

  Hardware encryption is a feature of SSD's. It is transparent to the user and you don't have to do anything to enable it. The data on the SSD is encrypted with a random key. When you erase the device, the key is destroyed. You can't use hardware encryption to protect your data from theft. For that, use FileVault.

• Aes-256 or aes-128 bit

  Hello
  I'm trying to keep the CPU down as much as possible on my ASA-5540. We're running 8.2.5 on it. We have a bout 80 active IPSec tunnels so far, all which are using AES-256 bit for phase1/2, 75 of the tunnels are mostly ezy vpn connections. Currently the CPU during peak usage is averaging around 22%.  We're planning on having over 1000 IPsec connections, mostly will be remote vpn access with about 170 of them ezy vpn and 250 l2l tunnels.
  Is there any noticable CPU performance gain by using AES-128 bit instead of AES-256 on the phase2?
  Thanks,
  John

  Just wondering if someone out there has noticed any performance gains by using AES-128 instead of AES-256. I'm trying standardize on a policy going forward.
  Thanks!

• How to add a Cipher Suite using RSA 1024 algorithm to the 'SSL Cipher Suite Order' GPO

  Following a VA test the Default Domain GPO has been set to enable the SSL Cipher Suite Order.  Following the change Symantec Endpoint Protection Manager doesn't work properly as the the Home, Monitors and Reports pages are blank and an Schannel error is
  logged in the SEPM server's event log.
  I have spoken to Symantec and I have been told that we need to allow the RSA 1024 bit algorithm but they can't tell me which cipher suite this would be.  I have looked in the GPO setting and can't see an RSA 1024 suite but have found some in this article:
  http://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01
  I want to know how to add an additional cipher suite into the setting safely.  Am I able to just add the suite into the GPO setting (eg TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA) or do I need to do anything else beforehand?
  If anyone has any advice regarding this or cipher suite orders and troubleshooting SSL problems it would be much appreciated,
  Thanks
  Chris

  Hi Chris,
  Based on my research, RSA_EXPORT1024_DES_CBC_SHA is a previous cipher suite, which is supported, you can enable it use
  SSL Cipher Suite Order policy setting under Administrative Templates\Network\SSL Configuration Settings.
  More information for you:
  TLS/SSL Cryptographic Enhancements
  http://technet.microsoft.com/en-us/library/cc766285(v=WS.10).aspx
  Best Regards,
  Amy

• Cannot download Flash Player for IE9, 256-bit

  Help!

  You are being very vague with your help request.
  256-bit refers to the cipher strength of the web browser, not the version type (32-bit or 64-bit version).
  Please tell us...
  1) which Operating System you are using
  2) which steps you are taking to launch Internet Explorer
  3) which steps you are taking to download and install Flash Player and which version of Flash Player you are trying to install (and from which website)

• CSS 11503 SSL termination and 256 bit support

  Does anyone know if the CSS11503 can support 256 bit SSL termination?

  switch/Admin(config-parammap-ssl)# cipher ?
  RSA_EXPORT1024_WITH_DES_CBC_SHA Accept RSA_EXPORT1024_WITH_DES_CBC_SHA cipher
  RSA_EXPORT1024_WITH_RC4_56_MD5 Accept RSA_EXPORT1024_WITH_RC4_56_MD5 cipher
  RSA_EXPORT1024_WITH_RC4_56_SHA Accept RSA_EXPORT1024_WITH_RC4_56_SHA cipher
  RSA_EXPORT_WITH_DES40_CBC_SHA Accept RSA_EXPORT_WITH_DES40_CBC_SHA cipher
  RSA_EXPORT_WITH_RC4_40_MD5 Accept RSA_EXPORT_WITH_RC4_40_MD5 cipher
  RSA_WITH_3DES_EDE_CBC_SHA Accept RSA_WITH_3DES_EDE_CBC_SHA cipher
  RSA_WITH_AES_128_CBC_SHA Accept RSA_WITH_AES_128_CBC_SHA cipher
  RSA_WITH_AES_256_CBC_SHA Accept RSA_WITH_AES_256_CBC_SHA cipher
  RSA_WITH_DES_CBC_SHA Accept RSA_WITH_DES_CBC_SHA cipher
  RSA_WITH_RC4_128_MD5 Accept RSA_WITH_RC4_128_MD5 cipher
  RSA_WITH_RC4_128_SHA Accept RSA_WITH_RC4_128_SHA cipher
  The following 256 bits cipher is already supported :
  RSA_WITH_AES_256_CBC_SHA
  Gilles.

• Need 256 Bit AES Full Disk Encryption for a Mac.  The other discussions regarding this issue are very old.  Does anyone have any current advice regarding encryption software?

  Does anyone have any advice regarding 256 bit full disk encryption software for Macs?  The other discussions on the topic are years old, so I would like some current input.  Thanks for your help in advance.

  Depending on your Mac, you might not want to upgrade to OS X 10.7 or 10.8 as it will not run the PowerPC based software your currently using costing a bundle to replace it all, also they will slow down your machine if it's not a more recent issue. You don't want to upgrade OS X without AppleCare defending your possibly bricked logicboard that's for sure.
  Filevault encrypts the boot drive, however in doing so makes it near impossible to fix if you have a software issue and need to recover files directly or by using specialty software. Also it robs the machine of performance even more than the Lions do. So you will really need a SSD to work best with 10.7/10.8 and Filevault, then it has to be freshly installed. Filevault needs 50% free space on the boot drive, then it's going to write to the slower 50% half of the hard drive where performance is terrible compared to the first 50%.
  Also Filevault is cracked under certain conditions, and if someone gets their hands on the machine (like the law) and knows what they are doing.
  If you take your Filevaulted machine to Apple to fix, they are going to require the password to fix the machine obviously.
  Software based encryption is vulnerable, you might want to instead place your sensitive data on external self-encrypting hardware that doesn't rely upon software or computer hacks/bypasses (ike freezing the RAM) to get to it.
  http://www.datalocker.com/products/datalocker-dl3.html
  Iron Keys for portable USB self encryption, both work with any computer, so your not locked into one platform.
  With the senstive data off the computer and on a external device, there is the option of removing, hiding and securing the device. If used with a computer that's never connected to the Internet, it's safe from snoopers, except from a survelliance van parked outside your door.

• Why in Firefox there are no cipher suits with SHA-256?

  I don't see cipher suits with SHA-256 in Firefox ClientHello. Why? They are not supported?

  I think that it is best to keep the discussion in one thread, so I locking the other two that you created.
  Please continue here: [[/questions/976999]]

• If you add 2x1 gig to the base config, do you enable 256-bit addressing?

  I can't seem to find a definitive answer to this anywhere...do all four RAM modules need to be "matched" for 256-bit addressing to be working, or will the 256-bit addressing work with 2x512mb + 2x1gb?
  Is there any way to verify the addressing on a Mac Pro? System Profiler doesn't seem to do this, does any other software let you check the addressing?

  This is looking more complicated than most RAM situations I've dealt with
  It's actually not. It's rather simple really… if you can saturate 3GB (2 x 1GB + 2 x512MB) then the performance of your system will always be better than if it had 2GB (4 x 512MB). If that's what you can afford then that is best.
  Basically what you are doing is over complicating things by doing the constant "what if" thought. As with any other system, more RAM is better if your needs and usage will saturate that RAM.
  Personally I'll be going to 5GB (2 x 1GB + 6 x 512MB) with an intermediate step to 3GB (6 x 512MB) having started with 2GB from Apple.

• Encrypt/decrypt AES 256, vorsalt error

  Hiyas.
  So I'm trying to get encrypt/decrypt to work for AES 256, with both 32byte key and 32byte IVorSalt. (Yup-new java security files v6 installed)
  'IF' I 32byte key but dont use a IV at all, I get a nice looking AES 256 result. (I can tell it's AES 256 by looking the length of the encrypted string)
  'IF' I use a 32byte key and 16bit salt, I get a AES 128 result (I know- as per docs theyre both s'posed to the same size, but the docs are wrong).
  But when i switch to using both a 32byte key AND a 32byte salt I get the error below.
  An error occurred while trying to encrypt or decrypt your input string: Bad parameters: invalid IvParameterSpec: com.rsa.jsafe.crypto.JSAFE_IVException: Invalid IV length. Should be 16.
  Has anyone 'EVER' gotten encrypt to work for them using AES 256 32byte key and 32byte salt? Is this a bug in CF? Or Java? Or I am doing something wrong?
  <!--- ////////////////////////////////////////////////////////////////////////// Here's the Code ///////////////////////////////////////////////////////////////////////// --->
  <cfset theAlgorithm  = "Rijndael/CBC/PKCS5Padding" />
  <cfset gKey = "hzj+1o52d9N04JRsj3vTu09Q8jcX+fNmeyQZSDlZA5w="><!--- these 2 are the same --->
  <!---<cfset gKey = ToBase64(BinaryDecode("8738fed68e7677d374e0946c8f7bd3bb4f50f23717f9f3667b2419483959039c", "Hex"))>--->
  <cfset theIV    = BinaryDecode("7fe8585328e9ac7b7fe8585328e9ac7b7fe8585328e9ac7b7fe8585328e9ac7b","hex")>
  <!---<cfset theIV128    = BinaryDecode("7fe8585328e9ac7b7fe8585328e9ac7b","hex")>--->
  <cffunction    name="DoEncrypt" access="public" returntype="string" hint="Fires when the application is first created.">
      <cfargument    name="szToEncrypt" type="string" required="true"/>
      <cfset secretkey = gKey>               
      <cfset szReturn=encrypt(szToEncrypt, secretkey, theAlgorithm, "Base64", theIV)>
      <cfreturn szReturn>
  </cffunction>   
  <cffunction    name="DoDecrypt" access="public" returntype="string" hint="Fires when the application is first created.">
      <cfargument    name="szToDecrypt" type="string" required="true"/>
      <cfset secretkey = gKey>   
      <cfset szReturn=decrypt(szToDecrypt, secretkey, theAlgorithm, "Base64",theIV)>       
      <cfreturn szReturn>
  </cffunction>
  <cfset szStart = form["toencrypt"]>
  <cfset szStart = "Test me!">
  <cfset szEnc = DoEncrypt(szStart)>
  <cfset szDec = DoDecrypt(szEnc)>
  <cfoutput>#szEnc# #szDec#</cfoutput>

  Hi edevmachine,
  This Bouncy Castle Encryption CFC supports Rijndael w/ 256-bit block size. (big thanks to Jason here and all who helped w/ that, btw!)
  Example:
  <cfscript>
    BouncyCastleCFC = new path.to.BouncyCastle();
    string = "ColdFusion Rocks!"; 
    key = binaryEncode(binaryDecode(generateSecretKey("Rijndael", 256), "base64"), "hex");//the CFC takes hex'd key
    ivSalt = binaryEncode(binaryDecode(generateSecretKey("Rijndael", 256), "base64"), "hex");//the CFC takes hex'd ivSalt
    encrypted = BouncyCastleCFC.doEncrypt(string, key, ivSalt);
    writeOutput(BouncyCastleCFC.doDecrypt(encrypted, key, ivSalt));
  </cfscript>
  Related links for anyone interested in adding 256-bit block size Rijndael support into ColdFusion:
  - An explanation of how to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files into ColdFusion
  - An explanation of how to install the Bouncy Castle Crypto package into ColdFusion (near bottom, under the "Installing additional security providers" heading)
  - An explanation of how to connect the Bouncy Castle classes together
  - Bouncy Castle's doc for the Rijndael Engine
  And here is the full CFC as posted in the StackOverflow discussion:
  <cfcomponent displayname="Bounce Castle Encryption Component" hint="This provides bouncy castle encryption services" output="false">
  <cffunction name="createRijndaelBlockCipher" access="private">
      <cfargument name="key" type="string" required="true" >
      <cfargument name="ivSalt" type="string" required="true" >
      <cfargument name="bEncrypt" type="boolean" required="false" default="1">
      <cfargument name="blocksize" type="numeric" required="false" default=256>
      <cfscript>
      // Create a block cipher for Rijndael
      var cryptEngine = createObject("java", "org.bouncycastle.crypto.engines.RijndaelEngine").init(arguments.blocksize);
      // Create a Block Cipher in CBC mode
      var blockCipher = createObject("java", "org.bouncycastle.crypto.modes.CBCBlockCipher").init(cryptEngine);
      // Create Padding - Zero Byte Padding is apparently PHP compatible.
      var zbPadding = CreateObject('java', 'org.bouncycastle.crypto.paddings.ZeroBytePadding').init();
      // Create a JCE Cipher from the Block Cipher
      var cipher = createObject("java", "org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher").init(blockCipher,zbPadding);
      // Create the key params for the cipher    
      var binkey = binarydecode(arguments.key,"hex");
      var keyParams = createObject("java", "org.bouncycastle.crypto.params.KeyParameter").init(BinKey);
      var binIVSalt = Binarydecode(ivSalt,"hex");
      var ivParams = createObject("java", "org.bouncycastle.crypto.params.ParametersWithIV").init(keyParams, binIVSalt);
      cipher.init(javaCast("boolean",arguments.bEncrypt),ivParams);
      return cipher;
      </cfscript>
  </cffunction>
  <cffunction name="doEncrypt" access="public" returntype="string">
      <cfargument name="message" type="string" required="true">
      <cfargument name="key" type="string" required="true">
      <cfargument name="ivSalt" type="string" required="true">
      <cfscript>
      var cipher = createRijndaelBlockCipher(key=arguments.key,ivSalt=arguments.ivSalt);
      var byteMessage = arguments.message.getBytes();
      var outArray = getByteArray(cipher.getOutputSize(arrayLen(byteMessage)));
      var bufferLength = cipher.processBytes(byteMessage, 0, arrayLen(byteMessage), outArray, 0);
      var cipherText = cipher.doFinal(outArray,bufferLength);
      return toBase64(outArray);
      </cfscript>
  </cffunction>
  <cffunction name="doDecrypt" access="public" returntype="string">
      <cfargument name="message" type="string" required="true">
      <cfargument name="key" type="string" required="true">
      <cfargument name="ivSalt" type="string" required="true">
      <cfscript>
      var cipher = createRijndaelBlockCipher(key=arguments.key,ivSalt=arguments.ivSalt,bEncrypt=false);
      var byteMessage = toBinary(arguments.message);
      var outArray = getByteArray(cipher.getOutputSize(arrayLen(byteMessage)));
      var bufferLength = cipher.processBytes(byteMessage, 0, arrayLen(byteMessage), outArray, 0);
      var originalText = cipher.doFinal(outArray,bufferLength);
      return createObject("java", "java.lang.String").init(outArray);
      </cfscript>
  </cffunction>
  <cfscript>
  function getByteArray(someLength)
      byteClass = createObject("java", "java.lang.Byte").TYPE;
      return createObject("java","java.lang.reflect.Array").newInstance(byteClass, someLength);
  </cfscript>
  </cfcomponent>
  Thanks!,
  -Aaron

• Schannel cipher suites and ChaCha20

  Is there a blog or other communications channel devoted to the PKI internals of Windows? Most security researchers focus on Linux web servers/OpenSSL, but there are folks in the Windows world who really care about this stuff too, and we'd like to hear
  about what the Windows PKI developers are working on and planning, and perhaps interact with comments and suggestions.
  Because I couldn't find any discussion about Schannel development, I started a
  feature suggestion on the Windows User Voice site for Microsoft to add ChaCha20-Poly1305 cipher suites to Schannel, mostly for the benefit of mobile visitors to IIS websites, but also to help Windows phones and tablets that don't have integrated CPU extensions
  for GCM encryption (improved speed and reduced power consumption).
  It's frustrating to be a security-focused IIS website administrator. Schannel is a "black box" that we can't tinker with or extend ourselves, and support for modern ciphers has been lagging behind other website and client software (it looks like we'll
  at least finally get strong and forward secret ECDHE_RSA + AES + GCM suites with Windows 10 and Server vNext/2016). The methods for configuring cipher suite orders and TLS versions could really use a rethink too (thank goodness for IISCrypto).

  Hi Jamie_E,
  May the following article can help you,
  Cipher Suites in Schannel
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx
  Managing SSL for a Client Access Server
  http://technet.microsoft.com/en-us/library/bb310795.aspx
  Configuring Secure Sockets Layer in IIS 7
  http://technet.microsoft.com/en-us/library/cc771438(WS.10).aspx
  How to enable Schannel event logging in IIS
  https://vkbexternal.partners.extranet.microsoft.com/VKBWeb/?portalId=1#
  How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
  http://support.microsoft.com/kb/245030/EN-US
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]