Weak cipher blocking in ACE20

Similar Messages

• SSL Weak Cipher

  We have a new security product that has detected SSL Weak Cipher strengths. I have been going round and round trying to figure out what the issue might be.
  What I am down to is a config option with the OpenSSL. It appears it reads the SSL Cipher strengths from the vhost-ssl.conf file in the \etc\apache2\vhosts.d directory.
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSL v2:+EXP:+eNULL
  The above is the default string. I have changed it as follows to eliminate the weak SSLv2.
  SSLCipherSuite ALL:!ADH:!EXport56:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:+E XP:+eNULL:-SSLv2
  The problem is the server still comes back support encryption less than 128 bit. What options do I need to change to fix this issue?

  IS this an OES1 or OES2 server? On what port is the weak cipher being used? When you installed your server, did you enable the option to use certificates from eDirectory?

• OEM weak cipher support

  Hello,
  If a box running Oracle is scanned with a vulnerability scanner it finds many vulnerabilities of weak SSL ciphers supported.
  TCP:1158 - DES-CBC-SHA (SSLv3) - SSL Weak Cipher Supported
  TCP:1158 - DES-CBC-SHA (TLSv1) - SSL Weak Cipher Supported
  TCP:1158 - EDH-RSA-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Supported
  TCP:1158 - EDH-RSA-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Supported
  TCP:1158 - EXP-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Supported
  TCP:1158 - EXP-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Supported
  TCP:1158 - EXP-EDH-RSA-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Supported
  TCP:1158 - EXP-EDH-RSA-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Supported
  TCP:1158 - EXP-RC4-MD5 (SSLv3) - SSL Weak Cipher Supported
  TCP:1158 - EXP-RC4-MD5 (TLSv1) - SSL Weak Cipher Supported
  TCP:1158 - DES-CBC-SHA (SSLv3) - SSL Weak Cipher Strength Supported
  TCP:1158 - DES-CBC-SHA (TLSv1) - SSL Weak Cipher Strength Supported
  TCP:1158 - EDH-RSA-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Strength Supported
  TCP:1158 - EDH-RSA-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Strength Supported
  TCP:1158 - EXP-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Strength Supported
  TCP:1158 - EXP-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Strength Supported
  TCP:1158 - EXP-EDH-RSA-DES-CBC-SHA (SSLv3) - SSL Weak Cipher Strength Supported
  TCP:1158 - EXP-EDH-RSA-DES-CBC-SHA (TLSv1) - SSL Weak Cipher Strength Supported
  TCP:1158 - EXP-RC4-MD5 (SSLv3) - SSL Weak Cipher Strength Supported
  TCP:1158 - EXP-RC4-MD5 (TLSv1) - SSL Weak Cipher Strength Supported
  TCP:1158 - (512) - SSL Certificate Weak Public Key Strength
  How can I lock down the local OEM to only TLS high ciphers?
  Thanks
  Matt

  I think that this was included as a reference in the doc that Eric had linked.
  -- Restricting access to console with https only
  $OMS_HOME/bin/emctl stop oms
  $OMS_HOME/bin/emctl secure lock -console
  $OMS_HOME/bin/emctl start oms
  -- Forcing the protocol to be TLSv1 only
  $OMS_HOME/bin/emctl stop oms
  $OMS_HOME/bin/emctl secure oms -protocol TLSv1
  cd /oracle/gc_inst/user_projects/domains/GCDomain/bin
  cp startEMServer.sh startEMServer.sh_backup
  vi startEMServer.sh
  -- add this option to JAVA_OPTIONS line in the file
  -Dweblogic.security.SSL.protocolVersion=TLS1
  $OMS_HOME/bin/emctl start oms
  -- Recreate the certificate with higher key strength
  $OMS_HOME/bin/emctl secure createca -sysman_pwd your_sysman_password -key_strength 1024 -cert_validity 3650
  I included a couple of additional steps. We are also having to implement additional security to grid control. We are still working through issues with creating a new certificate with support. After that is resolved, then we need to re-secure our agents to run on the newly created certificate & require them to use the stronger protocol. I will post the steps that we use once everything is done.
  I also included a link to a couple of the docs that assisted us.
  HTH,
  Brian
  Oracle® Enterprise Manager Administration 11g Release 1 (11.1.0.1)
  2 Enterprise Manager Security
  http://download.oracle.com/docs/cd/E11857_01/em.111/e16790/security3.htm#BABJGJAA
  Oracle Enterprise Manager Grid Control 11gRelease 1 Security Deployment–BestPractices
  http://www.oracle.com/technetwork/oem/grid-control/twp-security-best-practices-133704.pdf

• Weak cipher suites supported on WCS port 8082

  Hi
  Port 8082 is used for health monitoring in WCS, a web service is running on this port so we can login via web and check the status.
  I would like to know, is there a way to limit the cipher suite supported on this port? For port 443, this can be done by modify the Apache configuration file, however this doesn't work for 8082. The version is 5.2.148.0.
  Thanks and Regars,
  Leo

  Hi ,
  "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709. 
  CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
  Presently, there is no workaround for this vulnerability, however, the fix will be implemented in
  Prime Infrastructure 2.2.which is planned to be released around the end of this year ( tentative)
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ***

• How to specify a cipher suit used between plugin and weblogic server?

  I install Weblogic8.1 SP3 which supports for strong cipher suits, and config an apache 2.50 server as an front end.
  I config appache to use 2 way SSL with browser and wls one way SSL with apache plugin. Then config apache to forward client certs to WLS. now the problem is, I can see that the SSL connection between browser and apache uses a strong cipher suit('SSL_RSA_WITH_RC4_128_MD5'), but the ssl connection bwtween apache plugin and WLS uses a weak cipher suit('SSL_RSA_EXPORT_WITH_RC4_40_MD5'), with the SnoopServlet, although I use the mod_wl128_20.so module. How can I increase the cipher strength of SSL between WLS and it's apache plugin?
  Thanks in advance.
  Best
  Regards
  Jean

  Hello Gunaseelan,
  This is not possible because WLS 6.1 needs a config.xml file, exactly this
  name, to start.
  What you can do is to define a recovery domain, called myrecovery_domain for
  instance, and put the config_recovery.xml, renamed "config.xml".
  Hope this helps,
  Ludovic.
  Developer Relations Engineer
  BEA Support.
  "Gunaseelan Venkateswaran" <[email protected]> a écrit dans le message
  news: 3cd6a324$[email protected]..
  >
  Hi,
  I have 2 weblogic startup scripts (startWebLogic.sh and
  startWebLogic_recovery.sh) for the same domain.
  startWebLogic.sh uses config.xml file.
  I would like to use config_recovery.xml as the configuration file forstartWebLogic_recovery.sh
  >
  >
  How would I do this ?
  I am using WebLogic Server 6.1 on SunOS 5.8 / HP-UX 11.0.
  Appreciate any help.
  Regards
  Gunaseelan Venkateswaran

• Failing PCI Compliance Scan - SSL Weak...

  Hello,
  I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
  I did some research and spent some time with Cisco Sales Chat and they recommended a ASA5500 only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it but I found a thread on this forum saying that a client who had the SA520w did not pass the scan failed due to SSL vulerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
  Question: What router/appliance should I use to be PCI compliant? Three has to be something, we're talking, this is Cisco.
  Thank you in advance for your help,
  Christophe
  Threat ID: 126928
  Details:
  IP Address: XX.XXX.X.XXX
  Host: XX.XXX.X.XXX
  Path:
  THREAT REFERENCE
  Summary:
  SSL Weak Cipher Suites Supported
  Risk: High (3)
  Type: Nessus
  Port: 60443
  Protocol: TCP
  Threat ID: 126928
  Information From Target:
  Here is the list of weak SSL ciphers supported by the remote server :
  Low Strength Ciphers (< 56-bit key)
  SSLv2
  EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
  EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
  The fields above are :
  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
  Solution:
  Reconfigure the affected application if possible to avoid use of weak
  ciphers.Details:
  The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
  Threat ID: 142873
  Details:
  IP Address: XX.XXX.X.XXX
  Host: XX.XXX.X.XXX
  Path:
  THREAT REFERENCE
  Summary:
  SSL Medium Strength Cipher Suites Supported
  Risk: High (3)
  Type: Nessus
  Port: 60443
  Protocol: TCP
  Threat ID: 142873
  Information From Target:
  Here are the medium strength SSL ciphers supported by the remote server :
  Medium Strength Ciphers (>= 56-bit and < 112-bit key)
  SSLv2
  DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
  SSLv3
  DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
  TLSv1
  DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
  The fields above are :
  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
  Solution:
  Reconfigure the affected application if possible to avoid use of
  medium strength ciphers.Details:
  The remote host  supports the use of SSL ciphers that offer medium strength encryption,  which we currently regard as those with key  lengths at least 56 bits  and less than 112 bits.

  Chris,
  As i understand right now none of the Small Business router are PCI compliance ever since PCI 3.0 was released. How you overcome this; you'll need to forward any ports you are failing on to a ghost IP.. Ghost ip (any ip address that isn 't being used) If you are using those ports , then you will lose that service as the router isn't PCI 3.0 compliant.
  Jason
  I do believe the ASA5505 are PCI 3.0 Compliant.

• POODLE vulnerability

  Hi,
  I'm getting this threatening message from our admin (see below). I know this is being investigated (http://www.blackberry.com/btsc/KB36397), but they will throw my phone off the network in two days. Are there know workarounds? Why is the port 443 open anyway?
  anze
  System Name/IP : XX
  MAC Address : a4e4b80ef72b
  Owner/Admin : XX
  Last Scanned : 2014-11-04 09:58:07
  You are being contacted because you are listed as the admin/owner
  of the above system.
  ** At least one high or medium risk vulnerability remains on this system,
  and must accounted for before 2014-11-12! **
  Remediation will generally involve a combination of two approaches:
  1) Addressing the problem directly (e.g. apply vendor patches,
  disabling unnecessary services, etc.). Or,
  2) If a vulnerability cannot be remediated for any reason, an
  exception will have to be made. When you mark an exception
  you will have to provide a justification as well as a category
  (false positive, operational need, not correctable, etc.)
  ** Note that all exceptions/justifications will be audited! **
  Note that you will need to re-scan the system after you take any
  of the above remediation actions, to confirm the results.
  If nothing is done, this system will be queued to be blocked at
  9 am on 2014-11-12. Once queued, the only way to release the
  system will be to call the ITD Help Desk at x5522.
  This is the 2nd notice (the original notice was sent on 2014-11-05).
  [1] Service: www (443/tcp), Risk: MEDIUM, ID: 78479
  Synopsis :
  It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
  Description :
  The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
  As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service.
  The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients
  however, it can only protect connections when the client and service support the mechanism. Sites that cannot disable SSLv3 immediately should enable this mechanism.
  This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is the only way to completely mitigate the vulnerability.
  See also :
  https://www.imperialviolet.org/2014/10/14/poodle.html
  https://www.openssl.org/~bodo/ssl-poodle.pdf
  https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
  Solution :
  Disable SSLv3.
  Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.
  Risk factor :
  Medium / CVSS Base Score : 4.3
  (CVSS2#AV:N/AC:M/Au:N/C/I:N/A:N)
  Plugin output :
  Nessus determined that the remote server supports SSLv3 with at least one CBC
  cipher suite, indicating that this server is vulnerable.
  It appears that TLSv1 or newer is supported on the server. However, the
  Fallback SCSV mechanism is not supported, allowing connections to be "rolled
  back" to SSLv3.
  CVE : CVE-2014-3566
  BID : 70574
  Other references : OSVDB:113251,CERT:577193,IAVA:2014-A-0166

  Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.
  TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. BlackBerry products use TLS 1.0 or better by default when connecting to websites. 
  Each encrypted connection uses a different key and recovering the plain text of one session does not compromise other sessions.
  This issue is mitigated for all customers by the requirement that an attacker would need to force the server and client to downgrade to the legacy SSLv3 protocol. This would require that the attacker successfully simulate a network or request failure. The attacker would also need to force the encrypted data to contain known plain text unless the attacker can reliably guess a part or all of the plain text. Any attempt to guess plain text data would rely on the data being in the exact same position within the network packets each time and in practice it is unlikely that this will be possible.
  This issue is mitigated for BlackBerry smartphone customers by the requirement that an attacker must first gain at least partial control of the network and of the server. The browser would then need to communicate with the attacker-controlled server over an attacker-controlled network on a repeated basis. If the connection is not compromised or the server is not under the control of the attacker, or if the attacker is unable to cause known data to be sent repeatedly between the server and the client, the SSLv3 weakness cannot be used to recover unencrypted data. The attacker has no way of forcing such a connection to occur.
  Click here to Backup the data on your BlackBerry Device! It's important, and FREE!
  Click "Accept as Solution" if your problem is solved. To give thanks, click thumbs up
  Click to search the Knowledge Base at BTSC and click to Read The Fabulous Manuals
  BESAdmin's, please make a signature with your BES environment info.
  SIM Free BlackBerry Unlocking FAQ
  Follow me on Twitter @knottyrope
  Want to thank me? Buy my KnottyRope App here
  BES 12 and BES 5.0.4 with Exchange 2010 and SQL 2012 Hyper V

• Unable to access ASDM on 5505

  I'm new to the forum/discussions so forgive me if this is already posted. I read through several other posts and have followed the troubleshooting procedures in them, but I still can't access ASDM. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52 which shows compatible with ASA 8.2(1). I'm on an inside NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. FW is passing traffic and everything else works just fine. Please advise. Thank you.
  JEREMY-ASA# show ver
  Cisco Adaptive Security Appliance Software Version 8.2(1)
  Device Manager Version 7.1(1)52
  JEREMY-ASA# show run asdm
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  JEREMY-ASA# show run http
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  JEREMY-ASA# show run
  : Saved
  ASA Version 8.2(1)
  hostname JEREMY-ASA
  enable password OMIT encrypted
  passwd OMIT encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 134.121.11.153 255.255.248.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  banner exec
  OMIT BANNER STATEMENTS
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  same-security-traffic permit intra-interface
  access-list outside_access_in extended deny ip any any
  pager lines 24
  logging enable
  logging timestamp
  logging asdm-buffer-size 250
  logging trap informational
  logging asdm informational
  logging device-id ipaddress outside
  logging host outside OMIT
  mtu outside 1500
  mtu inside 1500
  ip verify reverse-path interface outside
  ip audit attack action drop
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 10 interface
  nat (inside) 10 192.168.1.0 255.255.255.0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 134.121.15.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  aaa authorization command LOCAL
  aaa authorization exec LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh 192.168.0.0 255.255.255.0 inside
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 10
  ssh version 2
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server OMIT
  ssl encryption des-sha1
  webvpn
  username OMIT password OMIT encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  crashinfo console disable
  Cryptochecksum:3c8669ae6960ca4cc206db58ffbf3c21
  : end

  It's most likely the string:
       ssl encryption des-sha1
  That weak cipher is not compatible with most modern browsers and current releases of Java which ASDM depend on. Try adding a strong cipher, e.g.:
       ssl encryption des-sha1 aes256-sha1
  Make sure you have 3DES-AES activation first ("show version" or "show activation-key" will confirm that feature license is active).

• 3DES CBC mode

  My task to create a class that take 2 parameters 1)String Key, 2)String text then encrypt the string using the giving key and retrun the base64 encoding. My class seem working but the remote server did not decrypted.
  one thing of the vendor specification is the IV should match \0\0\0\0\ (8 bytes of null) I think I did not know what to do there :)
  here is the requirement:
  1- use padding of type "[PKCS5] PKCS #5, Password-Based Encryption Standard" (see http://www.di-mgt.com.au/cryptopad.html). Microsoft .NET automatically pads the string as needed by default.
  2- Encrypt the above resultant string using the Cipher Block Chaining (CBC) feedback mode of triple-DES encryption with an initial value for the feedback loop set to eight consecutive NUL (ASCII code 0) characters. The key to be used for this encryption is the key1. The cipher block chaining (CBC) feedback mode supports an additional, optional parameter named IV, which you'll need to implement as follows:
  *     The IV property contains the initial value which will be used to
  start a cipher feedback mode; it will always be a string of exactly one block in length. After encrypting or decrypting a string, this value is updated to reflect the modified feedback text. The parameter is read-only, and cannot be assigned a new value.
  *     If the mode property is set to MODE_CBC or MODE_CFB, the IV property
  must be provided and must be a string of the same length as the block size. Not providing a value for the IV property will result in a ValueError exception.
  *     The IV property must be an 8-byte string and its value must be:
  '\0\0\0\0\0\0\0\0' (a string of eight NUL characters)
  here is my code:
  import javax.crypto.*;
  import javax.crypto.spec.*;
  import java.security.*;
  import java.io.*;
  import javax.crypto.spec.IvParameterSpec;
  import java.security.spec.AlgorithmParameterSpec;
  public class TDESStringEncryptor
  // private static int BLOCK_SIZE = 8;
       public static void main(String[] args)
            try
                 TDESStringEncryptor enc = new TDESStringEncryptor();
                 String value = enc.Encrypt(args[0], args[1]);
                 System.err.println(value);
            catch (Exception ex)
                 System.err.println(ex);
       public String Encrypt(String inkey, String data)
            throws Exception
            //--------------------- start ----------------------------
            //byte[] iv = new byte[]{(byte)0x8E, 0x12, 0x39, (byte)0x9C,0x07, 0x72, 0x6F, 0x5A};
            byte [] iv = {0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40};
       AlgorithmParameterSpec paramSpec = new IvParameterSpec(iv);
            // convert key to byte array and get it into a key object
            byte[] rawkey = inkey.getBytes();
            DESedeKeySpec keyspec = new DESedeKeySpec(rawkey);
            SecretKeyFactory keyfactory = SecretKeyFactory.getInstance("DESede");
            SecretKey key = keyfactory.generateSecret(keyspec);
  Cipher c2 = Cipher.getInstance( "DESede/CBC/PKCS5Padding" );
  //----------------start ---------------
  c2.init(Cipher.ENCRYPT_MODE, key, paramSpec);
  //c2.init( Cipher.ENCRYPT_MODE, key );
  byte encodedParameters[] = c2.getParameters().getEncoded();
  byte[] out = c2.doFinal(data.getBytes() );
            Cipher cipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            //byte[] out = cipher.doFinal( padString(data).getBytes() );
            byte[] out = cipher.doFinal(data.getBytes() );
            //String tst = byteArrayToHexString( out );
       return new sun.misc.BASE64Encoder().encode(out);
       //return byteArrayToHexString( out );
       private String byteArrayToHexString(byte in[])
            byte ch = 0x00;
            int i = 0;
            if ( in == null || in.length <= 0 )
                 return null;
            String pseudo[] = {"0", "1", "2", "3", "4", "5", "6", "7", "8",
                 "9", "A", "B", "C", "D", "E", "F"};
            StringBuffer out = new StringBuffer( in.length * 2 );
            while ( i < in.length )
                 ch = (byte) ( in[i] & 0xF0 );
                 ch = (byte) ( ch >>> 4 );
                 ch = (byte) ( ch & 0x0F );
                 out.append( pseudo[ (int) ch] );
                 ch = (byte) ( in[i] & 0x0F );
                 out.append( pseudo[ (int) ch] );
                 i++;
            String rslt = new String( out );
            return rslt;
  }

  Thanks for your help, I am just lost. can you explian
  to me what I need to use? I try to change DESede to
  DES but I get an eror. with the current setting the
  encryption work with no error.
  I appreciated if you refer to me a good source in the
  Internet to what I am missing.
  here is a test I did:
  C:\>java TDESStringEncryptor
  A7B08F3958039D5F23D5F5243563541D4792E501272B3486
  "This is a Test"
  and the result was: w/Ubo4XBYUQjmzI+6QVA==
  the developer at the other end whom using .NET send
  his result which is: HMueLH8gSr9y9sUZXfRFlw==I think I give up! DES or DESede are symetric algorithms and only have a 'secret' key. They do not have a 'public' key and a 'private' key.
  You need to start reading - http://www.cacr.math.uwaterloo.ca/hac/

• Encryption/Decryption  failure for pdf and MSWord files

  Hi,
  Is there anybody to help me to find out what is wrong with my class (listing below)? I am sucessfuly using this class to encrypt and decrypt txt, html files but for unknown reasons I am unable to use it for e.g. pdf files. The encrypion somehow works but any atempt to decrypt is a failure.
  /* This class accepts an input file, encrypts/decrypts it using DES algorithm and
  writes the encrypted/decrypted output to an output file. DES is used in Cipher
  Block Chaining mode with PKCS5Padding padding scheme. Note that DES is a symmetric
  block cipher that uses 64-bit keys for encryption. A password of length no less
  than 8 is to be passed to the encryptFile/ decryptFile methods. This password is
  used to generate the encryption key. All exception handling is to be done by
  calling methods. These exceptions are thrown by encryptFile/ decryptFile methods.
  The input buffer is 64 bytes, 8 times the key size.
  import java.io.*;
  import javax.crypto.*;
  import javax.crypto.spec.*;
  import java.security.*;
  import java.security.spec.*;
  public class Crypto
  public Crypto(FileInputStream inStream_, FileOutputStream outStream_)
  fInputStream_ = inStream_;
  fOutputStream_ = outStream_;
  public void encryptFile(String password_) throws InvalidKeySpecException, InvalidKeyException,
  InvalidAlgorithmParameterException, IllegalStateException, IOException, Exception
  DataOutputStream dataOutStream_ = new DataOutputStream(fOutputStream_);
  // key generation
  SecretKey encryptKey_ = createEncryptionKey(password_);
  // Cipher initialization
  Cipher cipher_= Cipher.getInstance(cipherType);
  cipher_.init(Cipher.ENCRYPT_MODE, encryptKey_);
  // write initialization vector to output
  byte[] initializationVector_ = cipher_.getIV();
  dataOutStream_.writeInt(initializationVector_.length);
  dataOutStream_.write(initializationVector_);
  // start reading from input and writing encrypted data to output
  while (true) {
  inputLength_ = fInputStream_.read(input_);
  if (inputLength_ ==-1) break;
  byte[] output_ = cipher_.update(input_, inputOffset_, inputLength_);
  if (output_ != null)
  dataOutStream_.write(output_);
  // finalize encryption and wrap up
  byte[] output_ = cipher_.doFinal();
  if (output_ != null)
  dataOutStream_.write(output_);
  fInputStream_.close();
  dataOutStream_.flush();
  dataOutStream_.close();
  public void decryptFile(String password_) throws IllegalStateException, IOException, Exception
  DataInputStream dataInStream_ = new DataInputStream(fInputStream_);
  // key generation
  SecretKey encryptKey_ = createEncryptionKey(password_);
  // read initialization vector from input
  int ivSize_ = dataInStream_.readInt();
  byte[] initializationVector_ = new byte[ivSize_];
  dataInStream_.readFully(initializationVector_);
  IvParameterSpec ivParamSpec_= new IvParameterSpec(initializationVector_);
  // Cipher initialization
  Cipher cipher_= Cipher.getInstance("DES/CBC/PKCS5Padding");
  cipher_.init(Cipher.DECRYPT_MODE, encryptKey_, ivParamSpec_);
  // start reading from input and writing decrypted data to output
  while (true) {
  inputLength_ = fInputStream_.read(input_);
  if (inputLength_ ==-1) break;
  byte[] output_ = cipher_.update(input_, inputOffset_, inputLength_);
  if (output_ != null)
  fOutputStream_.write(output_);
  // finalize decryption and wrap up
  byte[] output_ = cipher_.doFinal();
  if (output_ != null)
  fOutputStream_.write(output_);
  fInputStream_.close();
  fOutputStream_.flush();
  fOutputStream_.close();
  // the following method creates the encryption key using the supplied password
  private SecretKey createEncryptionKey(String passwd_) throws InvalidKeySpecException,
  InvalidKeyException, NoSuchAlgorithmException
  byte[] encryptionKeyData_ = passwd_.getBytes();
  DESKeySpec encryptionKeySpec_ = new DESKeySpec(encryptionKeyData_);
  SecretKeyFactory keyFactory_ = SecretKeyFactory.getInstance(algorithm_);
  SecretKey encryptionKey_ = keyFactory_.generateSecret(encryptionKeySpec_);
  return encryptionKey_;
  private FileInputStream fInputStream_;
  private FileOutputStream fOutputStream_;
  private final String algorithm_= "DES";
  private final String cipherType= "DES/CBC/PKCS5Padding";
  private byte[] input_ = new byte[64]; // The input buffer size is 64
  private int inputLength_;
  private final int inputOffset_= 0;
  }

  Please can u give me refined code for me///
  at [email protected]
  Hi,
  I found at least one thing wrong. In the decrypt
  method you are reading from 'fInputStream_' rather
  than 'dataInStream'.
  Worked for me on MSWord after changing this!
  Roger
  // start reading from input and writing decrypted
  ted data to output
  while (true) {
  inputLength_ = fInputStream_.read(input_);
  if (inputLength_ ==-1) break;
  byte[] output_ = cipher_.update(input_,
  input_, inputOffset_, inputLength_);
  if (output_ != null)
  fOutputStream_.write(output_);

• How to find length of string after encryption using DBMS_CRYPTO package

  Hi,
  I am planning do data encryption using DBMS_CRYPTO package. I want to find how much will be string length after encryption.
  e.g When I try to encrypt string of length between 1-15 characters it gives me encrypted string of 32 characters. When I try with 16 charcters encrypted string is of 64 characters.
  Is ther any formula to calculate length of encrypted string?
  Thanks
  Pravin

  The length change is dependent upon the algorithm you are using which can be a combination of cipher block, padding, and chaining.
  The best solution is determine the method you are going to use and apply it to the l ongest possible strings you are going to proces, then add some safety margin. There iis no penalty for defining your column as VARCHAR2(4000).

• Vulnerabilities from WLC - AIR-CT5508-K9

  Hello, Guys
  The follow vulnerabilities were found in my WLC - AIR-CT5508-K9:
  Somebody knows these errors.
  Port: 22/tcp     Running vulnerable SSH service: OpenSSH 4.0.
  Port: 22/tcp     Running vulnerable SSH service. Vulnerable OS: Linux 2.6.15 - 2.6.27.
  Port: 443/tcp     SSLv2 is supported
  Port: 443/tcp     ip(xx.xx.xx.xx):443 negotiated the SSL_RSA_WITH_DES_CBC_SHA.
  Port: 443/tcp     Running vulnerable HTTPS service.
  Port: 443/tcp     TLS/SSL certificate is self-signed.
  Can you help me?
  Thanks,
  Rodrigo

  The first 2, there's nothing to do about it.
  For support of SSLv2 and weak cipher encryption, there are commands for that.
  config network secureweb cipher-option sslv2 {enable | disable}
  The last one just requires you to install a signed certificate on the WLC management.

• Why Lion won't connect to Non Apple Timemachine servers via AFP...

  so far. Take a look at this. It may go a long way to help folk understand why it's broken.
  I wholeheartedly atribute this to a chap on trick77.com but I can confirm that my set up...
  HP Proliant 4 x 1 TB drives runing Ubuntu 8.04.2 with 4 shares for my Mac stuff under 'afp' and 1 share under 'smb' ,so my wifes Windows work laptop can be backed up. Since update to Lion on main Mini no Time Machine.
  I tried adding the line......uams_dhx_2_passwd.so......in Webmin but it did't work. I am sure a fix will be out soon so for time being I just back up important stuff either to good old cheap DVD discs and a USB drive.
  ==
  AFP network connections to many Linux-based NAS units aren’t working in Mac OS X Lion 10.7 developer preview. After hitting the connect button a message pops up saying:
  The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem.
  The Time Machine backup feature present in many NAS obviously isn’t working as well because it’s based on AFP too.
  You may say that this is a developer preview, things will change for the final release. That’s obviously true. Source say that this connection problem most likely has to do with Apple discontinuing support for DHCAST128 (or DHX) authentication in Lion because it was considered insecure. Instead, the successor of DHCAST128 should be used: the more secure DHX2 user authentication module. DHX2 is supported since Mac OS X 10.2 and supports up to 256 characters for passwords (**** yeah, that should be enough). It relies on CAST-128 in cipher block chaining mode for encryption.
  I checked my QNAP NAS for available afpd/netatalk UAMs and DHX2 isn’t present, so it most likely wouldn’t work with Lion.
  Well, if it weren’t for Time Machine, I could always resort to SMB.
  [/usr/local/etc/netatalk/uams] # ls -ladrwxr-xr-x     
  1024 Jan 31 23:08 ./drwxr-xr-x     
  1024 Feb 25 20:14 ../lrwxrwxrwx       
  14 Feb 25  2011 uams_clrtxt.so -> uams_passwd.so*lrwxrwxrwx       
  18 Feb 25  2011 uams_dhx.so -> uams_dhx_passwd.so*-rwxr-xr-x    
  10959 Jan 31 23:08 uams_dhx_passwd.so*-rwxr-xr-x     
  5304 Jan 31 23:08 uams_guest.so*-rwxr-xr-x     
  6996 Jan 31 23:08 uams_passwd.so*
  AFP authentication might work if a uams_dhx_2_passwd.so authentication module was present and configured. It may not be a bad idea to raise this issue with your NAS vendor if you plan to use Lion in the near future.
  Rumor has it that some NAS vendors intentionally disable DHX2 in netatalk because it’s a lot more CPU intensive. This could lead to longer login times when accessing AFP shares on NAS’ units with slow CPUs.
  Update 2-26-2011: It has been verified that Lion is able to connect to a Linux host running netatalk 2.1.2 supporting the DHX2 UAM in afpd.
  Update 7-15-2011: See Time Machine support in OS X Lion 10.7.
  ==
  Now we also have to wait for 'Netatalk' stable release to be outed as that should resolve the Ubuntu via Webmin picture..(we hope).
  I tried different work arounds and have reset them all back to what they were and will just have to wait for Apple to address this. Hope this snippet
  gives a little clarity
  Cheers,
  Michael

  Hi Slammer,
  I don't have a Qnap. The info between both == signs is to give an understanding of what’s going on.
  Myself I have a HP Proliant 4 x 1 TB drives running Ubuntu 8.04.2 with 4shares for my Mac stuff under 'afp' and 1 share under 'smb', so my wife’s Windows work laptop can be backed up.
  Now I have got all my connectivity back by using the terminal commands whichis now well documented but here is a good place if doing it on Lion as shown byMember 'ctendell'...
  http://charlestendell.com/os-x-lion-afp-nas-connection-error-fix/
  I can now see my server and everything on it but still no Time Machine backups because you need Netatalk 2.2 to be loaded on the server in my case and millions of others into Ubuntu.
  (The version I am sporting at present is Netatalk 2.03).  This I can do by using Webmin and will do it after the update to Lion due shortly. I could do it now, but I won't.
  I should never have updated to Lion, and do what I have always done, and that was wait until at least 3-4 updates have taken place and review all the discussions on this forum to see if issues have been resolved.
  With regards to DH....Things may have been fixed in the next update which has been seeded and a selectable choice option to use the prior DH....over the new version may be on the cards. The Netatalk latest version is still in beta format though it can be used and has been implemented by NAS manufacturers, but as I understand its due to become  'stable' and no longer in 'beta mode'.
  I dare say that S.Jobs will not want to alienate a huge group so a fix will be the right thing to do but given the mountain of cash they have and most of the revenue coming from iPhones, iPads etc, they may decide not to and of course that means 3rd party fixes.
  Patience is a virtue but Apple sometimes sorely tests it.
  Cheers
  Message was edited by: Michael Wayne for spelling corrections

• Enabling SSH on SG300-20

  I had some issues with this, and was not able to find an answer in the help or searching the web. In order to help the next person, here are the instructions:
  I have a brand new SG 300-20 switch, and I am attempting to add ssh to the login capabilities.
  Using the web interface I have enabled SSH Service in the Security-TCP/UDP Services.
  I am not able to access ssh, port scans (nmap) also do not show port 22 open.
  The missing key is the generation of SSH crypto keys.
  1. Using the web interface enabled telnet in the Security-TCP/UDP Services section
  2. Log in via telnet
  3. Traverse tree to : System Configuration Menu - Management Settings - SSH Configuration - SSH Crypto Key Generation
  4. Choose the Execute action.
  That's it.
  ssh away !

  Hi
  I used your method to generate a RSA key.
  I gotta say when i had a look at the algorithm used, as per the screen capture below.
  I saw AES256 with Cipher block chaining.. sure looks pretty darn secure.
  US government standards body produced the following;
  http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
  According to section 2 of that document i am pretty happy  and not concerned, cipher block chaining of AES-256.
  This is very strong encryption..
  I have attached a SSH wireshark capture of my SSH exchange between my PC and my SG300-10P
  If you get can figure my userid, i will absolutely forward this posting to the Cisco Small Business Switch Product management team for immediate action .
  regards Dave

• Dbms_crypto encrypt date number datatype

  I am using oracle 11g. I am very new to dbms_crypto. I went through documentation but have following doubts:
  Is it mandatory to convert varchar2(32) to RAW to use dbms_crypto.encrypt?
  If I change varchar2(32) to RAW, Can I make it RAW(32) or does it needs to be bigger?
  Does the RAW size must be in multiple of 16?
  How can I encrypt data of datatype date and number using dbms_crypto?
  Thanks a lot for your time to clarify my quries?

  spur230 wrote:
  Is it mandatory to convert varchar2(32) to RAW to use dbms_crypto.encrypt?It's not mandatory, but it's certainly a good idea. If you store encrypted data in a VARCHAR2 column, that means that it is subject to character set conversion if it's moved from one database to another or sent from a database to a client machine. But if character set conversion happens, your encrypted data is corrupted.
  If I change varchar2(32) to RAW, Can I make it RAW(32) or does it needs to be bigger?
  Does the RAW size must be in multiple of 16?It would be helpful to specify exactly what algorithm and parameters you intend to use because it may vary. If, for example, we encrypt using AES-256 with Cipher Block Chaining and PKCS#5 compliant padding (which happens to be the example in the DBMS_CRYPTO manual), the output RAW will always be a multiple of 16 and as large or larger than the input RAW.
  A VARCHAR2(32) will either allocate 32 characters of storage or 32 bytes of storage depending on your NLS_LENGTH_SEMANTICS parameter. If you're using the default, it will allocate 32 bytes. But 32 bytes in the database character set may require more than 32 bytes of storage once you convert it to a UTF-8 encoded RAW (which, technically, also isn't required but is a good practice) and, thus, the encrypted string might require more than 32 bytes of storage. Your database character set and the actual data you store/ want to be able to store will influence how likely it is that you'll need a larger RAW than your VARCHAR2.
  How can I encrypt data of datatype date and number using dbms_crypto?dbms_crypto only operates on RAW data. Just like you convert strings to RAW before encrypting them, you'd need to convert your dates and numbers to RAW. For numbers, you should be able to use UTL_RAW.CAST_FROM_NUMBER. I don't know of a method of casting dates to a RAW other than converting them to a known string representation and then encrypting that (and, of course, doing the reverse when you decrypt the string and convert it back to a date using that same format).
  Justin