Masking iBSP Passwords Using AES

How to:

This section describes how to mask passwords using an AES process.
Top of page
x
Procedure: How to Mask iBSP Passwords Using AES

To mask iBSP passwords using AES:

  1. Create a password-type system special register (SREG) named ibsp.aeskey using iWay Service Manager (iSM) and set it to a value (for example, iway software).
  2. Using the iSM command line testfuncs tool, encrypt a password using the _aes() function.

    For example:

    _aes(enc, sreg(ibse.aeskey), thepassword)

    Cipher text is generated to represent the password, as shown in the following example:

    2rLB2FnIBJsea90DdKzHrueET3pGVY+CDA7b3gE3l58=
  3. Create a SOAP request for iBSP including ibsinfo in the header.

    For example:

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<m:ibsinfo xmlns:m="urn:schemas-iwaysoftware-com:iwse">
<m:service>IVP</m:service>
<m:method>IVP</m:method>
<m:license>IVP</m:license>
<m:Username>steve</m:Username>
<m:Password>AES(2rLB2FnIBJsea90DdKzHrueET3pGVY+CDA7b3gE3l58=)</m:Password>
</m:ibsinfo>
</SOAP-ENV:Header>
...

    The AES(...) surrounding the encrypted password in this example is not an iFL function. It is only markup informing you that the value in the parentheses is encrypted using AES.

    iBSP decrypts the password (using the value of the ibse.aeskey register as a key) and uses the result as it would any clear text password.

    Note: This technique is useful for masking passwords, but does not provide security against network attacks, such as replay attacks.

iWay Software