Aes Generate Key From Password
You may also find it useful to generate another key for HMAC, so you can verify that the encrypted files haven't been tampered with. If you want to do that, you can generate a 128-bit HMAC key, and encrypt and store that with the main AES key. A user-created key and an associated ENCKEYS file is required when using AES encryption; optional, but recommended, for Blowfish encryption. To use keyname, generate the key with KEYGEN or another utility, then store it in an ENCKEYS file on the source and target systems.
KeePass is a free open source password manager. Passwords can be stored in an encrypted database, which can be unlocked with one master key. Jun 05, 2019 Generate Kerberos AES 128/256 keys from a known username/hostname, password, and kerberos realm. The results have been verified against the.
C# Aes Generate Key
| functionGet-KerberosAESKey |
| { |
| <# |
| .SYNOPSIS |
| Generate Kerberos AES 128/256 keys from a known username/hostname, password, and kerberos realm. The |
| results have been verified against the test values in RFC3962, MS-KILE, and my own test lab. |
| https://tools.ietf.org/html/rfc3962 |
| https://msdn.microsoft.com/library/cc233855.aspx |
| Author: Kevin Robertson (@kevin_robertson) |
| License: BSD 3-Clause |
| .PARAMETERPassword |
| [String] Valid password. |
| .PARAMETERSalt |
| [String] Concatenated string containing the realm and username/hostname. |
| AD username format = uppercase realm + case sensitive username (e.g., TEST.LOCALusername, TEST.LOCALAdministrator) |
| AD hostname format = uppercase realm + the word host + lowercase hostname without the trailing '$' + . + lowercase |
| realm (e.g., TEST.LOCALhostwks1.test.local) |
| .PARAMETERIteration |
| [Integer] Default = 4096: Int value representing how many iterations of PBKDF2 will be performed. AD uses the |
| default of 4096. |
| .PARAMETEROutputType |
| [String] Default = AES: (AES,AES128,AES256,AES128ByteArray,AES256ByteArray) AES, AES128, and AES256 will output strings. |
| AES128Byte and AES256Byte will output byte arrays. |
| .EXAMPLE |
| Verify results against first RFC3962 sample test vectors in section B. |
| Get-KerberosAESKey -Password password -Salt ATHENA.MIT.EDUraeburn -Iteration 1 |
| .EXAMPLE |
| Generate keys for a valid AD user. |
| Get-KerberosAESKey -Salt TEST.LOCALuser |
| .LINK |
| https://gist.github.com/kevin-robertson/ |
| #> |
| [CmdletBinding()] |
| param |
| ( |
| [parameter(Mandatory=$false)][String]$Password, |
| [parameter(Mandatory=$true)][String]$Salt, |
| [parameter(Mandatory=$false)][ValidateSet('AES','AES128','AES256','AES128ByteArray','AES256ByteArray')][String]$OutputType='AES', |
| [parameter(Mandatory=$false)][Int]$Iteration=4096 |
| ) |
| if(!$Password) |
| { |
| $secure_password=Read-Host-Prompt 'Enter password'-AsSecureString |
| $password_memory= [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure_password) |
| $password= [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($password_memory) |
| } |
| [Byte[]]$password_bytes= [System.Text.Encoding]::UTF8.GetBytes($Password) |
| [Byte[]]$salt_bytes= [System.Text.Encoding]::UTF8.GetBytes($Salt) |
| $AES256_constant=0x6B,0x65,0x72,0x62,0x65,0x72,0x6F,0x73,0x7B,0x9B,0x5B,0x2B,0x93,0x13,0x2B,0x93,0x5C,0x9B,0xDC,0xDA,0xD9,0x5C,0x98,0x99,0xC4,0xCA,0xE4,0xDE,0xE6,0xD6,0xCA,0xE4 |
| $AES128_constant=0x6B,0x65,0x72,0x62,0x65,0x72,0x6F,0x73,0x7B,0x9B,0x5B,0x2B,0x93,0x13,0x2B,0x93 |
| $IV=0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 |
| $PBKDF2=New-Object Security.Cryptography.Rfc2898DeriveBytes($password_bytes,$salt_bytes,$iteration) |
| $PBKDF2_AES256_key=$PBKDF2.GetBytes(32) |
| $PBKDF2_AES128_key=$PBKDF2_AES256_key[0.15] |
| $PBKDF2_AES256_key_string= ([System.BitConverter]::ToString($PBKDF2_AES256_key)) -replace'-','' |
| $PBKDF2_AES128_key_string= ([System.BitConverter]::ToString($PBKDF2_AES128_key)) -replace'-','' |
| Write-Verbose'PBKDF2 AES128 Key: $PBKDF2_AES128_key_string' |
| Write-Verbose'PBKDF2 AES256 Key: $PBKDF2_AES256_key_string' |
| $AES=New-Object'System.Security.Cryptography.AesManaged' |
| $AES.Mode= [System.Security.Cryptography.CipherMode]::CBC |
| $AES.Padding= [System.Security.Cryptography.PaddingMode]::None |
| $AES.IV=$IV |
| # AES 256 |
| $AES.KeySize=256 |
| $AES.Key=$PBKDF2_AES256_key |
| $AES_encryptor=$AES.CreateEncryptor() |
| $AES256_key_part_1=$AES_encryptor.TransformFinalBlock($AES256_constant,0,$AES256_constant.Length) |
| $AES256_key_part_2=$AES_encryptor.TransformFinalBlock($AES256_key_part_1,0,$AES256_key_part_1.Length) |
| $AES256_key=$AES256_key_part_1[0.15] +$AES256_key_part_2[0.15] |
| $AES256_key_string= ([System.BitConverter]::ToString($AES256_key)) -replace'-','' |
| # AES 128 |
| $AES.KeySize=128 |
| $AES.Key=$PBKDF2_AES128_key |
| $AES_encryptor=$AES.CreateEncryptor() |
| $AES128_key=$AES_encryptor.TransformFinalBlock($AES128_constant,0,$AES128_constant.Length) |
| $AES128_key_string= ([System.BitConverter]::ToString($AES128_key)) -replace'-','' |
| switch($OutputType) |
| { |
| 'AES' |
| { |
| Write-Output'AES128 Key: $AES128_key_string' |
| Write-Output'AES256 Key: $AES256_key_string' |
| } |
| 'AES128' |
| { |
| Write-Output'$AES128_key_string' |
| } |
| 'AES256' |
| { |
| Write-Output'$AES256_key_string' |
| } |
| 'AES128ByteArray' |
| { |
| Write-Output$AES128_key |
| } |
| 'AES256ByteArray' |
| { |
| Write-Output$AES256_key |
| } |
| } |
| } |
Use ENCRYPT PASSWORD to encrypt a password that is used in an Oracle GoldenGate parameter file or command.
Syntax
passwordThe login password. Do not enclose the password within quotes. If the password is case-sensitive, type it that way. Public private key encryption.
AES128 AES192 AES256 BLOWFISHSpecifies the encryption algorithm to use.
AES128uses the AES-128 cipher, which has a key size of 128 bits.AES192uses the AES-192 cipher, which has a key size of 192 bits.AES256uses the AES-256 cipher, which has a key size of 256 bits.BLOWFISHuses Blowfish encryption with a 64-bit block size and a variable-length key size from 32 bits to 128 bits. UseBLOWFISHonly for backward compatibility with earlier Oracle GoldenGate versions.
If no algorithm is specified, AES128 is the default for all database types except DB2 on z/OS and NonStop SQL/MX, where BLOWFISH is the default. AES is not supported for those platforms.
All of the AES ciphers have a 128-bit block size.
To use AES encryption for any database other than Oracle, the path of the lib sub-directory of the Oracle GoldenGate installation directory must be specified as an environment variable before starting any processes:
UNIX: Specify the path as an entry to the
LD_LIBRARY_PATHorSHLIB_PATHvariable. For example:Windows: Add the path to the
PATHvariable.
You can use the SETENV parameter to set it as a session variable for the process.
ENCRYPTKEY {key_name DEFAULT}Specifies the encryption key.
key_nameSpecifies the logical name of a user-created encryption key in a local ENCKEYS lookup file. The key name is used to look up the actual key in the ENCKEYS file. A user-created key and an associated ENCKEYS file is required when using AES encryption; optional, but recommended, for Blowfish encryption. To use key_name, generate the key with KEYGEN or another utility, then store it in an ENCKEYS file on the source and target systems. For more information, see the security guidelines in the Administering Oracle GoldenGate for Windows and UNIX.
DEFAULTAes Generate Key From Password Code
Directs Oracle GoldenGate to generate a random key that is stored in the trail so that decryption can be performed by the downstream process. This type of key is insecure and should not be used in a production environment. Use this option only when BLOWFISH is specified. ENCRYPT PASSWORD returns an error if DEFAULT is used with any AES algorithm.