(sorry, replied to Stephen but forgot to Reply All to include the list)
Stephen, Thanks again for the great advice; I'm going that route. I was able to get an updated version of the DRSD working with newer backups by using a Java app. Using IKVM has proved a little trickier since the new algorithm requires a security provider in cryptojFIPS.jar. Unfortunately there are security checks in that JAR's classes which check for the container name at runtime. If they're repacked into another JAR, they fail to execute. I may go back and play with that later, but for now the Java app on the local host will suffice. Thanks, Pete ________________________________ From: Stephen Welsh <stephen.we...@unifiedfx.com> Sent: Tuesday, September 26, 2017 9:51 AM To: Pete Brown Cc: cisco-voip@puck.nether.net Subject: Re: [cisco-voip] DRS Backup Decrypter Workaround - Need Input Hi Pete, Would it not be better to create a small Java application that takes the encrypted content and returns the decrypted content (possibly passing in a file and creating a new file with the decrypted content?). You can also compile Java to a .Net DLL using (https://www.ikvm.net), so you can call it directly without passing files backward/forward. IKVM.NET Home Page<https://www.ikvm.net/> www.ikvm.net IKVM.NET is an implementation of Java for Mono and the Microsoft .NET Framework. It includes the following components: A Java Virtual Machine implemented in .NET Kind Regards Stephen Welsh CTO [cid:CBBF0493-235C-43D2-A874-9FB3D95AF598@b2.unifiedfx.com] On 26 Sep 2017, at 15:38, Pete Brown <j...@chykn.com<mailto:j...@chykn.com>> wrote: I could use some public input regarding the next release of the DRS Backup Decrypter. In a nutshell, the application will have to be online in order to decrypt backup sets from newer UCOS versions. Last year Cisco started patching DRS with a new algorithm (PBEWithHmacSHA1AndDESede) to encrypt the random backup passwords. I haven't been able to find a .NET implementation of this algorithm. The only workaround I've come up with is to have the DRS Backup Decrypter make a call to a Java webservice that can perform the decryption. The problems with this approach are pretty obvious. Aside from having to be online, the encrypted cluster security password and 'EncryptKey' from a backup set will need to be submitted to a web service that I've written for decryption. I can publish a public copy of this webservice, but for those behind corporate proxies (myself included), the code could be made available to run the service within their own networks. In that case the DRS Backup Decrypter would be pointed to the internal copy of the webservice. I personally detest utilities that can't operate offline, but it's the only workaround I can come up with at this point. So my question is this - would anyone actually use it given the webservice dependency? _______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net> https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip