Encryption Settings do not Properly Export or Import


Date: April 30, 2014
Revision: 2.0

Problem:

In versions 4.83.6 through 4.83.7 of [Enterprise] Random Password Manager, a problem exists with the export and subsequent import of the encryption key. The result is that when the key is imported, whether by hand or via any subsequently deployed management console, the encryption key value is not properly configured.

This will be an issue to contend with when deploying multiple management consoles, in a DR scenario, or during a console host migration.

Cause:

In version 4.83.6, salting was added to further protect the encryption key stored in the registry of the console host. E/RPM uses the Microsoft registry utilities to export and import these keys. The Microsoft registry utility does not properly export these salted values, as can be seen when using the local regedit utility by hand: it inserts line breaks and line delimiters where none previously existed. An export example is shown below:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Lieberman\PWC\ProgramOptions\EncryptionSettings]
"m_bEncryptPasswords"=dword:00000001
"m_bUsePKCS11"=dword:00000000
"m_sPKCS11DllPath"=""
"m_bInitializePKCS11MultiThreaded"=dword:00000000
"m_dwPKCS11SlotID"=dword:00000000
"m_oEncrypted_m_sPKCS11TokenPIN_cv2"="qRGY3Kr+D/vF+PvG76V+1A==
"
"m_sPKCS11KeyType"=dword:0000001f
"m_sPKCS11PrivateKey"=dword:00000000
"m_sPKCS11KeyLabel"=""
"m_dwPKCS11KeyObjectHandle"=dword:00000000
"m_sPKCS11EncryptionMechanism"=dword:00001085
"m_dwPKCS11KeyLengthBits"=dword:00000000
"m_sPKCS11KeyCheckValueHexEncoded"=""
"m_bUseFIPSProvider"=dword:00000000
"m_bRequireFIPSProvider"=dword:00000000
"m_iKeyLength"=dword:00000100
"m_iEncryptionType"=dword:00000002
"m_sKeyTest_cv2"="Xn3hc1s8xGEPyueRfoQFgwq3UyVrt/s6cMqudCG3+Wq/3qi6XXNhDbvbj19yk+uDjA2Xh7sC
WalhCPbsCW+j+Rm3K3W9Tf/h7278YoM78iI=
"
"m_sCryptKey_cv2"="nzFv4BBnIpE3jaKduIWzPDdfi3nFIbCeuZYQFwANj7NYbCjCd+J5/PoIo7CR6scceWoL32FX
zE3yRpRcMQkf6ml2uOkx0Q5Z/EvuwbObCJ6+wv6H4kYB/JxyAJoas1NzfXCZD4TFNqBTQvfr
70cSuis+OoR/ahZqD00/PeWehOg4S2w9cyRSWQyGkOFPcctdaeWg2Vd3wBMEgL6zzmtW8okw
26padSYSng/YCXMCpWnmwJoLWVqB3RFyr6edFPSmvK8GR3shHQbN3Oj3MCoNe9EWQow2d3mw
td2LCIpihlVTxGywj6KaCIUTwF214eYhowhhhJMnTQNIsYfRaF+iNai4lycIALgZPjUh36l4
ArU=
"

Resolution:

The resolution is simple: the continuation lines and the closing double quote need to be re-joined with the line they belong to, as shown in the example below. The values to modify are:

  • "m_sCryptKey_cv2"
  • "m_sKeyTest_cv2"
  • "m_oEncrypted_m_sPKCS11TokenPIN_cv2"

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Lieberman\PWC\ProgramOptions\EncryptionSettings]
"m_bEncryptPasswords"=dword:00000001
"m_bUsePKCS11"=dword:00000000
"m_sPKCS11DllPath"=""
"m_bInitializePKCS11MultiThreaded"=dword:00000000
"m_dwPKCS11SlotID"=dword:00000000
"m_oEncrypted_m_sPKCS11TokenPIN_cv2"="qRGY3Kr+D/vF+PvG76V+1A=="
"m_sPKCS11KeyType"=dword:0000001f
"m_sPKCS11PrivateKey"=dword:00000000
"m_sPKCS11KeyLabel"=""
"m_dwPKCS11KeyObjectHandle"=dword:00000000
"m_sPKCS11EncryptionMechanism"=dword:00001085
"m_dwPKCS11KeyLengthBits"=dword:00000000
"m_sPKCS11KeyCheckValueHexEncoded"=""
"m_bUseFIPSProvider"=dword:00000000
"m_bRequireFIPSProvider"=dword:00000000
"m_iKeyLength"=dword:00000100
"m_iEncryptionType"=dword:00000002
"m_sKeyTest_cv2"="Xn3hc1s8xGEPyueRfoQFgwq3UyVrt/s6cMqudCG3+Wq/3qi6XXNhDbvbj19yk+uDjA2Xh7sCWalhCPbsCW+j+Rm3K3W9Tf/h7278YoM78iI="
"m_sCryptKey_cv2"="nzFv4BBnIpE3jaKduIWzPDdfi3nFIbCeuZYQFwANj7NYbCjCd+J5/PoIo7CR6scceWoL32FXzE3yRpRcMQkf6ml2uOkx0Q5Z/EvuwbObCJ6+wv6H4kYB/JxyAJoas1NzfXCZD4TFNqBTQvfr70cSuis+OoR/ahZqD00/PeWehOg4S2w9cyRSWQyGkOFPcctdaeWg2Vd3wBMEgL6zzmtW8okw26padSYSng/YCXMCpWnmwJoLWVqB3RFyr6edFPSmvK8GR3shHQbN3Oj3MCoNe9EWQow2d3mwtd2LCIpihlVTxGywj6KaCIUTwF214eYhowhhhJMnTQNIsYfRaF+iNai4lycIALgZPjUh36l4ArU="

With the releases following version 4.83.7, this errant behavior will be handled in the E/RPM code itself.

Applies To:

  • Enterprise Random Password Manager (ERPM)
  • Random Password Manager (ERPM)