Decrypt AES SecurityInfo Strings

The following procedure describes the algorithm to use to decrypt a security info string that is encrypted with an AES key file, with optional HMAC validation.

NOTE:

To decrypt a security info string, you need the AES key file that was used to generate it. HPE strongly recommends that you secure your AES key file so that only IDOL Server and authorized administrators can access it.

To decrypt an AES SecurityInfo String

  1. Base64 decode the SecurityInfo String.

  2. Split the decoded string on the left-most pipe character (|).

    The left side is the data length. The right side is the data (with the digest, if you use HMAC validation).

  3. Check that the data length is equal to the length of the data with digest. If this check is not successful, fail the decryption.

  4. (Optional) Use the following steps for HMAC validation:

    1. Split the data with digest on the left-most pipe character (|).

      The left side is the digest hex string. The right side is the data.

    2. Generate the HMAC key by taking a SHA-1 hash of your AES hexadecimal key string.

      NOTE:

      This operation makes the key string case-sensitive.

    3. Calculate the HMAC_SHA512 value of the data.

    4. Compare the digest hex string to the HMAC_SHA512 value to verify the digest. If this check is not successful, fail the decryption.
  5. Select the first 16 bytes of the data. This is the AES initialization vector.

  6. Use AES-CBC to decrypt the remaining data, by using the IV and the 256-bit key from your AES hexadecimal key string.

    The decrypted data has the prefix AUTN:. If this string is not present, fail the decryption.

  7. Use zlib to decompress the data after the AUTN: prefix.

_HP_HTML5_bannerTitle.htm