
Get Encrypted Password for Use in API

Adding this documentation on how to generate encrypted passwords for use with the Sophos XG API.  The published Sophos documentation is incorrect and lacks some verbosity.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/index.html#xml-tags-and-attributes 

The Sophos process indicates that you should run the aes-128-cbc-tool via the Advanced Shell within the console.  (Login to console -> Device Management [5] -> Advanced Shell [3])

The console was extremely slow (typing is delayed) and you can’t copy and paste into it. Even when I entered the command correctly I got a “>” as though it was waiting for more input.
The documentation above, though, does include some examples with an encrypted password hash.

The hash is in hex format, and uses AES 128 bit CBC as the tool above indicates.  

The most difficult part was discovering that the published key “Th1s1Ss1mPlygR8API” from the bottom of the documentation above is incorrect. The correct key is “Th1s1Ss1mPlygR8A” because it is 16 characters which is required for the block size.

Using this decryptor, Online Tool for AES Encryption and Decryption (sadly the encryptor doesn’t work for this site), I was able to take the hex value from the documentation (8b1e6eb1b182b1806390ffefc99753fc) and decrypt it.

It immediately throws an error that the key is too long. Reduce it by two characters to “Th1s1Ss1mPlygR8A”, though, and it works.

The AES output is base64 encoded -- decrypt that and you get the text "admin".  This isn't published in the documentation but it makes sense as a demo password.  

Now, since I mentioned before that the Encrypt portion of the tool above didn’t work, I had to find a new encryptor. This was somewhat difficult because many require an initialization vector for the encryption, which Sophos doesn’t utilize.

I found this one https://encode-decode.com/aes128-encrypt-online/ which let me encrypt it to AES 128 using the shortened key. It outputs base64 encoding, though, and the Sophos API uses hex.

Convert the output base64 string to hex, though, and you're good to go. I have tested this on SFOS 18.5.3 firmware and it works. I wasn't able to post screenshots but can provide them for anyone else working through this issue.

As a final note - I have not tried using the Sophos aes-128-cbc-tool with the shortened API key yet. I would be interested to know if that tool does in fact work, so if anyone tries it before me, let me know!
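The recipe in the post above (base64 the password, AES-128-CBC it under the 16-character key, emit hex) written out as a small offline program so it can be reproduced without an online tool. This is an added example, not code from the post, from Sophos, or from the aes-128-cbc-tool. Two details the post leaves open are assumptions here: "no IV" is modelled as an all-zero IV, and padding is assumed to be PKCS#7 (the OpenSSL default). The key is the 16-byte "Th1s1Ss1mPlygR8A" from the post; the documented value 8b1e6eb1b182b1806390ffefc99753fc is tried in main and any mismatch is reported rather than assumed away.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key from the thread: the 16-byte variant of the published key.
// The 18-character version in the docs is too long for AES-128.
const sophosAPIKey = "Th1s1Ss1mPlygR8A"

// Assumption: "no IV" is modelled as an all-zero IV. For a single
// 16-byte block this is byte-for-byte identical to ECB, which is why
// online tools without an IV field can still decrypt the documented value.
var zeroIV = make([]byte, aes.BlockSize)

// pkcs7Pad appends PKCS#7 padding (assumed; matches the OpenSSL default).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptAPIPassword follows the thread's recipe: base64-encode the
// password, AES-128-CBC it under the 16-byte key, return lowercase hex.
func EncryptAPIPassword(password string) (string, error) {
	block, err := aes.NewCipher([]byte(sophosAPIKey))
	if err != nil {
		return "", err
	}
	plain := pkcs7Pad([]byte(base64.StdEncoding.EncodeToString([]byte(password))))
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(out, plain)
	return hex.EncodeToString(out), nil
}

// DecryptAPIPassword reverses the recipe: hex -> AES-CBC decrypt ->
// strip padding -> base64-decode. Malformed input yields an error.
func DecryptAPIPassword(hexCiphertext string) (string, error) {
	ct, err := hex.DecodeString(hexCiphertext)
	if err != nil {
		return "", fmt.Errorf("bad hex: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of 16 bytes")
	}
	block, err := aes.NewCipher([]byte(sophosAPIKey))
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(plain, ct)
	unpadded, err := pkcs7Unpad(plain)
	if err != nil {
		return "", err
	}
	pw, err := base64.StdEncoding.DecodeString(string(unpadded))
	if err != nil {
		return "", fmt.Errorf("decrypted text is not base64: %w", err)
	}
	return string(pw), nil
}

func main() {
	// Value quoted from the Sophos documentation in the post above.
	const docValue = "8b1e6eb1b182b1806390ffefc99753fc"
	if pw, err := DecryptAPIPassword(docValue); err != nil {
		fmt.Println("could not decrypt documented value (check IV/padding assumptions):", err)
	} else {
		fmt.Println("documented value decrypts to:", pw)
	}
	ct, _ := EncryptAPIPassword("admin")
	fmt.Println("\"admin\" encrypts to:", ct)
}
```

Run it with `go run main.go`. Because the key is published and there is no per-message IV, the output is fully deterministic: the same password always produces the same hex, so this scheme is obfuscation rather than confidentiality. Treat the hex value in API scripts, logs and backups with the same care as the plaintext password.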



  • Hi John,

    Thank you for sharing this content with our Community. I have reached out internally for this information to be vetted and updated in our documents. 

    We appreciate your contribution.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Glad to contribute back to the community. I have since tried using the aes-128-cbc-tool from the Advanced Shell using the shortened key, but unfortunately it did not work. It did not show the > symbol as it does when using the provided key in the documentation though, so perhaps I didn't wait long enough for a response. My experience with the console has been that it runs extremely slow -- would be interested to hear if anyone else can make it work with the shorter key.
