GMU Encryption Passphrase

Document ID : KB000016668
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

Can one GMU decode a password from another GMU tool set?   We need to understand how this works. The product func spec page does not outline how this encryption passphrase is calculated.

Environment:
GMU 1.4Gateway version 9.2
Answer:
Basic Auth (with encoded password)

The GMU can encode your password so that it is not stored in a plain text format. NOTE this is NOT encryption and the password can be decoded by a malicious user.

This is done using the encodePassword command.

We make no promise to be cryptographically secure, and the func spec states that it would be a bad idea to share your encrypted password publicly - while we use AES256, which is an encryption algorithm, we are careful to call this 'passsword encoding', rather than 'encryption', because encryption relies on a secret key, which is a string that you do NOT share, and which you use to encrypt and decrypt your data.
 
The reason why we don't need a secret here is that we generate the key from the salt. The salt is generated at random each time you encrypt a password, and is prepended to the encoded password.
When you want to decode a password generated in this fashion, all GMU does is take the salt, generate the key from it, and use that to decrypt the password. That's it.
 
The intent of this is to prevent screen display of plaintext password - again, not to provide cryptographically strong protection. That would take a secret key, or a public-private key pair, which would be too much hassle for this.