Password encryption

For password encryption we use AES-GCM algorithm without Padding AES/GCM/NoPadding.

GCM is a block cipher mode of operation providing both confidentiality and data origin authentication. By default GCM authenticated encryption operation has four inputs:

  • secret key
  • initialization vector (IV)
  • plaintext
  • additional authenticated data (AAD) (optional not needed in our case).

Secret key - piece of information or parameter that is used to encrypt and decrypt messages

Key can be generated by using openssl, example:

$ openssl aes-256-cbc -k secret -P -md sha1

iv =E7A4713DFBBE38CADA40170F0D34BCEC

If a password of a user is sent to API or with SAML request, it must be encrypted and encoded with Base64 algorithm.

CIM API configuration accepts hexadecimal representation of 128, 192 and 256 bit keys with hex: prefix. Client implementation in most of cases will skip hex: prefix. And use direct binary representation of hex key.

Initialization Vector (IV) - Randomly generated eight octet length.

IV cannot repeat for same key, should be newly generated for any new message.

plaintext data that should be encrypted

For detailed information about AES-GCM please read this RFC specification


This chapter shows examples in various languages of simple encryption/decryption of user password.