4.1 Deriving a Password and Encrypting a Connection String for Unsecured Peer Name Initiation

This example follows the steps that appear in sections 3.1.5.1 and 3.1.5.2, which show how to derive a password and encrypt a sample string:

  1. Assume for the connection string "SAMPLE", when encryption is done, 1218745079 seconds have elapsed since January 1, 1970 UTC.

  2. The first hash input is the following, expressed in hexadecimal values.

     53 00 41 00 4d 00 50 00 4c 00 45 00 00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00 00 00 00 00
    
  3. After the first hash iteration, the hash result is the following, expressed in hexadecimal values.

     00 df 01 a1 9d 25 89 60 e6 a4 4a a9 8b e9 c2 6f 00 29 22 39
    
  4. When the hash result is added back to the original input, a new hash input results, which is expressed here in hexadecimal values.

     53 00 41 00 4d 00 50 00 4c 00 45 00 00 df 01 a1 9d 25 89 60
     e6 a4 4a a9 8b e9 c2 6f 00 29 22 39
    
  5. After the 100,000 iterations, the first sequence of 6 bytes of the hash result is the following, expressed in hexadecimal values.

     1d f6 35 43 74 92
    
  6. Each byte is divided by 256 and then multiplied by 29 (the number of characters in the string). The resulting fractions are discarded to obtain an index for each byte. The resulting index for each byte is looked up in the password character string "BCDFGHJKLMNPQRSTVWXYZ23456789" to obtain the corresponding character for that byte.

     First value: 0x1d is 29, (29/256) * 29 =3.29 -> 3
     Indexes: 3 27 6 7 13 16
     Resultant characters: F 8 J K R V
    
  7. When the number of seconds since Jan 1, 1970 is divided by 3600, the resulting figure is the number of hours that have elapsed since Jan 1, 1970 UTC. This number is concatenated to the derived characters to get the string "F8JKRV338540".

  8. The first hash input is the previous string copied into a byte buffer that is expressed in hexadecimal values.

     46 00 38 00 4a 00 4b 00 52 00 56 00 33 00 33 00 38 00 35 00
     34 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00 00
    
  9. The first hash result is the following value, expressed in hexadecimal.

     5f 3d 53 db 86 9a f1 ac 24 63 21 f4 c1 78 90 6d 91 a7 1a d5
    
  10. The hash result is then copied into the byte buffer and expressed in the following hexadecimal values.

     46 00 38 00 4a 00 4b 00 52 00 56 00 33 00 33 00 38 00 35 00
     34 00 30 00 5f 3d 53 db 86 9a f1 ac 24 63 21 f4 c1 78 90 6d
     91 a7 1a d5
    
  11. The first 16 bytes of the final hash value, which occurs after 100,000 iterations, is expressed as the following hexadecimal values.

     30 e3 db fb 31 4b 40 9a 70 bc ce 74 4c ad e6 5f
    
  12. The previous value is then converted into a Unicode string and results in "30E3DBFB314B409A70BCCE744CADE65F".

  13. Using the SHA-1 hash algorithm, hash the key string from step 12 to obtain the following hexadecimal values.

     bb 50 02 ab ff f3 f8 23 6d 84 7d 50 ee a9 9a ba 2b 2c 1e 45
    
  14. XOR each byte from the result of step 13 with the constant 0x36 into a new buffer.

  15. Hash the resulting buffer using the SHA-1 algorithm.

  16. Use the first 16 bytes of the hash value as the derived cypher key for encryption using the AES 128 algorithm, as described in [FIPS197].

  17. Encrypting the original connection string "SAMPLE" with the cipher key results in the following encrypted value.

     7f d6 54 48 2f e0 92 73 d7 69 85 b0 1d 4b 7a 4b