Decrypt AES SecurityInfo Strings

The following procedure describes the algorithm to use to decrypt a security info string that is encrypted with an AES key file.

NOTE: To decrypt a security info string, you need the AES key file that was used to generate it. OpenText strongly recommends that you secure your AES key file so that only your IDOL components and authorized administrators can access it.

The IDOL Content component, IDOL Community component and DAH need access to the key file.

To decrypt an AES SecurityInfo String

  1. Base64 decode the SecurityInfo String.

  2. Split the decoded string on the left-most pipe character (|).

    The left side is the data length, followed by a colon (:) and a number indicating the encryption type.

    The right side is the data.

  3. Check that the encryption type is 2 for AES-encrypted data that follows this specification. If the encryption type is missing or has a different value, fail the decryption.

    Check that the data length is equal to the length of the data. If this check is not successful, fail the decryption.

  4. Select the first 12 bytes of the data. This is the AES initialization vector (also referred to as the IV or nonce).

    Select the final 16 bytes of the data. This is the AES authentication tag.

    The remaining data is the encrypted content (ciphertext).

  5. Use AES-GCM to decrypt the ciphertext, by using the IV and authentication tag from the decoded data, and the 256-bit key from your AES hexadecimal key string.

    The decrypted data has the prefix AUTN:. If this string is not present, fail the decryption.

  6. Use zlib to decompress the data after the AUTN: prefix.