Passwords
Note
Passwords are only available for the eSecIP Professional and eSecIP Standard editions.
The passwords information type is optional for the product configuration file.
The passwords information type allows you to create a random password for each individual device. This is often required because of global security regulations. If the product does not require random passwords, the information type can be omitted from the product configuration file. If Passwords configuration objects are defined, production records must be enabled and a production record encryption key must be supplied. With a production record you can extract passwords from a device once it is provisioned.
Using this feature, a random password is generated for each password configuration object by the Security Appliance, using an algorithm supplied with the product template. The pseudocode for this algorithm is provided in the example below. The algorithm works by inputting strings of characters which the algorithm randomly selects characters from, to create the password. These strings are called policies, because they attempt to emulate the OEM’s password policy where the password must comprise certain types of characters. In the example, each of the four policies is represented by a string of characters. For the lowercase letter policy, the string would be something like "abcdefghjkmnpqrstuvwxyz". Using strings allows you to exclude certain characters such as the letter l as it is very similar to the number 1. When the password is created, the algorithm selects at least one character from each policy string to ensure that all policies have been met. Because of this, a password’s length must at least equal the number of policy strings in the configuration object. This ensures that the password is long enough to contain at least one character from each of the policy strings.
It is strongly recommended that passwords be as long as practicable while using as many policies and characters in those policies as possible.
Field name | Description |
|---|---|
| The algorithm that generates the password. Mandatory. |
| A list that defines the policies for the device password. Mandatory. |
| The name of the password, to be used internally. Mandatory. |
| The number of characters in the password. Mandatory. |
| The name of the obfuscation record used for obfuscation. Optional. If the object is not to be obfuscated, this field must be omitted. |
| The memory location for the provisioned password. Only for the eSecIP Standard edition and mandatory. |
| The memory location for the length value (in bytes) of the provisioned password. Only for the eSecIP Standard edition and mandatory. |
| An ID to be used for locating the password inside the BLOB. Only for the eSecIP Professional edition and mandatory. |
passwords information typeExample
This is pseudocode for the password generation algorithm.
The algorithm extracts the allowed char strings and password length from the product definition. Each string of chars represents a password policy.
def default_password(list_of_policies, password_length):
policy_1 = "ABCDEFGHJKLMNPQRSTUVWXYZ" #string to pass through policyArray[]
policy_2 = "abcdefghjkmnpqrstuvwxyz" #string to pass through policyArray[]
policy_3 = "23456789" #string to pass through policyArray[]
policy_4 = "+.,!%$" #string to pass through policyArray[]
pass_length = 12 #integer to come from password_length argument
//create a pool (string) of all possible characters
all_chars = Policy_1 + Policy_2 + Policy_3 + Policy_4
//randomize the position of the chars to reduce any selection biases
all_chars = random(all_chars)
for pass_char in range(pass_length): #Loop over length of password
//Get random no. from SA and convert to value <= length of All_chars
rand_num = API call (len(All_chars))
rand_char = All_chars[rand_num] #Select random character from All_chars
password += rand_char #Add random char to password
//check which policy has been met by random character
for policy in range(list_of_policies):
if rand_char in policy:
// Update a list of Bools to indicate which policies have been met
if not policies_met_list[index]:
policies_met_list[index] = True
//keep a tally of the number of policies that have been met
policies_met += 1
index += 1If all policies are met, the loop continues until
len(password) = Pass_lengthand the password selection process is complete. However, if one or more policies are not met when we get near the end of the loop, the character selection process is limited to only those policy strings which have not had a character selected from them yet. This ensures that the entropy, that is the degree of randomness, is only reduced when necessary.
if (pass_length – pass_char -1) <= (len(list_of_policies) – policies_met) and
policies_met != len(list_of_policies):
all_chars = "" //reset the all characters variable
//set a flag to, if a reduced set of characters, randomize the final password
randomize_flag = true
for remain in range(number_of_policies):
if not policy_met_list[index]:
all_chars += policy_remain #rebuild list of chars to choose from
index += 1If the character set has been reduced to ensure all policies are met, the order of the final set of characters must be randomized to improve the entropy caused by the use of a reduced character set.
if randomize_flag: random(password)