AES encryption for NSCA

[lmiltchev]

Sounds good, Willem. We will keep the thread open awaiting updates.

[WillemDH]

Michael's answer:

Unfortunately RIJNDAEL (which is what "real" (old) NSCA uses) is not AES.
While AES was based on Rijandel the block size can (and in this case are) different if I recall correctly.

What's Nagios' opinion on this?

[lmiltchev]

It seems like you will be able to use only option 14 (RIJNDAEL-128) with NSClient++, as 15 & 16 are NOT the same as AES.

Rijndael-256 and Rijndael-192 must be seen as completely different algorithms from AES (Rijndael-128). They are inherently incompatible.

http://stackoverflow.com/questions/7486 ... el-and-aes

I believe ssax already proved this by testing it.

I was only able to get NSClient++ working with 14 (AES-128). 15 (AES-192) and 16 (AES-256) do not work in NSClient++. I also confirmed that all AES algorithms work for the Linux client as well.

[WillemDH]

AES 256 should be an option. Could you make a low prio fr and close this? tx

[lmiltchev]

AES 256 should be an option. Could you make a low prio fr and close this? tx

According to our developers, we support all three options in NSCA (on the Nagios side of things):

Code: Select all

#       14 = RIJNDAEL-128
#       15 = RIJNDAEL-192
#       16 = RIJNDAEL-256

The issue is with NSClient++, which is NOT our product.

I am going to do some more digging into this despite the fact that Sean already tested it. I am not using the latest version of NSClient++ though. I have 0.4.4.15.

[WillemDH]

The issue is with NSClient++, which is NOT our product.

I know this by now.. I'm not trying to blame anyone; I'm just looking for a way to achive 256 bit encryption. This is not something I need soon, but something that will be required in the coming years.

The issue is in fact this:

AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.

Looking forward to what you found out about this Ludmill. Please consider this very NON-urgent.

Grtz

Willem

[lmiltchev]

"very NON-urgent" it is.

I tested the use of "16 = RIJNDAEL-256" on Linux via outbound/inbound transfers between two Nagios XI machines. It worked just fine. Same option failed when used with NSClient++.

FYI, our developers are looking into this. Perhaps they can force the block size to be 128 bits, and use various key sizes on AES... not sure how they are going to handle this.

In any case, we can file a feature request for adding AES support on our end (unless you have information that NSClient++ will be adding Rijndael-192 and Rijndael-256 support).

[WillemDH]

Well as Michael added the 'won't fix' label, I fear he won't fix it.. https://github.com/mickem/nscp/issues/287

[lmiltchev]

I posted a feature request here: https://github.com/NagiosEnterprises/nsca/issues/5. Feel free to chime in. Thanks, Willem!