Re: Cisco IOS password encryption facts

ice9 (ice9@PARANOIA.COM)
Tue, 11 Nov 1997 04:37:30 -0600

This is why, if you are worried about security, perhaps TACACS+ would be a good option. Even if the router can't reach the TACACS server, with proper configuration, you will still need the enable passwd just to enter maintenance mode...

And I would hope that would be configured using enable-secret.

But even if you were using level 7 encryption for your maint passwd, a maintenance mode user is rather limited in what he can do...

>
> A non-Cisco source has recently released a new program to decrypt user
> passwords (and other passwords) in Cisco configuration files. The program
> will not decrypt passwords set with the "enable secret" command.
>
> The unexpected concern that this program has caused among Cisco customers
> has led us to suspect that many customers are relying on Cisco password
> encryption for more security than it was designed to provide. This document
> explains the security model behind Cisco password encryption, and the
> security limitations of that encryption.
>
> User Passwords
> --------------
> User passwords and most other passwords (*not* enable secrets) in Cisco IOS
> configuration files are encrypted using a scheme that's very weak by modern
> cryptographic standards.
>
> Although Cisco does not distribute a decryption program, at least two
> different decryption programs for Cisco IOS passwords are available to the
> public on the Internet; the first public release of such a program of which
> Cisco is aware was in early 1995. We would expect any amateur cryptographer
> to be able to create a new program with no more than a few hours' work.
>
> The scheme used by IOS for user passwords was never intended to resist a
> determined, intelligent attack; it was designed to avoid casual
> "over-the-shoulder" password theft. The threat model was someone reading a
> password from an administrator's screen. The scheme was never supposed to
> protect against someone conducting a determined analysis of the
> configuration file.
>
> Because of the weak encryption algorithm, it has always been Cisco's
> position that customers should treat any configuration file containing
> passwords as sensitive information, the same way they would treat a
> cleartext list of passwords.
>
> Enable Secret Passwords
> -----------------------
> Enable secrets are hashed using the MD5 algorithm. As far as anyone at
> Cisco knows, it is impossible to recover an enable secret based on the
> contents of a configuration file (other than by obvious dictionary
> attacks).
>
> Note that this applies only to passwords set with "enable secret", *not*
> to passwords set with "enable password". Indeed, the strength of the
> encryption used is the only significant difference between the two
> commands.
>
> Other Passwords
> ---------------
> Almost all passwords and other authentication strings in Cisco IOS
> configuration files are encrypted using the weak, reversible scheme used
> for user passwords. To determine which scheme has been used to encrypt a
> specific password, check the digit preceding the encrypted string in the
> configuration file. If that digit is a 7, the password has been encrypted
> using the weak algorithm. If the digit is a 5, the password has been hashed
> using the stronger MD5 algorithm.
>
> For example, in the configuration command
>
> enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
>
> The enable secret has been hashed with MD5, whereas in the command
>
> username jbash password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
>
> The password has been encrypted using the weak reversible algorithm.
>
> Can the algorithm be changed?
> -----------------------------
> Cisco has no immediate plans to support a stronger encryption algorithm for
> IOS user passwords. Should Cisco decide to introduce such a feature in the
> future, that feature will definitely impose an additional ongoing
> administrative burden on users who choose to take advantage of it.
>
> It is not, in the general case, possible to switch user passwords over to
> the MD5-based algorithm used for enable secrets, because MD5 is a one-way
> hash, and the password can't be recovered from the encrypted data at all.
> In order to support certain authentication protocols (notably CHAP), the
> system needs access to the clear text of user passwords, and therefore must
> store them using a reversible algorithm.
>
> Key management issues would make it a nontrivial task to switch over to a
> stronger reversible algorithm, such as DES. Although it would be easy to
> modify IOS to use DES to encrypt passwords, there would be no security
> advantage in doing so if all IOS systems used the same DES key. If
> different keys were used by different systems, an administrative burden
> would be introduced for all IOS network administrators, and portability of
> configuration files between systems would be damaged. Customer demand
> for stronger reversible password encryption has been small.
>
> November 10, 1997
>

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      ice9@paranoia.com      http://www.paranoia.com/~ice9
My opinion may not reflect that of any living person, but it's the
only one that counts!!
                      main() {for(;;fork());}
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
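As an added example (not part of the original post or of Cisco's advisory), a small Python config audit that applies the advisory's rule: classify each stored credential by the type digit in front of it and flag everything that must be treated as a cleartext password list. The sample configuration is constructed; the `enable secret` and `username jbash` values are the ones quoted above, the other encoded values are placeholders, and treating a credential with no type digit as cleartext is an assumption not stated in the advisory.

```python
import re

# Type digit that precedes a stored credential, as the advisory describes it:
# 7 = weak reversible scheme, 5 = MD5 hash.  No digit (or digit 0) means clear
# text; that convention is ordinary IOS usage assumed here, not advisory text.
SCHEMES = {"0": ("cleartext", True), "5": ("md5-hash", False),
           "7": ("type7-reversible", True)}

# "enable secret|password" or "username <name> [privilege N] secret|password",
# then an optional type digit and the stored value.
CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable (?:secret|password)"
    r"|username \S+(?: privilege \d+)? (?:secret|password))"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

def audit_config(config_text):
    """Return one finding dict per credential line of an IOS configuration."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        digit = m.group("type") or "0"
        scheme, weak = SCHEMES.get(digit, ("unknown-type-" + digit, True))
        cmd = m.group("cmd")
        if cmd == "enable password":   # only the storage scheme differs: use enable secret
            advice = "replace with 'enable secret' (MD5-hashed, type 5)"
        elif weak:
            advice = "treat this config as a cleartext password list; rotate the credential"
        else:
            advice = "hashed; still guard the file against dictionary attacks"
        findings.append({"line": n, "command": cmd, "type": digit,
                         "scheme": scheme, "weak": weak, "advice": advice})
    return findings

# Constructed sample config.  The 'enable secret' and 'username jbash' values
# are the ones quoted in the advisory; the other encoded values are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
enable password 7 0123456789ABCDEF
username jbash password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username ops privilege 15 secret 5 $1$PLCH$placeholderMD5hashvalue00000
username backup password letmein
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {'WEAK' if f['weak'] else 'ok'} {f['command']} -> {f['advice']}")
```

Run it against a saved `show running-config` to get one line per credential; any line marked WEAK means the file itself must be handled as a list of plaintext passwords, exactly as the advisory says.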