A non-Cisco source has recently released a new program to decrypt user
passwords (and other passwords) in Cisco configuration files. The program
will not decrypt passwords set with the "enable secret" command.
The unexpected concern that this program has caused among Cisco customers
has led us to suspect that many customers are relying on Cisco password
encryption for more security than it was designed to provide. This document
explains the security model behind Cisco password encryption, and the
security limitations of that encryption.
User Passwords
- --------------
User passwords and most other passwords (*not* enable secrets) in Cisco IOS
configuration files are encrypted using a scheme that's very weak by modern
cryptographic standards.
Although Cisco does not distribute a decryption program, at least two
different decryption programs for Cisco IOS passwords are available to the
public on the Internet; the first public release of such a program of which
Cisco is aware was in early 1995. We would expect any amateur cryptographer
to be able to create a new program with no more than a few hours' work.
The scheme used by IOS for user passwords was never intended to resist a
determined, intelligent attack; it was designed to avoid casual
"over-the-shoulder" password theft. The threat model was someone reading a
password from an administrator's screen. The scheme was never supposed to
protect against someone conducting a determined analysis of the
configuration file.
Because of the weak encryption algorithm, it has always been Cisco's
position that customers should treat any configuration file containing
passwords as sensitive information, the same way they would treat a
cleartext list of passwords.
Enable Secret Passwords
- -----------------------
Enable secrets are hashed using the MD5 algorithm. As far as anyone at
Cisco knows, it is impossible to recover an enable secret based on the
contents of a configuration file (other than by obvious dictionary
attacks).
Note that this applies only to passwords set with "enable secret", *not*
to passwords set with "enable password". Indeed, the strength of the
encryption used is the only significant difference between the two
commands.
Other Passwords
- ---------------
Almost all passwords and other authentication strings in Cisco IOS
configuration files are encrypted using the weak, reversible scheme used
for user passwords. To determine which scheme has been used to encrypt a
specific password, check the digit preceding the encrypted string in the
configuration file. If that digit is a 7, the password has been encrypted
using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.
For example, in the configuration command
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
The enable secret has been hashed with MD5, whereas in the command
username jbash password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
The password has been encrypted using the weak reversible algorithm.
Can the algorithm be changed?
- -----------------------------
Cisco has no immediate plans to support a stronger encryption algorithm for
IOS user passwords. Should Cisco decide to introduce such a feature in the
future, that feature will definitely impose an additional ongoing
administrative burden on users who choose to take advantage of it.
It is not, in the general case, possible to switch user passwords over to
the MD5-based algorithm used for enable secrets, because MD5 is a one-way
hash, and the password can't be recovered from the encrypted data at all.
In order to support certain authentication protocols (notably CHAP), the
system needs access to the clear text of user passwords, and therefore must
store them using a reversible algorithm.
Key management issues would make it a nontrivial task to switch over to a
stronger reversible algorithm, such as DES. Although it would be easy to
modify IOS to use DES to encrypt passwords, there would be no security
advantage in doing so if all IOS systems used the same DES key. If
different keys were used by different systems, an administrative burden
would be introduced for all IOS network administrators, and portability of
configuration files between systems would be damaged. Customer demand
for stronger reversible password encryption has been small.
November 10, 1997
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQEVAwUBNGen1wyPsuGbHvEpAQFYHwgAtIs5PykwbZ11H3kzKxpl67I4OX4Kngli
wKL7PHxbKMvB12l/oiFoTcrOqWXVWN6AQ3ObbkJ+GD02zHbW+5rU/2/dys86GQAi
MGBLS/7pKrb9oPjeI5P+ZZIGfaM/Cs6y6nRN2jeC2ZSglGmlsaWua0Sm+9ytvz1b
x730JE1yGybxnBHYGsonSpRNQ8xx8RKjG+HZ5gFROWkY/gsBeqiEcz/y+XJq0qwO
6ULpwAKVV9jld4m93ZJe3LzyjrOUM7+pk3UzNAZu1IfUoy1L3J/VfehbBc7BmMy7
0AylJwuhNd3mlCe3Vl0VgCG/qC/hjX+860QY9CWb411Nstc+pyjcqw==
=JdSr
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
mQENAzPvjNgBbQEIANK7KlAHQsajB9t0ddYhrZNmaOnyPL8T5JZRDq7uSf3HfXZ9
gcE+DU3/2/TuCa7l/P0fblpUtxOo2FScjdg6Zd/V+8FH++wfH7GP+M2lJIw1N/UN
hLfqUe7RJZtAvAb2VRpA3pV816ngk0H7tb2RyAsu3H7MvwTDZaZ/dzhM/40uDz2b
OUjkaoxC/cKLsP+ODLydPK3XPzjq9XipC3AX8zDLbjAMSyNTpQP4c2NvIf6X4Q4Q
D+yZJu0dYA8i/QC2F9cb4sT6fKtoRENwVLQhHwkxwKLqmyokLLOZ7QvQw1Rqs8ZU
E4o5OFdf0XvqW2+C1+CWQ5Z987ZHDI+y4Zse8SkABRG0R0Npc2NvIFN5c3RlbXMg
UHJvZHVjdCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxwc2lydEBj
aXNjby5jb20+iQEVAwUQM++M2AyPsuGbHvEpAQFlYwgAk9yGvvH1Rsz3dQAgbzBR
iA68u5YYX/b8/n5aTrtxK1Z9KltjdDjcU/rv2fqmwhsc9Q2JYE1re/iiUUuxTTXc
xCdnLfZ75w6P7v1XaE8HbaXvUbYmFuKxvhzI6gnZ3OWEqVQ/P1RB7zzSwHtvMAOm
rkty+vFz8g432tDeU/WEif0PAeNassVjIBE3mSFcnoF9PwR7+983oLI+QUTz+KZ3
po7r7ETFXBaie8MY5vMo2a0ds6GUsrMVpFiJ2zruSCJQJvVVoe9VT9pg92fHw6vS
YZBf6jcPd+3kUjAcAZQj5Jkuo5QtDc+JpCs6A4JS+nk2UPYisFOfxHjR2bv396ym
lYkAPwMFEDPvjPSWgad8PVLgfxEC85sAoLW7FY3dWWXLiZD6FbN3G81/SYm2AKC3
EPPlj+zNMt83UlBIR06BWOhPmYkAPwMFEDPvjehhWBbFOs5V/hEChMsAoIHN2sJN
Nso+kYr3G2BZ90KJ++7HAJ9vQkdJRwI7HSyL+iyfQS3YV4ivKYkAlQMFEDPvuil3
prw+JwB2/QEBujkEAKvxs8A5OMk/TD8tuQMATILDxnj0ZGepAV0wbJjJx8bYQ54s
hF6r4OlyWEVPOn9sMn81QyWOeaprpJfYWgqntyJ8aO4Mh2gfI4uKzKn5hJ9n424g
L3cOcJUKmARBGFgL4gB6QZU6k+52qubv08gHYBDUTpxbtYy09/bieET6Tu6NiQB1
AwUQM/DnKABQXdL3LtV5AQEB1gMAntCpluUCoH9Spn+4RBKQU9qVYjZL9ye7Qd9z
8uKIUGM7VFMD/ECavREEd6ggYFCX2t1YV1j6805+oROx/xhxCe4OSG2PX6NQx3Mc
hMWgQSiBKFikfxXcbDTwU4HGk/U8iQCVAwUQM/Dk3Rim+KqOZxohAQFO0AP+PkRZ
AMsuGJ62XOmO27ZwoB1yMB+LahS9zWlVUuCrBs0NloC0Uc9aydw+tWqr5PU8972O
ZmMI1mPnjsAao7hJeVFEKmNpJ+nPFx56fmO138D6h+1eYYsXMEkx4FNHYmr/hP9R
T7JuqFChB4eHAtL37GDo6pUqIpRdbI6imU+TGWSJAJUDBRAz8OmMetUtBpz0lbkB
AZnqA/9Vcjr5qpxELEwYmJhBih4Eha0bPebxDpT/wDQlWF8KQVT+dVa4/kXDZDSQ
EOcV+Q+Z0YAxqFFaWHI1CYr2pR+jDqzxxdsxvwLPaJ2Yq2vnb/UozPzCYXaRr8dK
E2LaRpUIe/frpaKggGfT+HP35WWSAkS4yP91I+9xw2xAHC7F/IkAPwMFEDPw8Uu4
sEdhxJFDBxECSu4An0Vs1WvZhg1+F9gXVAdWeZeQwjPjAJ9kiB4mUt6PeE1Yafo0
y9h1h25z44kAlQMFEDPw6arUWbxRv7Y9YQEBrGYD/AyYF/uH6EJVZww/oASl5pxt
2Q9YR5Kb60f7RsMOi48SgIV0lrUCk8rEN7HiEMlMSzjqtCuAPbxc85ltYA2V8GMB
uz16DZ+LshmN2Bdo5HvlJ7oONRfTznAaeKVH40MYI+4oj0Z+mXbhIT48OkQUaWAx
+XxdzLufxNNU8oForJ/FiQEVAwUQM/NXXx9quvkcD7cJAQHDZwgAkh5R/OS8SzEV
WOOlnUPSaI/PNPSeKdEOOvU5K6u8DMsb/M5775fg9paCGi+UngRiL3xWjykJzfrp
94F/0d4PpdkcQUEao6+uZBgIbDK9S/W0bDAFCgCnwy20JPXxJgdikQb0GLBzP+31
WHl4JSMXTuNAFJ8z7Uc/a2JWe3QZ+w8uZP5IyASimYYLu+19Hxo4fYT/bOOQ975z
arCgaDO6b4HU68GG3WqytmuBj6Vpu1x5Ia9cNpxgPmtM4wg83zmx06fDTGN89EYH
rt7dluxCBesxPhUsmZn071Xdq1zMYIzHns4jxwCREp5kNMtPsUKA8dSA4UO2BdkO
q5IX6scTOokAPwMFEDPyrMUi3EpiOkv3cBECgNEAn0dTtLw0NDPHn/XPgxz8jcnR
szjkAJ0bHBmB26616zdcrgPZrYtvac9gVYkAlQMFEDPxEE1/tdR0mmHbCQEBO2YE
APGeRsytUHeL7tUbdDgLmz6fcroNkJk6sjQLAw0HYqnHbwhfXCvFQmAb00Whw4xQ
cSXej3JUJSwXDyEJ5AhOD3IdTkKJnJA81xJzYJXhp8kJTF09M5voB5eZg1Fp0bcE
w3a2MXy3SWRWfJ7SSA2De7dBpf2oOZeI9AuRltHfVmKPtFBDaXNjbyBTeXN0ZW1z
IHByb2R1Y3Qgc2VjdXJpdHkgaW5jaWRlbnQvYnVnIHJlcG9ydGluZyA8c2VjdXJp
dHktYWxlcnRAY2lzY28uY29tPokBFQMFEDPvjV0Mj7Lhmx7xKQEBCCsH/3i8JxEV
xwj+F/fff2lCRDD83fJTGhYNYvOACxYaRSs1hwZ1pAWSLUzN+cc3Iqub+dT9zgbu
brHFP8kYB5oPxEh92myV7d0ijLI82RNc7yrql9MI2H9yIYdgrT2aP98KbGulxri3
U9HQ1AnVPE43eu8F96fgiOggRqDKi7lWP9ADvcaKO3a1aDk/X2EO1I0jSJMTfZ1c
yMlpmrnTs3i5x2lX+42GHjpgA3tWGlTN6DFWa5k2dU7TzE3dKL1qz5Zdu81WMdT4
xDbk2Q6Z8rGu2oKA+YXprSlF0dBsG3qFTKSFgnHijTT4fJI2+gebEzpe8vGUf4FJ
XQmjZ+bG2dTdUKyJAD8DBRAz7410loGnfD1S4H8RAqdjAJ9VVM6GixYnpOpZMvvp
uKk3OHowKACfQxP/Dcmqg5KtDPnd6hHMaVbEBAaJAD8DBRAz7435YVgWxTrOVf4R
AhkwAKDWgIbBaQ/qoR9F/CMhmpYztcsMBwCg2DThE7h3j5HGvsiwy8MsZZmLq5mJ
AJUDBRAz77opd6a8PicAdv0BAXKbA/9uZcSak/u41uFuow5uwkydjkfHz7XRFK49
HX7ozwoJbVydzlURMIOvbwpf6ws/bFTyhM1RRG3b5E5o4psXoNWowXG+uNkmTLhX
IBOtH4TcjbLXspLWUiNtBNlJ2dDKxit9ye1Z/9cTwpfaNyAmtb0aPBN4sZ8r6Bmg
d44Vx0nSL4kAlQMFEDPw5OoYpviqjmcaIQEBJ/UEALXebkpbO3GE/jGb41qzMcoT
VXt3kqh1mY1yJloPEllXstP1yO83uczLfPhhKUKAGg/WZS5eFrYTRvIqu2HZ7F0P
fTqqReKUUr7GFb+QUTzt178DQzfIyTHT+43CIMF6NPGbdWFkwzMaUjXBewEX2eTN
g1fRSoYC64rPvSEXFnnpiQCVAwUQM/Dpk3rVLQac9JW5AQHcZgQAqveziPJciVrz
danmUHGt8La2rl1qXoYtYAcS51gVD2Dxle/J1SIvyRWysTE0+s8X+zgw71zQXm54
KUKdoFTvEyerc65NnVVCgPUpNN8/H0XUpNd1oZ2KKIzz3mxQbVwa50sRKvYBFUo9
mUfbv+alFK4yrWaqAF3Dx38KiQrqOa2JAD8DBRAz8PHwuLBHYcSRQwcRAu+bAJoD
EDaxddtU35mekCglNjbHLmOR+gCgiYpy0fB8JtNJE0k3xQDuW0H8uG2JAJUDBRAz
8Om31Fm8Ub+2PWEBASbZA/9wYDYTmvtoSuvI0yOITGgmh8kSCOMAmXikhI6ASZy8
GhkPX7OY2ybX2Iw7XXApL0mcuDr13Fm+xrt9TymyYAbRnmPjbPn1GoYVM/orN+R/
t/mblfdb+eklvMKnChA7eNFfYNUz+V+lRPkH156EnBXYwmzlYsKEerGjxJLoyQEr
sokAPwMFEDPyrNgi3EpiOkv3cBECoIcAnjmNq8NznK0HYgwicWYUjDAmte6QAKCK
6txKW+VHWRJ2cSf2maRkf0TmmokAlQMFEDPxEHR/tdR0mmHbCQEBigQD/i0ZA1Qs
FjQqQABTmoOqLt0phX8Q9fakXyz245Zt5y5OsGL20lwVadVVzESZHZgl0sTHtL6N
a8QjKC+uqlbrch60oInzzzegGDTyk0zVMeaNApOcV3+D1qMvHH78qyibXf8A4uEc
n1jrGTWClQH9SLW2bHtuNyArIDAHbs2S4MoKmQGhBDPvjDARBAD82RXM1EyVSEpL
6mpDMyxI8Scc22yVqRYL+Ckv0SXHEPaZNIgQblVx32jyfnmGIZeVYK2sDRTB6vXJ
t1k+R5HRRhTG7fB0f309gT/Zgmk64zC7L4nLQp6fNEVJLfxRdrwXCOPfBf56Y8vK
BFZSvwK4qLNHurMP2MVUuYfCl2UpHwCg/6WzFTHW34HvDKgD+3k0ap0lMq8EAME9
i5IEdwTnGO2zsyyc/gw6QKoSGNEkbGmciZukAQTulVKQpYMv1jIm6Uy91HbsR0mU
WxPzCBPCvJzvZOW0O+AJq4m/h1dQD2kdIHt+nYAdfZjY26YUpB6gfFmQucGhH/o8
GfhkmN6Lw21+gx4lctfia2/46poasCNo961yKyuQA/ID6qpHargBoOk2n/av9jV1
Rox8vhYVGwQhmVpYVUMzdw8ldo3CejaqyW97IyOU7tZo4WUzJ2Z3sG0DHdim+Voe
Djb5hsd34MzoGL7KjRFGldbNr2H/DhmItLyzxJ5YXgMXNGy3IhfOjCwZsGhZ1eTd
dxbD7rb7+VN/ROhTpCSXtEdDaXNjbyBTeXN0ZW1zIFByb2R1Y3QgU2VjdXJpdHkg
SW5jaWRlbnQgUmVzcG9uc2UgVGVhbSA8cHNpcnRAY2lzY28uY29tPrRQQ2lzY28g
U3lzdGVtcyBwcm9kdWN0IHNlY3VyaXR5IGluY2lkZW50L2J1ZyByZXBvcnRpbmcg
PHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT65Ag0EM++MTxAIANfnEviV6GSqF/7S
MetsaCkKUe/TmcEtoYRdE9ZorvLlruvSaFHMgXCg4SqyC689BJJBaKN2MTYIV0T3
idlbHp4mXHDyU28tTEFenA9m4ER0PxEO/wITI3XoOO7SCxUnxyvxPy8Jn9PYBHMp
F+iWqUbzLsX4tZI7LJj73i0vi+5tGNaBBFu4cD2UJis7lb/CSK7bb4RJ6lHYVWHt
bcFApwSRheeusvN0YwKpPg5hy6gwaUSKtddJDadcJcQ/G2I820onsqgYRfDncEBY
uLavuu2h5CuR+Qz6jrwNUAX1f6UxC2WYY7tsp+wzQJ9VuTnKQEFPc6GIoiSSeyV3
KibzVZ8AAgIIAKDBdTFi6kQSB1+x7XQgQ8SNL0HFjtr25TMJr/eeU6m1NkrtCVg3
llA+lhTmpork6ZDu3GXp/IW02o246G57Z23pHU1VkEwjsWl1sdUY5QH+wIV6uZJu
bZW1TroDI86l0m7WeWC+mqQXn6GuvkX+YpF5qU1OCY9Pnen6sWkYXiqE5LW3USyY
xglTac8EQqcs3JYevV1/M6oTWXdMSEDV2/Bqd9g5qZBYQFkkftdW6YsJPMGgn2EI
yu4kTyazk3UafH/yqemCbGX6S5j3krCoIMwfUpeOHPB1OxACLB0loA2cwCpq5p7W
hXUCyRuqdXYN50NUrmKDo8+hsL/e89PofQU=
=AsFg
-----END PGP PUBLIC KEY BLOCK-----