[18709] in cryptography@c2.net mail archive
Re: Cisco VPN password recovery program
daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Oct 20 16:36:46 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: cryptography@metzdowd.com
Date: Thu, 20 Oct 2005 21:29:01 +0200
In-Reply-To: <87u0fdzikg.fsf@snark.piermont.com> (Perry E. Metzger's message
of "Wed, 19 Oct 2005 10:29:19 -0400")
* Perry E. Metzger:
> Via cryptome:
>
> http://evilscientists.de/blog/?page_id=343
>
> The Cisco VPN Client uses weak encryption to store user and group
> passwords in your local profile file. I coded a little tool to
> reveal the saved passwords from a given profile file.
>
> If this is true, it doesn't sound like Cisco used a particularly smart
> design for this.
Why? In essence, this is the PSK that is used to authenticate the VPN
gateway. It must be available in cleartext on the client.
(Later versions offer asymmetric encryption as well.)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
