[21262] in bugtraq


Re: Cisco Security Advisory: IOS HTTP authorization

daemon@ATHENA.MIT.EDU (Eric Vyncke)
Fri Jun 29 16:28:31 2001

Message-Id: <4.3.2.7.2.20010629095801.0c3e6a70@brussels.cisco.com>
Date: Fri, 29 Jun 2001 10:00:54 +0200
To: "David Hyams" <david.hyams@kmu-security.ch>
From: Eric Vyncke <evyncke@cisco.com>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <003c01c0ff57$ad7f1b80$0101010a@david>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 00:22 28/06/2001 +0200, David Hyams wrote:

...%<....%<.... lot of valid comments deleted ....

>* It's well known that the encryption algorithm for vty passwords is very
>weak. Numerous software tools exist to decrypt the vty password. Isn't it
>time to abandon this algorithm and implement a real encryption algorithm for
>ALL passwords (not just the "enable secret" command)? If an attacker can get
>the device config, then it's far too easy to decrypt the password (assuming
>of course that it is encrypted! See above)
>

David,

As you probably know, for some passwords (used notably for SNMP, CHAP, PAP,
IKE, ...) there is a protocol need to get those passwords in the clear.
Hence, the obfuscation mechanism will always be reversible. Even using 3DES
will require a hard coded key hidden somewhere in the IOS code (and a
'simple' reverse engineering will expose this key).

Of course, suggestions are welcome.

Just my 0.01 BEF (still 6 months to live)

-eric


>regards
>
>David Hyams
>--
>david.hyams@kmu-security.ch
>http://www.kmu-security.ch
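
The protocol constraint described in the reply above, as an added example that is not part of the original message or of any Cisco code: a CHAP authenticator (RFC 1994, MD5) has to rebuild the peer's response from the shared secret, so a one-way hash of the secret cannot be used for storage, while reversible storage works but is recoverable by anyone holding the embedded key. `EMBEDDED_KEY`, the XOR scheme and the secret are constructed for illustration and are not the IOS algorithm.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into a device image (assumption, not a vendor key).
EMBEDDED_KEY = b"constructed-demo-key"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def obfuscate(secret: bytes) -> bytes:
    """Reversible storage: XOR with the embedded key (toy scheme for illustration)."""
    return bytes(b ^ EMBEDDED_KEY[i % len(EMBEDDED_KEY)] for i, b in enumerate(secret))


deobfuscate = obfuscate  # XOR is its own inverse


def one_way(secret: bytes) -> bytes:
    """One-way storage, suitable only for passwords that are checked locally."""
    return hashlib.sha256(secret).digest()


def authenticator_verifies(stored, recover, identifier, challenge, response) -> bool:
    """The authenticator recomputes the expected response from what it has stored."""
    expected = chap_response(identifier, recover(stored), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-chap-secret"  # constructed sample value
    identifier, challenge = 7, os.urandom(16)
    response = chap_response(identifier, secret, challenge)  # computed by the peer
    return {
        # Reversible storage: the secret can be recovered, so verification works.
        "reversible": authenticator_verifies(
            obfuscate(secret), deobfuscate, identifier, challenge, response),
        # One-way storage: only the digest is available, so verification fails.
        "one_way": authenticator_verifies(
            one_way(secret), lambda s: s, identifier, challenge, response),
        # Anyone with the stored value and the embedded key gets the cleartext back.
        "config_reader_recovers": deobfuscate(obfuscate(secret)) == secret,
    }


if __name__ == "__main__":
    print(demo())
```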

