[21342] in bugtraq


Re: Cisco Security Advisory: IOS HTTP authorization vulnerability

daemon@ATHENA.MIT.EDU (Peder Angvall)
Wed Jul 4 17:26:30 2001

Message-ID: <00a701c103e9$4c499ac0$eb31f6d0@BOB>
From: "Peder Angvall" <peder@angvall.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 3 Jul 2001 12:55:08 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

From RFC 1994 (CHAP):

"CHAP requires that the secret be available in plaintext form.
Irreversibly encrypted password databases commonly available cannot
be used."


Peder

----- Original Message -----
From: "Carson Gaspar" <carson@taltos.org>
To: "Eric Vyncke" <evyncke@cisco.com>; <bugtraq@securityfocus.com>
Sent: Monday, July 02, 2001 5:35 PM
Subject: Re: Cisco Security Advisory: IOS HTTP authorization vulnerability


>
>
> --On Friday, June 29, 2001 10:00 AM +0200 Eric Vyncke <evyncke@cisco.com>
> wrote:
>
> > As you probably know, for some passwords (used notably for SNMP, CHAP,
> > PAP, IKE, ...) there is a protocol need to get those passwords in the
> > clear. Hence, the obfuscation mechanism will always be reversible. Even
> > using 3DES will require a hard coded key hidden somewhere in the IOS
> > code (and a 'simple' reverse engineering will expose this key).
> >
> > Of course, suggestions are welcome
>
> For CHAP, do you actually need the password in the clear, or do you need
> the password+realm hash? The latter is far less dangerous.
>
> --
> Carson
>
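
Added example, not part of the original thread: the RFC 1994 CHAP response (MD5 over Identifier, secret and Challenge) in Python, showing that an authenticator holding only a one-way hash of the secret cannot check a response. The secret, the salt and the salted SHA-256 store are constructed assumptions standing in for any irreversible password database.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_verify(stored: bytes, identifier: int,
                         challenge: bytes, response: bytes) -> bool:
    """Recompute the response from whatever the authenticator has stored."""
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values, not taken from any real device.
    secret = b"constructed-example-secret"
    salt = b"constructed-salt"
    # What an irreversible password database would hold instead of the secret.
    one_way = hashlib.sha256(salt + secret).digest()

    identifier = 0x2A
    challenge = os.urandom(16)          # fresh per authentication attempt
    response = chap_response(identifier, secret, challenge)  # peer side

    # A response captured for one challenge does not match a new challenge.
    new_challenge = os.urandom(16)

    return {
        # Authenticator stores the plaintext secret: verification works.
        "plaintext_store": authenticator_verify(
            secret, identifier, challenge, response),
        # Authenticator stores only the one-way hash: the secret itself is
        # an input to MD5, so the expected value cannot be recomputed.
        "one_way_store": authenticator_verify(
            one_way, identifier, challenge, response),
        # Old response against a new challenge: rejected.
        "replayed": authenticator_verify(
            secret, identifier, new_challenge, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```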

