mailing list archives
Re: Cisco Security Advisory: IOS HTTP authorization vulnerability
From: Eric Vyncke <evyncke () cisco com>
Date: Fri, 29 Jun 2001 10:00:54 +0200
At 00:22 28/06/2001 +0200, David Hyams wrote:
...%<....%<.... lot of valid comments deleted ....
* It's well known that the encryption algorithm for vty passwords is very
weak. Numerous software tools exist to decrypt the vty password. Isn't it
time to abandon this algorithm and implement a real encryption algorithm for
ALL passwords (not just the "enable secret" command)? If an attacker can get
the device config, then it's far too easy to decrypt the password (assuming
of course that it is encrypted! See above)
As you probably know, for some password (used notably for SNMP, CHAP, PAP,
IKE, ...) there is a protocol need to get those passwords in the clear.
Hence, the obfuscation mechanism will always be reversible. Even using 3DES
will require a hard coded key hidden somewhere in the IOS code (and a
'simple' reverse engineering will expose this key).
Of course, suggestions are welcome
Just my 0.01 BEF (still 6 months to live)
david.hyams () kmu-security ch