Re: CISCO MD5 encryption

[Security Manager <security () virtusec net>]

Cesar,
You raise, in my opinion a different point to consider, namely 
maintaining confidentiality when sharing the hash.  Many of the posts, 
mine included examined someone first having to get your hashed password, 
I didn't seen anything about sharing that hash.

So....

Your organization should establish policies for sharing confidential 
information.  Over the years I've had to provide switch, router and 
firewall configs to auditors as part of our yearly certification 
process.  Many data points were purposely excluded from the configs that 
were handed over, including password hashes, local AAA details, SNMP 
strings, interface descriptions and even IP addresses.  Our position was 
this data can be very useful to a hacker and if improperly handled could 
expose us unnecessarily.

For what it is worth I would suggest you determine what data points you 
would consider confidential and remove or obfuscate them when sharing them.



On 2/24/11 12:05 PM, César García wrote:
> Hi all,  great to see al the feedback from my question, In fact , my
> original question came after reading the HBGary Hack and after reading
> en email from an outsourcing company sending me a "show run" dump from
> a CISCO switch, I wonder if I were unethical ( thing that I'am not )
> could I get the password ?
>
> According to some answers It is possible right ? so, I should ask the
> company to erase those lines next time in order to avoid any problem
> when they send a show run.
>
> Thanks to all !!!
>
> 2011/2/24<krymson () gmail com>:
> > Ok...
> >
> > 1- MD5 is considered insecure and you can create collisions. (This doesn't mean it's suddenly obsolete, but there *is* 
> > weakness.)
> >
> > 2- Cisco utilizes MD5 hashing to store passwords in configs.
> >
> > The problem here is I haven't seen anyone draw the lines between the weakness in MD5 and how it matters to Cisco's 
> > usage of it.
> >
> > Just because you see "MD5" in a statement doesn't mean you can just drop the "don't use, it you're dumb" response. 
> > Proper security needs more thought than that.
> >
> > Props to those responses who are knowledgable about the Cisco usage of MD5 and how that relates to the OP's question on 
> > rainbow tables and how susceptible it may be.
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
> > it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
> > install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
> > highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------