Re: MD5 is insecure

[nanog--- via NANOG <nanog () lists nanog org>]

There is currently no known way to generate a private key that would match your private key hash, faster than brute 
force, and MD5 still provides adequate protection against brute-force attacks.

While nobody should be designing new protocols using MD5 just because there is no reason to use a hash algorithm that 
has *any* known weaknesses, its known weaknesses are not relevant to this application.

A method is known to generate two pieces of data with the same MD5 hash. This isn't the same thing as saying that a 
method is known to generate a piece of data with any given MD5 hash, or the same MD5 hash as another piece of data.



On 31 August 2025 11:40:12 CEST, Dan Mahoney via NANOG <nanog () lists nanog org> wrote:
> Randy,
>
> Something else I recently discovered that relates to this issue: 
>
> I think there’s a serious flaw in the way ssh key hashes are done on IOS.  I’ve been in touch with Cisco CSIRT about 
> it, and they’ve approved publication, but in short, if you’re using pubkey auth to a cisco device, you might want to 
> rethink it.  
>
> Short version: Unlike normal pubkeys, IOS only stores an md5 hash of your key to auth against, and you can thus use 
> any key that matches that hash.  Which an attacker now has.
>
> https://gushi.medium.com/what-i-learned-from-configuring-ssh-pubkey-auth-on-cisco-ios-cbeb1e5b3b77
>
> (should not be paywalled, email me privately if it is)
>
> > On Aug 30, 2025, at 11:30, Randy Bush via NANOG <nanog () lists nanog org> wrote:
> >
> > a fellow nanogger wrote:
> >
> > > I've only *just* gotten to the note from a week or more ago.
> > >
> > > >    + tftp-server nvram:startup-config          <<<<<<======
> > > >      snmp-server community foo 98
> > > >      snmp-server trap-source Vlan1
> > > >      snmp-server location Ashburn VA US
> > >
> > > I, too, got this from a RANCID setup I built a long time ago.
> > >
> > > > and here is the talos report, thanks joe
> > > >
> > > >   https://blog.talosintelligence.com/static-tundra/
> > > >
> > > > set `no vstack` in config.  no, that is not the default.
> > >
> > > I'd told the owner that I didn't think he had control of his gear
> > > anymore, but this helped me to convince him to put a new switch in.
> >
> > moving this to nanog because i did not elaborate on a critical point.
> >
> > when you get this, presume the config of this trivial ancient devic has
> > been snatched.  did the device have any burned in users, a la
> >
> >     username foo privilege 15 password 7 bar
> >
> > and that uid/pass is used on other, presumably more modern, devices,
> > you need to change the passwords everywhere.
> >
> > same for other credentials, snmp, bgpmd5, ...
> >
> > randy
> > _______________________________________________
> > NANOG mailing list 
> > https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HJ64BOPTJ75K3EX5AEHR4E4LW5OZEEQG/
>
> _______________________________________________
> NANOG mailing list 
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FKCDTX5WO74LJBAE5DDNDBW3V7J76AB7/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FNXYQDBG4MCJOV4Y2GSJFT4HLHFAOA6U/