
Re: MD5 is insecure


From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Thu, 4 Sep 2025 08:21:12 -0400

Dan-

The main concern I have with your post, and the reason I have been so vocal
in these messages, centers around the following:

Or you might consider just going back to using inline passwords and
consider Cisco’s ssh implementation a failure at launch — at least the
“secret” hashing algorithms are salted, but on older kit, it’s also still
md5.


It's absolutely fair to criticize their implementation in its current form.
I could see it making sense 20 years ago, but they've had time to iterate
and improve on it, and should have.

However, Cisco's implementation is not vulnerable to any currently known
exploits, and the theoretical attack vectors don't seem to apply either.

The fact that you make a recommendation for readers to *stop using public
key SSH auth* because of that is, respectfully, absolutely irresponsible.
Someone, somewhere is going to read this, and follow this advice, making
their device LESS secure, and for no good reason. We don't tell people
that current cryptography might eventually someday be vulnerable to quantum
computers, so stop using cryptography completely. You are doing that here,
by saying "This might be exploitable some day, so don't use it."
Everything MIGHT be exploitable some day, that's how it goes.



On Thu, Sep 4, 2025 at 6:01 AM Dan Mahoney via NANOG <nanog () lists nanog org> wrote:



On Sep 4, 2025, at 00:51, Saku Ytti via NANOG <nanog () lists nanog org> wrote:

I'm not educated on the subject matter, so it doesn't matter when I
think that this absolutely is a non-issue and does not impact SSH
security.

For people like me, could someone showcase how, given the MD5 hash,
they successfully login to the device, not having access to the
private key of the client. Don't explain to me why it works, show me
how you login to Cisco device using this.
Explaining won't work, because from my perspective in this thread it
has been very well explained why it doesn't matter, why there is no
security issue.

I had composed a long response here, but I think the tone of what I wrote
in my blog speaks for itself, or I would have used different words, but at
this point I don’t know if people have read the post, so I’ll rehash a bit.

The tone of my article was not “Holy crap, patch everything now”, it was
“wow, that’s funny, they’re doing a thing that literally nobody else is
doing that *theoretically* (regardless of what hash algo is used) increases
the attack surface quite a lot, but it’s especially bad if yet another
flaw is discovered in an algorithm that’s already had many flaws discovered
(and those flaws were known as of the most recent releases of the OS for
these devices). Why is nobody else doing what they’re doing? I wonder.”

Good thing they give me the option of using another algorithm.  Good thing
that if I actually go to upload my full key, they keep it around, but give
me the option of a hash for convenience.  Good thing I’m not trusting my
entire network to these devices.  Good thing they make it easy to get
patched software for without a service entitlement, and they also make it
easy to get a service contract for a device I bought on the secondary
market.  (These are all false statements).

It’s not just about md5, it’s about many other corners that were cut by
the same vendor, including the one that bit Randy, with their
p0wn-by-default “smart install” feature.

-Dan
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/RHX4K7NXRBDIPMU3BSGNYPO26PYCPUCP/
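As an added illustration of what this thread is arguing about (example code, not from any of the posters or from the vendor): a verifier that stores only an MD5 fingerprint of an SSH public key, next to one that stores the key itself. The compact upper-case hex digest form and the constructed ssh-ed25519 sample key are assumptions for the example, not taken from vendor documentation; in the real protocol either check only decides whether a presented key is authorized, and the client must still sign the session challenge with the matching private key.

```python
import base64
import hashlib
import hmac
import struct


def constructed_pubkey_line(seed: int) -> str:
    """Constructed sample: an OpenSSH-format ssh-ed25519 line whose 32-byte
    'point' is a fixed test pattern, not a real key. Only the blob shape matters."""
    point = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " test@example"


def key_blob(pubkey_line: str) -> bytes:
    """Return the raw wire-format key blob from an authorized_keys-style line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with its own type string; it must agree with the text type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != fields[0]:
        raise ValueError("key type mismatch between text and blob")
    return blob


def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 of the key blob as upper-case hex. This is the digest `ssh-keygen -E md5 -l`
    prints colon-separated; the compact form here is an assumed storage format."""
    return hashlib.md5(key_blob(pubkey_line)).hexdigest().upper()


def authorize_by_hash(stored_hash: str, presented_line: str) -> bool:
    """Hash-based check: accepts ANY key whose blob digests to stored_hash, so the
    decision rests on MD5's second-preimage resistance, not on the key bytes."""
    return hmac.compare_digest(md5_fingerprint(presented_line), stored_hash.upper())


def authorize_by_key(stored_line: str, presented_line: str) -> bool:
    """Full-key check: accepts only a byte-identical blob; no hash in the trust path."""
    return hmac.compare_digest(key_blob(stored_line), key_blob(presented_line))
```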