Re: MD5 is insecure

[Jimi Thompson via NANOG <nanog () lists nanog org>]

https://crackstation.net/ - 190GB MD5 password hash rainbow table with 1.5
billion entries.  If that's easily findable by Google, imagine what some of
the APT groups might have....

On Sun, Aug 31, 2025 at 1:16 PM nanog--- via NANOG <nanog () lists nanog org>
wrote:

> There is currently no known way to generate a private key that would match
> your private key hash, faster than brute force, and MD5 still provides
> adequate protection against brute-force attacks.
>
> While nobody should be designing new protocols using MD5 just because
> there is no reason to use a hash algorithm that has *any* known weaknesses,
> its known weaknesses are not relevant to this application.
>
> A method is known to generate two pieces of data with the same MD5 hash.
> This isn't the same thing as saying that a method is known to generate a
> piece of data with any given MD5 hash, or the same MD5 hash as another
> piece of data.
>
>
>
> On 31 August 2025 11:40:12 CEST, Dan Mahoney via NANOG <
> nanog () lists nanog org> wrote:
> > Randy,
> >
> > Something else I recently discovered that relates to this issue:
> >
> > I think there’s a serious flaw in the way ssh key hashes are done on
> IOS.  I’ve been in touch with Cisco CSIRT about it, and they’ve approved
> publication, but in short, if you’re using pubkey auth to a cisco device,
> you might want to rethink it.
> > Short version: Unlike normal pubkeys, IOS only stores an md5 hash of your
> key to auth against, and you can thus use any key that matches that hash.
> Which an attacker now has.
> >
> https://gushi.medium.com/what-i-learned-from-configuring-ssh-pubkey-auth-on-cisco-ios-cbeb1e5b3b77
> > (should not be paywalled, email me privately if it is)
> >
> > > On Aug 30, 2025, at 11:30, Randy Bush via NANOG <nanog () lists nanog org>
> wrote:
> > > a fellow nanogger wrote:
> > >
> > > > I've only *just* gotten to the note from a week or more ago.
> > > >
> > > > >    + tftp-server nvram:startup-config          <<<<<<======
> > > > >      snmp-server community foo 98
> > > > >      snmp-server trap-source Vlan1
> > > > >      snmp-server location Ashburn VA US
> > > >
> > > > I, too, got this from a RANCID setup I built a long time ago.
> > > >
> > > > > and here is the talos report, thanks joe
> > > > >
> > > > >   https://blog.talosintelligence.com/static-tundra/
> > > > >
> > > > > set `no vstack` in config.  no, that is not the default.
> > > >
> > > > I'd told the owner that I didn't think he had control of his gear
> > > > anymore, but this helped me to convince him to put a new switch in.
> > >
> > > moving this to nanog because i did not elaborate on a critical point.
> > >
> > > when you get this, presume the config of this trivial ancient devic has
> > > been snatched.  did the device have any burned in users, a la
> > >
> > >     username foo privilege 15 password 7 bar
> > >
> > > and that uid/pass is used on other, presumably more modern, devices,
> > > you need to change the passwords everywhere.
> > >
> > > same for other credentials, snmp, bgpmd5, ...
> > >
> > > randy
> > > _______________________________________________
> > > NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HJ64BOPTJ75K3EX5AEHR4E4LW5OZEEQG/
> > _______________________________________________
> > NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FKCDTX5WO74LJBAE5DDNDBW3V7J76AB7/
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FNXYQDBG4MCJOV4Y2GSJFT4HLHFAOA6U/



-- 
Thanks,

Jimi
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/ZHNNPTXEHBKYYJXIEY4SCK7EDGGHKPZI/