-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             
             ESB-97.148 --  Cisco IOS password encryption facts
                              13 November 1997

===========================================================================

Cisco has released the following advisory discussing the strength of some
of the different password encoding schemes used in their router.  Some of
these encryption schemes may allow the decryption of passwords in Cisco
configuration files under certain circumstances.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

Cisco may be contacted via the Internet's Worldwide Web at:

	http://www.cisco.com

If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/information/advisories.html

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

A non-Cisco source has recently released a new program to decrypt user
passwords (and other passwords) in Cisco configuration files. The program
will not decrypt passwords set with the "enable secret" command.

The unexpected concern that this program has caused among Cisco customers
has led us to suspect that many customers are relying on Cisco password
encryption for more security than it was designed to provide. This document
explains the security model behind Cisco password encryption, and the
security limitations of that encryption.

User Passwords
- - --------------
User passwords and most other passwords (*not* enable secrets) in Cisco IOS
configuration files are encrypted using a scheme that's very weak by modern
cryptographic standards.

Although Cisco does not distribute a decryption program, at least two
different decryption programs for Cisco IOS passwords are available to the
public on the Internet; the first public release of such a program of which
Cisco is aware was in early 1995. We would expect any amateur cryptographer
to be able to create a new program with no more than a few hours' work.

The scheme used by IOS for user passwords was never intended to resist a
determined, intelligent attack; it was designed to avoid casual
"over-the-shoulder" password theft. The threat model was someone reading a
password from an administrator's screen. The scheme was never supposed to
protect against someone conducting a determined analysis of the
configuration file.

Because of the weak encryption algorithm, it has always been Cisco's
position that customers should treat any configuration file containing
passwords as sensitive information, the same way they would treat a
cleartext list of passwords.

Enable Secret Passwords
- - -----------------------
Enable secrets are hashed using the MD5 algorithm. As far as anyone at
Cisco knows, it is impossible to recover an enable secret based on the
contents of a configuration file (other than by obvious dictionary
attacks).

Note that this applies only to passwords set with "enable secret", *not*
to passwords set with "enable password". Indeed, the strength of the
encryption used is the only significant difference between the two
commands.

Other Passwords
- - ---------------
Almost all passwords and other authentication strings in Cisco IOS
configuration files are encrypted using the weak, reversible scheme used
for user passwords. To determine which scheme has been used to encrypt a
specific password, check the digit preceding the encrypted string in the
configuration file. If that digit is a 7, the password has been encrypted
using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.

For example, in the configuration command

    enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

The enable secret has been hashed with MD5, whereas in the command

    username jbash password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

The password has been encrypted using the weak reversible algorithm.

Can the algorithm be changed?
- - -----------------------------
Cisco has no immediate plans to support a stronger encryption algorithm for
IOS user passwords. Should Cisco decide to introduce such a feature in the
future, that feature will definitely impose an additional ongoing
administrative burden on users who choose to take advantage of it.

It is not, in the general case, possible to switch user passwords over to
the MD5-based algorithm used for enable secrets, because MD5 is a one-way
hash, and the password can't be recovered from the encrypted data at all.
In order to support certain authentication protocols (notably CHAP), the
system needs access to the clear text of user passwords, and therefore must
store them using a reversible algorithm.

Key management issues would make it a nontrivial task to switch over to a
stronger reversible algorithm, such as DES. Although it would be easy to
modify IOS to use DES to encrypt passwords, there would be no security
advantage in doing so if all IOS systems used the same DES key. If
different keys were used by different systems, an administrative burden
would be introduced for all IOS network administrators, and portability of
configuration files between systems would be damaged. Customer demand
for stronger reversible password encryption has been small.

November 10, 1997

- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNGen1wyPsuGbHvEpAQFYHwgAtIs5PykwbZ11H3kzKxpl67I4OX4Kngli
wKL7PHxbKMvB12l/oiFoTcrOqWXVWN6AQ3ObbkJ+GD02zHbW+5rU/2/dys86GQAi
MGBLS/7pKrb9oPjeI5P+ZZIGfaM/Cs6y6nRN2jeC2ZSglGmlsaWua0Sm+9ytvz1b
x730JE1yGybxnBHYGsonSpRNQ8xx8RKjG+HZ5gFROWkY/gsBeqiEcz/y+XJq0qwO
6ULpwAKVV9jld4m93ZJe3LzyjrOUM7+pk3UzNAZu1IfUoy1L3J/VfehbBc7BmMy7
0AylJwuhNd3mlCe3Vl0VgCG/qC/hjX+860QY9CWb411Nstc+pyjcqw==
=JdSr
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNGssXyh9+71yA2DNAQG1wAP+I319LIHkci5XougWKYq34NqJsrStyVjp
M0NRWPpOMwNZ581fIQ/mF6+FiLBrdfbDTTGICSjWb/THoZhX1/OU8KNz2+IKha8l
aRaEs+z2p9JAhNPnqvma6lO5L88fM6N69Jx/vaqfJ0YWlbO4H5B1nm3gAwUvJWV/
hcf6LjqarpU=
=UQrK
-----END PGP SIGNATURE-----