cisco's encryption algorithm can be easily broken
Subject: Security Notice: cisco Systems password encryption update
Date: Fri, 17 Mar 1995 12:21:27 -0800
From: David Carrel
In recent postings, member(s) of this audience noted details of the
password "encryption" scheme utilized on cisco products. These postings
note cisco's encryption algorithm can be easily broken. This posting will
also explain the risks involved, what actions we're taking and what you can
do. If you have any further questions after reading this posting, please
contact us through your normal support channel.
1) What is cisco's password protection/encryption legacy?
cisco routers and access servers utilize passwords for
authentication. Our products can perform authentication in several ways,
some of which require cleartext passwords. For example, PPP-CHAP and ARAP
both require the cisco router to have access to a cleartext password. A
strong one-way encryption algorithm is not an option for storing these
passwords. Originally, all passwords were stored in cleartext. Later, we
implemented a reversible algorithm with the intent of hiding passwords from
the casual observer. Nothing more complex was ever intended, and we have
made this clear on this and other lists from time to time.
2) What are the risks with cisco's password protection/encryption scheme?
Risks exist if an attacker can gain access to your configuration
with the encrypted strings. Since our encryption can be reversed, access
to the encrypted strings can provide access to cleartext passwords. If you
store configurations on a network server (either using tftp or rcp from the
router) there is some risk if an attacker has access to the networks
between the cisco router and the server, or if the attacker has access to
the server. You may also be at risk if you view the configuration over a
network session (such as telnet) and an intruder can gain access to those
network segments.
3) How can you protect your router passwords from unauthorized access?
- First, consider upgrading your cisco software to get the latest
security enhancements. These are described in the next section.
- Next, protect your configurations. Use Access lists and
Firewalls to help provide protection. cisco can help you in both
of these areas. If you must write configurations to a network
server, do your best to protect the network and the server.
- Use rcp instead of tftp if possible. Rcp is far from perfect,
but it is more secure than Tftp. Tftp is completely
unauthenticated.
- Use a console whenever possible for configuring a router.
Hardwiring a console means configuration data doesn't cross the
network.
- Use TACACS to help keep a minimum number of passwords stored on
the router. TACACS provides far superior authentication
mechanisms including one-time password systems.
4) Encryption enhancements are now available from cisco
To address this encryption problem, we have implemented a stronger
one-way encryption algorithm. The algorithm is based on the MD5 hashing
function. Remember, many passwords on the router must be reversible, so this
new algorithm is only used for the enable passwords. Using the new algorithm
and TACACS, users will be able to remove all weakly encrypted passwords from
the router.
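The advice in sections 3 and 4 comes down to an audit question: which passwords in a stored configuration are cleartext, which use the reversible scheme, and is the enable password protected by the new one-way (MD5-based) form? The script below is an added example, not part of this notice or of any cisco software. It relies on the real IOS configuration syntax in which "enable secret" holds the one-way hash (displayed as "enable secret 5 <hash>"), "password 7 <hex>" marks the reversible scheme, and a bare "password <text>" (or "password 0 <text>") is cleartext. The sample configuration and every password value in it are constructed for illustration; the "password 7" strings are not real encodings of anything.

```python
"""Audit a cisco IOS-style configuration for weakly protected passwords.

Added example (not from the original posting or from cisco). Assumptions:
'enable secret' carries the MD5-based one-way hash, 'password 7 <hex>' is
the reversible scheme discussed in the notice, and 'password <text>' or
'password 0 <text>' is cleartext. The sample config below is constructed.
"""
import re

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
!
service password-encryption
hostname edge-router
enable password 7 0A1B2C3D4E5F60718293
username ops password 7 1122334455667788
username backup password cleartextpw
line vty 0 4
 password 7 99887766
 login
!
"""

# Matches '... password [<type>] <value>' at the end of a config line.
PASSWORD_RE = re.compile(r"\bpassword\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$")


def classify_line(line):
    """Return (category, redacted_line) for a weak password line, else None.

    The password value is replaced before reporting so that the audit output
    does not itself become a copy of the secrets in the configuration.
    """
    m = PASSWORD_RE.search(line)
    if not m:
        return None
    redacted = line[: m.start("value")] + "<redacted>"
    ptype = m.group("type")
    if ptype == "7":
        return ("reversible", redacted)   # reversible scheme: treat as exposed
    if ptype is None or ptype == "0":
        return ("cleartext", redacted)
    return None  # type 5 (MD5) and other one-way forms are not flagged


def audit_config(text):
    """Scan a configuration and return a list of (line_no, category, line).

    line_no 0 marks a config-wide finding: no 'enable secret' is present, so
    the enable password (if any) is either reversible or cleartext.
    """
    findings = []
    has_enable_secret = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("enable secret"):
            has_enable_secret = True
            continue
        result = classify_line(line)
        if result is not None:
            category, redacted = result
            findings.append((line_no, category, redacted))
    if not has_enable_secret:
        findings.append((0, "no_enable_secret",
                         "no 'enable secret' configured; migrate the enable password"))
    return findings


if __name__ == "__main__":
    for line_no, category, line in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:>3}  {category:<17} {line}")
```

Run against a saved copy of a configuration (for instance one written to a server with tftp or rcp, which is exactly the copy at risk), the "reversible" and "cleartext" findings are the passwords that should be moved behind TACACS where possible, and the "no_enable_secret" finding is the case section 4 addresses with the MD5-based enable secret.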
cisco has made new software images available on CIO (for registered
users: http://www.cisco.com or telnet/terminal access cio.cisco.com
408-526-8070 N81) or customers with Software Maintenance contracts may call
the Cisco Technical Assistance Center [800-553-2447, tac@cisco.com] to
request the software.
This code is available to customers in the following releases:

  Interim Release   Date Available   Maintenance Release   Date Available
  ---------------   --------------   -------------------   ------------------
  10.0(8.1)*        NOW              10.0(9)               scheduled FCS 4/10
  10.2(4.4)*        NOW              10.2(5)               scheduled FCS 3/27
  10.3(1.2)*        NOW              10.3(2)               scheduled FCS 4/3

  * The interim releases are only available via TAC.
In addition, cisco is developing several additional security
enhancement projects. Please continue to monitor our WWW homepage as some
of these will be available in the very near future.
----------------------------------------------------------------------------
David Carrel | E-mail: carrel@cisco.com
Security Development, cisco Systems | phone: (408) 526-5207
170 W. Tasman Drive | fax: (408) 526-4952
San Jose, CA 95134-1706 |
----------------------------------------------------------------------------
--
Paul Ferguson
cisco Systems, Consulting Engineering
Reston, Virginia USA
e-mail: pferguso@cisco.com