At 00:22 28/06/2001 +0200, David Hyams wrote: ...%<....%<.... lot of valid comments deleted .... >* It's well known that the encryption algorithm for vty passwords is very >weak. Numerous software tools exist to decrypt the vty password. Isn't it >time to abandon this algorithm and implement a real encryption algorithm for >ALL passwords (not just the "enable secret" command)? If an attacker can get >the device config, then it's far too easy to decrypt the password (assuming >of course that it is encrypted! See above) > David, As you probably know, for some password (used notably for SNMP, CHAP, PAP, IKE, ...) there is a protocol need to get those passwords in the clear. Hence, the obfuscation mechanism will always be reversible. Even using 3DES will require a hard coded key hidden somewhere in the IOS code (and a 'simple' reverse engineering will expose this key). Of course, suggestions are welcome Just my 0.01 BEF (still 6 months to live) -eric >regards > >David Hyams >-- >david.hyams@kmu-security.ch >http://www.kmu-security.ch
This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 13:29:23 PDT