Security Basics mailing list archives
Re: CISCO MD5 encryption
From: Security Manager <security () virtusec net>
Date: Thu, 24 Feb 2011 11:42:00 -0500
My Two Cents-Security is best achieved using a layered process. So while no one approach is what anyone would call bullet proof, implementing several road blocks will reduce your risk considerably.
MD5 is still useful and provides a degree of protection regarding the confidentiality of your password, however, if anyone can walk up to your switch, router or whatever, plug in a console cable and get enable access then you're pretty much hosed. If someone can get their hands on the hash and has enough time and resources to develop all the rainbow table combos possible then they'll probably break the hash. Now if you follow a process of changing such passwords on a schedule all those efforts could amount to a huge waste of time. As security professionals we advocate lots of best practices, but I think many of us forget why. This is a fair example, change the password frequently enough that if you're hash were taken, by the time it was cracked it would already been changed. Other layers, how about logging and reporting. If I saw TACAS or Radius logs showing hundreds of login attempts that would certainly raise my curiosity about what is going on. Anyway, aside from a few questionable comments, I think the group as a hole has provided some good practical data on MD5 and Cisco's implementation along with some other best practice/security-basics info.
On 2/24/11 9:49 AM, krymson () gmail com wrote:
Ok... 1- MD5 is considered insecure and you can create collisions. (This doesn't mean it's suddenly obsolete, but there *is* weakness.) 2- Cisco utilizes MD5 hashing to store passwords in configs. The problem here is I haven't seen anyone draw the lines between the weakness in MD5 and how it matters to Cisco's usage of it. Just because you see "MD5" in a statement doesn't mean you can just drop the "don't use, it you're dumb" response. Proper security needs more thought than that. Props to those responses who are knowledgable about the Cisco usage of MD5 and how that relates to the OP's question on rainbow tables and how susceptible it may be. ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: CISCO MD5 encryption, (continued)
- Re: CISCO MD5 encryption Saif El Sherei (Feb 23)
- Re: CISCO MD5 encryption Jeffrey Walton (Feb 24)
- Re: CISCO MD5 encryption Paul Johnston (Feb 24)
- RE: CISCO MD5 encryption David Gillett (Feb 24)
- Re: CISCO MD5 encryption Paul Johnston (Feb 25)
- RE: CISCO MD5 encryption David Gillett (Feb 28)
- Re: CISCO MD5 encryption Security Manager (Feb 24)
- Re: CISCO MD5 encryption César García (Feb 24)
- Re: CISCO MD5 encryption Security Manager (Feb 24)