Re: CISCO MD5 encryption

[Security Manager <security () virtusec net>]

My Two Cents-
Security is best achieved using a layered process.  So while no one 
approach is what anyone would call bullet proof, implementing several 
road blocks will reduce your risk considerably.

MD5 is still useful and provides a degree of protection regarding the 
confidentiality of your password, however, if anyone can walk up to your 
switch, router or whatever, plug in a console cable and get enable 
access then you're pretty much hosed.  If someone can get their hands on 
the hash and has enough time and resources to develop all the rainbow 
table combos possible then they'll probably break the hash.  Now if you 
follow a process of changing such passwords on a schedule all those 
efforts could amount to a huge waste of time.  As security professionals 
we advocate lots of best practices, but I think many of us forget why.  
This is a fair example, change the password frequently enough that if 
you're hash were taken, by the time it was cracked it would already been 
changed.
Other layers, how about logging and reporting.  If I saw TACAS or Radius 
logs showing hundreds of login attempts that would certainly raise my 
curiosity about what is going on.
Anyway, aside from a few questionable comments, I think the group as a 
hole has provided some good practical data on MD5 and Cisco's 
implementation along with some other best practice/security-basics info.


On 2/24/11 9:49 AM, krymson () gmail com wrote:
> Ok...
>
> 1- MD5 is considered insecure and you can create collisions. (This doesn't mean it's suddenly obsolete, but there *is* 
> weakness.)
>
> 2- Cisco utilizes MD5 hashing to store passwords in configs.
>
> The problem here is I haven't seen anyone draw the lines between the weakness in MD5 and how it matters to Cisco's 
> usage of it.
>
> Just because you see "MD5" in a statement doesn't mean you can just drop the "don't use, it you're dumb" response. 
> Proper security needs more thought than that.
>
> Props to those responses who are knowledgable about the Cisco usage of MD5 and how that relates to the OP's question on 
> rainbow tables and how susceptible it may be.
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
> it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
> install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
> highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------