RE: CISCO MD5 encryption

["David Gillett" <gillettdavid () fhda edu>]

> What you - or anyone arguing against MD5 in this thread - have not
explained is why we should be concerned
> about collisions in a hash function used for password hashing?
>
> The short answer is that we shouldn't be in any serious way. Collisions
affect a hash algorithm when you're
> using it for digital signatures, or some other uses. Knowing a whole bunch
of MD5 collisions does not help in
> any way with reversing a captured MD5 hash.

Do we KNOW what Cisco's password-checking code looks like?

Since you can copy the running configuration text file to a virgin device
and it all works, I'd say that there's an excellent chance that any password
entered will be accepted if the hash matches -- that is, an engineered
collision is as good as recovery of the actual password.

David Gillett


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------