At 00:22 28/06/2001 +0200, David Hyams wrote:

...%<....%<.... lot of valid comments deleted ....

>* It's well known that the encryption algorithm for vty passwords is very
>weak. Numerous software tools exist to decrypt the vty password. Isn't it
>time to abandon this algorithm and implement a real encryption algorithm for
>ALL passwords (not just the "enable secret" command)? If an attacker can get
>the device config, then it's far too easy to decrypt the password (assuming
>of course that it is encrypted! See above)
>

David,

As you probably know, for some passwords (used notably for SNMP, CHAP, PAP, 
IKE, ...) there is a protocol need to get those passwords in the clear. 
Hence, the obfuscation mechanism will always be reversible. Even using 3DES 
would require a hard-coded key hidden somewhere in the IOS code (and a 
'simple' reverse engineering will expose this key).

Of course, suggestions are welcome.

Just my 0.01 BEF (still 6 months to live)

-eric


>regards
>
>David Hyams
>--
>[EMAIL PROTECTED]
>http://www.kmu-security.ch
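The practical consequence of the point made in this exchange is that a config dump has to be audited for credentials stored in a reversible form. The following is an added example, not code from the thread or from any Cisco tool: it walks an IOS-style config and classifies each credential by its storage type (0 = cleartext, 7 = the reversible line/vty obfuscation, 5 = the one-way "enable secret" hash). The type digits are real IOS syntax; the sample config and its placeholder values are constructed for the example.

```python
import re

# Constructed sample config (not from the message). Hash and type-7 values
# are placeholders, not real encoded secrets.
SAMPLE_CONFIG = """\
enable secret 5 $1$SAMP$PLACEHOLDER_HASH_VALUE
enable password 7 PLACEHOLDER_TYPE7_BLOB
username admin password 0 cleartextpw
username ops password plainnotype
snmp-server community public RO
line vty 0 4
 password 7 PLACEHOLDER_TYPE7_BLOB2
"""

# 'password'/'secret' followed by an optional type digit and the value.
CRED = re.compile(r"^\s*(.*?)\b(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")
SNMP = re.compile(r"^\s*snmp-server\s+community\s+(\S+)")

# Type 5 is a salted MD5 hash; 8 and 9 are the later PBKDF2/scrypt hashes.
HASHED_TYPES = {"5", "8", "9"}

def classify(ptype):
    """Map an IOS credential type digit to an audit verdict."""
    if ptype in HASHED_TYPES:
        return "ok: one-way hash"
    if ptype == "7":
        return "weak: reversible type 7 obfuscation"
    return "weak: cleartext"

def audit_config(config):
    """Report every credential-bearing line, with its enclosing section
    (e.g. 'line vty 0 4') so the finding can be located in the config."""
    findings, section = [], "global"
    for n, line in enumerate(config.splitlines(), 1):
        if line and not line[0].isspace():
            section = line.strip()  # a top-level command opens a section
        sec = section if line[:1].isspace() else "global"
        m = CRED.match(line)
        if m:
            prefix, kind, ptype, _ = m.groups()
            ptype = ptype or "0"    # no digit means cleartext
            findings.append({"line": n, "section": sec, "type": ptype,
                             "what": (prefix + kind).strip(),
                             "verdict": classify(ptype)})
        elif SNMP.match(line):
            # SNMPv1/v2c sends the community string in the clear, so the
            # config can only hold the cleartext value (the thread's point).
            findings.append({"line": n, "section": sec, "type": "0",
                             "what": "snmp-server community",
                             "verdict": "weak: cleartext (protocol requires it)"})
    return findings

def weak_findings(config):
    """Only the findings an auditor would act on."""
    return [f for f in audit_config(config) if f["verdict"].startswith("weak")]
```

Run against a real `show running-config` capture, every `weak` line is a credential recoverable by anyone who obtains the config file.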
