04-08-2010 04:48 AM - edited 03-10-2019 05:03 PM
OK. I'll go out on a limb here: what is the risk of a compromised TACACS server key? It doesn't seem like all that much. You can use it to try and authenticate a user against the server directly?
Is there a reason that the key is encrypted using Cisco's Type 7 encryption, which is easily reversed, versus something like MD5 or SHA1 when stored in the router configuration?
04-08-2010 10:27 AM
As you said, someone having the key could authenticate users against the server, but he could not steal usernames and passwords. It is more of a shared secret between the router and TACACS. Not that it is a pleasant situation for someone to steal it.
Even if it were MD5, it would still be susceptible to attacks. Those would be harder than with the Type 7 encryption.
Not all key features were designed to be obfuscated the same way.
For example, for IKE keys you can even encrypt them with AES, but you cannot do that for OSPF keys.
I hope it clarifies it a little.
PK
04-08-2010 04:22 PM
Thanks for the reply.
After reading through the RFC, I guess that since the key is also used for a pad function on the communication, knowing what it is could simplify cryptanalysis of the packet, allowing someone to determine usernames and passwords as they cross the wire.
B
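The pad function mentioned above is the body obfuscation from the TACACS+ specification (RFC 8907, section 4.5): a keystream of chained MD5 digests built from the session id, the shared key, the version and the sequence number, XORed over the packet body. The following added example (not code from this thread or from Cisco) implements that keystream and shows why the key is the only secret in the scheme: every other pad input is in the cleartext header, so whoever recovers the key from a Type 7 string can turn a captured authentication packet back into plaintext. The packet body, key and session id are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear (RFC 8907 s4.1)
HEADER_LEN = 12                   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated, truncated.
    Every input except `key` is readable from the 12-byte header on the wire."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 version: int = 0xC0, pkt_type: int = 1) -> bytes:
    """Wrap a body in a TACACS+ header and obfuscate it (XOR with the pad)."""
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def recover_body(packet: bytes, key: bytes) -> bytes:
    """What a holder of the key can do with a captured packet: parse the header,
    regenerate the pad and XOR the body back (XOR is its own inverse).
    With the wrong key the same steps yield unrelated bytes."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample: an authentication START body for user "alice"
# (action, priv_lvl, authen_type, authen_service, user_len, port_len,
#  rem_addr_len, data_len, then the user field; RFC 8907 s5.1).
USER = b"alice"
SAMPLE_BODY = bytes([1, 1, 1, 1, len(USER), 0, 0, 0]) + USER
SAMPLE_KEY = b"example-shared-secret"   # constructed placeholder, not a real key
SAMPLE_PACKET = build_packet(SAMPLE_BODY, SAMPLE_KEY, session_id=0x1A2B3C4D)

if __name__ == "__main__":
    print(recover_body(SAMPLE_PACKET, SAMPLE_KEY))   # b'\x01\x01\x01\x01\x05\x00\x00\x00alice'
    print(recover_body(SAMPLE_PACKET, b"wrong-key")) # unrelated bytes
```

Because the pad is a deterministic function of the key plus header fields, there is no per-session secret: a key exposed once in a configuration exposes every capture made with it, before or after.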