When to use type-6 encrypted or type-7 encrypted?

Answered Question
Feb 11th, 2013

Does somebody know what the difference is between type-6 encrypted (6) and type-7 encrypted (7) in the following command?

tacacs-server key [0 | 6 | 7] key-value

Description:

Specifies a TACACS+ key for all TACACS+ servers. You can specify that the key-value is in clear text format (0), is type-6 encrypted (6), or is type-7 encrypted (7). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text. The maximum length is 63 characters.

Any ideas?

Thanks,

guruiz

Correct Answer by Peter Paluch, Thu, 02/14/2013 - 15:59

Hello guruiz,

Type-7 passwords are encrypted using a weak cipher and an encryption key that is hardwired into IOS. Type-7 passwords configured on one device can be decrypted on any other device because the encryption/decryption key is contained within the IOS. While this can be advantageous when, for example, migrating configuration between devices, this can also be considered a security drawback if the passwords should be specific to the device. It should also be noted that both the cipher mechanism and the key are already publicly known and there are many decryptors for Type-7 passwords freely available.

Type-6 passwords are encrypted using the AES cipher and a user-defined master key. These passwords are much better protected, and the additional difficulty in their decryption comes from the fact that the master key is also defined by the user and is never displayed in the configuration. Without knowledge of this master key, Type-6 keys are unusable. The disadvantage is that when backing up a configuration or migrating it to another device, the master key is not dumped and has to be configured again manually.

While the following document is related to IOS and not to NX-OS, it provides the additional info you may find interesting:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml

Type-6 passwords are significantly more secure than Type-7 passwords.

Please note that the number in the tacacs-server key [0 | 6 | 7] key-value command tells the device in what format the key-value already is, i.e. whether it is already Type-6 or Type-7 encrypted. You do not select the resulting encryption type using this number. There is a different command that will cause existing passwords in the configuration to be Type-6 encrypted. I am not familiar with NX-OS, but in IOS, the document mentioned above describes how the Type-6 passwords can be activated.

Best regards,

Peter
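
As an added example (not part of the thread, and not Cisco code), the following Python script turns Peter's point into a defensive audit check: it scans a configuration excerpt for keys and passwords stored with format digit 0 (clear text) or 7 (reversible, hardwired key) and flags them, while treating format 6 (AES with a user-defined master key) as acceptable. The regular expression, the sample configuration and every key value in it are assumptions constructed for this example; the type-6 string is a placeholder, not real ciphertext.

```python
"""Audit a Cisco-style configuration for keys stored in weak formats.

Added example, not from the forum thread or from Cisco.  It assumes the
three formats discussed in the thread:
  0 = clear text, 7 = type-7 (reversible, fixed key), 6 = type-6 (AES,
  user-defined master key).
"""
import re
from typing import Dict, List

# Matches lines such as (constructed forms):
#   tacacs-server key 7 0822455D0A16
#   radius-server key 0 NotSoSecret
#   username operator password 6 <placeholder>
# Group 1 is the format digit, group 2 the stored value.  Only the three
# formats from the thread are matched; hashed formats (e.g. "secret 5")
# are a different mechanism and are left alone.
_KEY_RE = re.compile(r"\b(?:key|password|secret)\s+([067])\s+(\S+)")

# Risk label and remediation note per format digit, following the thread.
_FORMAT_RISK: Dict[str, str] = {
    "0": "CLEAR_TEXT",
    "7": "TYPE7_REVERSIBLE",
    "6": "TYPE6_AES",
}
_ADVICE: Dict[str, str] = {
    "0": "stored in clear text; re-enter once type-6 encryption is enabled",
    "7": "type-7 uses a publicly known cipher and key; migrate to type-6",
    "6": "type-6; remember the master key is not included in config backups",
}


def audit_config(config_text: str) -> List[Dict[str, object]]:
    """Return one finding per line that stores a key/password in format 0, 6 or 7."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _KEY_RE.search(line)
        if not m:
            continue
        fmt = m.group(1)
        findings.append({
            "line": lineno,
            "command": line.strip().split()[0],
            "format": fmt,
            "risk": _FORMAT_RISK[fmt],
            "advice": _ADVICE[fmt],
        })
    return findings


def weak_findings(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only entries that are clear text or type-7 (i.e. not type-6)."""
    return [f for f in findings if f["risk"] != "TYPE6_AES"]


# Constructed sample configuration for the example (values are not real keys).
SAMPLE_CONFIG = """\
! constructed sample configuration
hostname nxos-lab
tacacs-server key 7 0822455D0A16
tacacs-server host 192.0.2.10
radius-server key 0 NotSoSecret
username operator password 6 PLACEHOLDER_TYPE6_VALUE
"""

if __name__ == "__main__":
    for f in weak_findings(audit_config(SAMPLE_CONFIG)):
        print(f"line {f['line']}: {f['command']} uses {f['risk']}: {f['advice']}")
```

Run against a saved running-config, the script lists each line whose key is still clear text or type-7 so it can be re-entered after type-6 encryption has been enabled, and reminds you for type-6 entries that the master key must be restored separately when a backup is replayed onto another device.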

guruiz Fri, 02/15/2013 - 10:15

Thanks Peter,

This is a fantastic and clear answer!!

I have read the document and it makes more sense now.

Thank you so much!

Regards

guruiz

Posted February 11, 2013 at 8:42 AM