02-11-2013 08:42 AM - edited 03-07-2019 11:38 AM
Does somebody know what the difference is between type-6 encrypted (6) and type-7 encrypted (7) in the following command?
tacacs-server key [0 | 6 | 7] key-value
Description:
Specifies a TACACS+ key for all TACACS+ servers. You can specify that the key-value is in clear text format (0), is type-6 encrypted (6), or is type-7 encrypted (7). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text. The maximum length is 63 characters.
Any ideas?
Thanks,
guruiz
02-14-2013 03:59 PM
Hello guruiz,
Type-7 passwords are encrypted using a weak cipher and an encryption key that is hardwired into IOS. Type-7 passwords configured on one device can be decrypted on any other device because the encryption/decryption key is contained within the IOS. While this can be advantageous when, for example, migrating configuration between devices, this can also be considered a security drawback if the passwords should be specific to the device. It should also be noted that both the cipher mechanism and the key are already publicly known and there are many decryptors for Type-7 passwords freely available.
Type-6 passwords are encrypted using the AES cipher and a user-defined master key. These passwords are much better protected, and the additional difficulty in decrypting them comes from the fact that the master key, too, is defined by the user and is never displayed in the configuration. Without knowledge of this master key, Type-6 keys are unusable. The disadvantage is that when backing up a configuration or migrating it to another device, the master key is not dumped and has to be configured again manually.
While the following document is related to IOS and not to NX-OS, it provides additional info you may find interesting:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml
Type-6 passwords are significantly more secure than Type-7 passwords.
Please note that the number in the tacacs-server key [0 | 6 | 7] key-value command tells the device in what format the key-value already is, i.e. whether it is already Type-6 or Type-7 encrypted. You do not select the resulting encryption type using this number. There is a different command that will cause existing passwords in the configuration to be Type-6 encrypted. I am not familiar with NX-OS, but for IOS, the document mentioned above describes how Type-6 passwords can be activated.
Best regards,
Peter
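Peter's last point, that the digit only records the format the key-value is already in, is what a configuration audit can act on: a saved config that still shows keys with 0 or 7 is storing secrets that anyone holding the file can read, while 6 means they are only usable together with the operator's master key. The script below is an added example written for this thread; it is not code from Peter, from Cisco, or from any Cisco tool. It scans a constructed config excerpt (the hostname and addresses are made up) for the common IOS/NX-OS forms of tacacs-server and radius-server key statements, which is an assumption about syntax, and classifies each secret by its encoding digit. It does not decode anything.

```python
"""Audit a saved Cisco config for how its TACACS+/RADIUS keys are stored.

Added example for this thread (not Cisco's or the poster's code). It only
interprets the encoding digit the config already records, 0 / 6 / 7, which
is exactly what the number in 'tacacs-server key [0|6|7] key-value' means.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Secret-bearing statements in the usual IOS / NX-OS form (assumption):
#   tacacs-server key 7 <value>
#   tacacs-server host <addr> key 6 <value>
#   radius-server host <addr> auth-port 1812 acct-port 1813 key 0 <value>
# The encoding digit is optional; when it is absent the value is literal
# clear text as typed at the CLI.
_SECRET_LINE = re.compile(
    r"^\s*(?P<cmd>(?:tacacs|radius)-server(?: host .*?)? key)"
    r"\s+(?:(?P<type>[067])\s+)?(?P<value>\S.*?)\s*$"
)

# Classification of each encoding digit, following the thread's reasoning.
CLASSES = {
    "0": ("clear-text", "HIGH"),          # readable by anyone holding the file
    "7": ("type-7-reversible", "HIGH"),   # fixed, public key: decodable on any device
    "6": ("type-6-aes", "OK"),            # AES under an operator-defined master key
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    command: str
    enc_type: str        # "0", "6", "7", or "none" when no digit was present
    classification: str
    severity: str


def audit_config(config_text: str) -> list[Finding]:
    """Return one Finding per secret-bearing line, in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = _SECRET_LINE.match(line)
        if not m:
            continue
        digit = m.group("type")
        if digit is None:
            # No encoding marker at all: the key is stored as plain text.
            classification, severity = CLASSES["0"]
            digit = "none"
        else:
            classification, severity = CLASSES[digit]
        findings.append(Finding(line_no, m.group("cmd"), digit, classification, severity))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per classification, e.g. {'type-7-reversible': 1, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.classification] = counts.get(f.classification, 0) + 1
    return counts


# Constructed config excerpt for demonstration (not a real device's config).
SAMPLE_CONFIG = """\
hostname nx-sample
tacacs-server key 7 "fewhg123"
tacacs-server host 192.0.2.10 key 6 AbCdEfGhIjKlMnOp
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key 0 SharedSecret1
tacacs-server host 192.0.2.11 key NoDigitHere
aaa group server tacacs+ T1
"""


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.command!r} type={f.enc_type} "
              f"-> {f.classification} [{f.severity}]")
    print(summarize(audit_config(SAMPLE_CONFIG)))
```

Run against the sample, the script flags the type-7 key and both clear-text keys as HIGH and accepts only the type-6 entry. Fixing a HIGH finding is not a matter of changing the digit, as Peter notes: on IOS the master key is set with key config-key password-encrypt and type-6 storage is enabled with password encryption aes (the subject of the linked document); NX-OS uses different commands, which this thread does not cover.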
02-15-2013 10:15 AM
Thanks Peter,
This is a fantastic and clear answer!!
I have read the document and it makes more sense now.
Thank you so much !
Regards
guruiz