When to use type-6 encrypted or type-7 encrypted?

guillermo.ruiz
Level 1

Does somebody know what the difference is between type-6 encrypted (6) and type-7 encrypted (7) in the following command?

tacacs-server key [0 | 6 | 7] key-value

Description:

Specifies a TACACS+ key for all TACACS+ servers. You can specify that the key-value is in clear text format (0), is type-6 encrypted (6), or is type-7 encrypted (7). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text. The maximum length is 63 characters.

Any ideas?

Thanks,

guruiz

Accepted Solution

Peter Paluch
Cisco Employee

Hello guruiz,

Type-7 passwords are encrypted using a weak cipher and an encryption key that is hardwired into IOS. Type-7 passwords configured on one device can be decrypted on any other device because the encryption/decryption key is contained within the IOS. While this can be advantageous when, for example, migrating configuration between devices, this can also be considered a security drawback if the passwords should be specific to the device. It should also be noted that both the cipher mechanism and the key are already publicly known and there are many decryptors for Type-7 passwords freely available.

Type-6 passwords are encrypted using the AES cipher and a user-defined master key. These passwords are much better protected, and the additional difficulty in decrypting them comes from the fact that the master key, too, is defined by the user and is never displayed in the configuration. Without knowledge of this master key, Type-6 keys are unusable. The disadvantage is that when backing up a configuration or migrating it to another device, the master key is not dumped and has to be configured again manually.

While the following document is related to IOS and not to NX-OS, it provides the additional info you may find interesting:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml

Type-6 passwords are significantly more secure than Type-7 passwords.

Please note that the number in the tacacs-server key [0 | 6 | 7] key-value command tells the device in what format the key-value already is, i.e. whether it is already Type-6 or Type-7 encrypted. You do not select the resulting encryption type using this number. There is a different command that will cause existing passwords in the configuration to be Type-6 encrypted. I am not familiar with NX-OS, but in IOS, the document mentioned above describes how Type-6 passwords can be activated.

Best regards,

Peter

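A practical follow-on to the answer above, for anyone who has to check whether a saved configuration still carries clear-text or Type-7 keys: the script below is an added example (not code from this thread, from Peter, or from Cisco) that scans config text for `key`/`password` lines, reads the numeric format marker (0, 6 or 7) exactly as the answer describes it, and reports which entries should be re-entered under Type-6 protection. It assumes the generic `<keyword> <marker> <value>` line shape shown in the question; the config excerpt and all key values in it are constructed placeholders, not real secrets.

```python
"""Audit a Cisco-style running configuration for weakly protected keys.

Added example: classifies key/password lines by the numeric format marker
(0 = clear text, 7 = reversible fixed-key obfuscation, 6 = AES under a
user-defined master key) and reports which ones still need converting.
"""
import re
from collections import Counter

# Constructed sample config excerpt; every value here is a placeholder.
SAMPLE_CONFIG = """\
hostname nx-edge-1
tacacs-server key 0 PlaintextSharedKey
tacacs-server host 10.0.0.5 key 7 "070c285f4d06"
radius-server key 6 "AAAABBBBCCCCDDDDEEEEFFFF00001111"
username netops password 7 094f471a1a0a
username auditor password 6 "ZZZZYYYYXXXXWWWWVVVVUUUU22223333"
"""

# Matches "<keyword> <format-marker> <value>"; the value may be double-quoted.
SECRET_RE = re.compile(
    r'\b(?P<kw>key|password)\s+(?P<fmt>[067])\s+(?P<value>"[^"]*"|\S+)'
)

# Type-7 strings are a two-digit seed followed by hex byte pairs, so a
# well-formed one is all hex and has an even length of at least four.
TYPE7_SHAPE = re.compile(r"^[0-9A-Fa-f]{4,}$")

VERDICTS = {
    "0": ("CLEARTEXT", "stored unprotected; convert before sharing or backing up"),
    "7": ("TYPE7_REVERSIBLE", "public fixed-key cipher; treat as clear text"),
    "6": ("TYPE6_AES", "AES under the device master key; unusable without that key"),
}


def audit_config(text):
    """Return one finding per key/password line: (line_no, keyword, fmt, verdict, note)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        fmt, value = m.group("fmt"), m.group("value").strip('"')
        verdict, note = VERDICTS[fmt]
        # A "7" marker whose value is not hex-pair shaped is malformed: either
        # the line was mis-typed or a clear-text key was pasted with marker 7.
        if fmt == "7" and (len(value) % 2 or not TYPE7_SHAPE.match(value)):
            verdict, note = "TYPE7_MALFORMED", "marker says 7 but value is not a type-7 string"
        findings.append((line_no, m.group("kw"), fmt, verdict, note))
    return findings


def needs_conversion(findings):
    """Findings that should be re-entered so they end up Type-6 protected."""
    return [f for f in findings if f[3] != "TYPE6_AES"]


def summary(findings):
    """Count of findings per verdict, e.g. {'TYPE7_REVERSIBLE': 2, ...}."""
    return dict(Counter(f[3] for f in findings))


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for line_no, kw, fmt, verdict, note in results:
        print(f"line {line_no:>3}: {kw} {fmt} -> {verdict}: {note}")
    print("summary:", summary(results))
    print("to convert:", [f[0] for f in needs_conversion(results)])
```

Run it against a saved `show running-config` dump and treat every `CLEARTEXT` or `TYPE7_REVERSIBLE` hit as a secret that anyone holding the backup can read. Converting them is a device-side step, not something this script does; on IOS the Cisco document linked in the answer covers enabling the Type-6 master key and AES password encryption, and on NX-OS the equivalent procedure is in the platform security guide. Keep the master key in your secrets store, since a restored backup with Type-6 values and no master key is exactly the unusable case the answer warns about.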
2 Replies

Thanks Peter,

This is a fantastic and clear answer!!

I have read the document and it makes more sense now.

Thank you so much!

Regards,

guruiz
