
New Member

When to use type-6 encrypted or type-7 encrypted?

Does somebody know what the difference is between type-6 encrypted (6) and type-7 encrypted (7) in the following command?

tacacs-server key [0 | 6 | 7] key-value

Description:

Specifies a TACACS+ key for all TACACS+ servers. You can specify that the key-value is in clear text format (0), is type-6 encrypted (6), or is type-7 encrypted (7). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text. The maximum length is 63 characters.

Any ideas?

Thanks,

guruiz

1 ACCEPTED SOLUTION
Cisco Employee

When to use type-6 encrypted or type-7 encrypted?

Hello guruiz,

Type-7 passwords are encrypted using a weak cipher and an encryption key that is hardwired into IOS. Type-7 passwords configured on one device can be decrypted on any other device because the encryption/decryption key is contained within the IOS. While this can be advantageous when, for example, migrating configuration between devices, this can also be considered a security drawback if the passwords should be specific to the device. It should also be noted that both the cipher mechanism and the key are already publicly known and there are many decryptors for Type-7 passwords freely available.

Type-6 passwords are encrypted using the AES cipher and a user-defined master key. These passwords are much better protected, and the additional difficulty in decrypting them comes from the fact that the master key is also defined by the user and is never displayed in the configuration. Without knowledge of this master key, Type-6 keys are unusable. The disadvantage is that when backing up a configuration or migrating it to another device, the master key is not dumped and has to be configured again manually.

While the following document is related to IOS and not to NX-OS, it provides the additional info you may find interesting:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml

Type-6 passwords are significantly more secure than Type-7 passwords.

Please note that the number in the tacacs-server key [0 | 6 | 7] key-value command tells the device in what format the key-value already is, i.e. whether it is already Type-6 or Type-7 encrypted. You do not select the resulting encryption type using this number. There is a different command that will cause existing passwords in the configuration to be Type-6 encrypted. I am not familiar with NX-OS, but for IOS, the document mentioned above describes how Type-6 passwords can be activated.

Best regards,

Peter
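
As an added example (not part of the thread or of any Cisco tool), a small Python auditor that applies Peter's point to a saved configuration: it reads each tacacs-server / radius-server key line, infers the format from the [0 | 6 | 7] number (no number means the clear-text default) and flags Type-0 and Type-7 keys as equivalent to clear text, while Type-6 is reported as acceptable. The config excerpt is constructed, and the check for the IOS command `password encryption aes` (which the page does not name) is an assumption about IOS, not NX-OS.

```python
import re

# Constructed running-config excerpt (not from the thread). The key values
# are made up; the Type-6 string is only shaped like one, not a real secret.
SAMPLE_CONFIG = """\
hostname edge-sw01
tacacs-server host 10.0.0.5 key 7 0822455D0A16
tacacs-server key 0 Sup3rSecretKey
tacacs-server key 6 RkRhe0dEdKNnH0bBqZgKHYxbeGTjeTfeUgjjNgKBABXDRNBAAB
radius-server key HelloRadius
"""

# "<server cmd> key [0|6|7] <value>": the type number is optional because
# omitting it means the clear-text default described in the NX-OS docs.
KEY_RE = re.compile(
    r"^(?P<cmd>(?:tacacs|radius)-server\b.*?)\s+key"
    r"(?:\s+(?P<type>[067]))?\s+(?P<value>\S+)\s*$"
)

RISK = {
    "0": "clear text: anyone who can read the config has the key",
    "7": "Type-7: reversible with the publicly known IOS key; treat as clear text",
    "6": "Type-6: AES with a user-defined master key, unusable without it",
}


def audit_config(config):
    """Return one finding per server-key line: line number, type, severity, note."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        ktype = m.group("type") or "0"  # missing number = clear-text default
        findings.append({
            "line": lineno,
            "cmd": m.group("cmd"),
            "type": ktype,
            "severity": "high" if ktype in ("0", "7") else "ok",
            "note": RISK[ktype],
        })
    return findings


def weak_key_lines(config):
    """Line numbers whose key is clear text or Type-7 (both should become Type-6)."""
    return [f["line"] for f in audit_config(config) if f["severity"] == "high"]


def aes_encryption_enabled(config):
    """Assumed IOS command that turns on Type-6 storage; absent in NX-OS syntax."""
    return any(l.strip() == "password encryption aes" for l in config.splitlines())
```

Running it over SAMPLE_CONFIG flags lines 2, 3 and 5 and reports that AES password encryption is not enabled.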

2 REPLIES

New Member

When to use type-6 encrypted or type-7 encrypted?

Thanks Peter,

This is a fantastic and clear answer!!

I have read the document and it makes more sense now.

Thank you so much!

Regards

guruiz
