https://community.cisco.com/t5/network-access-control/tacacs-server-key/m-p/1394436#M313595 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P></P><P>After reading through the RFC I guess since the key is also used for a pad function on the communication, knowing what it is could simplify cryptanalysis of the packet to allow someone to determine usernames and passwords as it crosses the wire.</P><P></P><P>B</P></BODY></HTML> Thu, 08 Apr 2010 23:22:40 GMT brandon5150 2010-04-08T23:22:40Z https://community.cisco.com/t5/network-access-control/tacacs-server-key/m-p/1394434#M313588 <P>Ok. I'll go out on a limb here, what is the risk of a compromised tacacs server key? It doesn't seem like all that much. You can use it to try and authenticate a user against the server directly?</P><P></P><P>Is there a reason that the key is encrypted using Cisco's Type 7 encryption which is easily reversed versus something like MD5 or SHA1 when stored in the router configuration?</P> Mon, 11 Mar 2019 00:03:14 GMT https://community.cisco.com/t5/network-access-control/tacacs-server-key/m-p/1394434#M313588 brandon5150 2019-03-11T00:03:14Z https://community.cisco.com/t5/network-access-control/tacacs-server-key/m-p/1394435#M313593 <HTML><HEAD></HEAD><BODY><P>As you said, someone having the key could authenticate users against the server, but he could not steal usernames and passwords. It is more of a shared secret between the router and TACACS. Not that it is a pleasant situation for someone to steal it.</P><P></P><P>Even if it was MD5 it is still susceptible to attacks. Those would be harder that the type 7 encryption.</P><P>Not all key features were designed to be obfuscated the same way.</P><P>For example for IKE keys you can even encrypt them for AES, but you cannot do it for ospf keys.</P><P></P><P>I hope it clarifies it a little.</P><P></P><P>PK</P></BODY></HTML> Thu, 08 Apr 2010 17:27:34 GMT https://community.cisco.com/t5/network-access-control/tacacs-server-key/m-p/1394435#M313593 Panos Kampanakis 2010-04-08T17:27:34Z https://community.cisco.com/t5/network-access-control/tacacs-server-key/m-p/1394436#M313595 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P></P><P>After reading through the RFC I guess since the key is also used for a pad function on the communication, knowing what it is could simplify cryptanalysis of the packet to allow someone to determine usernames and passwords as it crosses the wire.</P><P></P><P>B</P></BODY></HTML> Thu, 08 Apr 2010 23:22:40 GMT https://community.cisco.com/t5/network-access-control/tacacs-server-key/m-p/1394436#M313595 brandon5150 2010-04-08T23:22:40Z