
AsyncOS password encryption mechanism

Linz
Level 1

I've seen the option 

encrypt passphrases in the configuration file

within AsyncOS's system-administration.

There is no documentation about how passwords are stored, and how they are encrypted (which password, cert, whatever).

Any information?

2 Replies

dmccabej
Cisco Employee

Hello,

 

That option refers to the user passwords along with any certificate private/public keys. Locally, the passwords are stored as MD5 hashes; however, I am not aware offhand of what type of encryption is performed during export.

 

Thanks!

-Dennis M.

Awesome! Might I introduce Cisco to Kerckhoffs's principle? Maybe it has not yet reached Cisco, because it is only ~150 years old and modern security experts have only been talking about it for the last 20 years, but hey!

If I remember correctly (first class of university), this "thing" Cisco is doing here was always called "security by obscurity", and as far as I remember it was not mentioned in a positive manner.

Or could they even have called it "error by design"?! I am not sure of this, but what I know is that this is a post for the slide "fail of the year" in my old prof's script!
I am afraid of using Cisco IronPort ESA now; what other design errors did you build in?

Can you please forward this to your software designers and ask them to use a recognized cipher, a user-defined config_password and, in case auto-update is used, just store this config_password next to the passwords, certs and stuff you want to protect in case of exporting the config (if somebody is able to gain access to the passwords or certs, he's obviously not interested in the config_password anymore, because he already has what he wants)?
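As an added example (not part of the thread, not Cisco code, and not a description of how AsyncOS protects exported configurations), this sketch shows the kind of documented scheme the last reply asks for: each secret in an export is sealed with AES-256-GCM under a key derived by scrypt from a user-defined config password. The field names, the `$`-separated record layout and the scrypt cost parameters are assumptions made for illustration.

```javascript
// Added illustration: hypothetical export-protection scheme, not AsyncOS behaviour.
const nodeCrypto = require('crypto');

// scrypt cost parameters (assumed values; tune to the hardware doing the export).
const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const SCHEME = 'scrypt-aes256gcm'; // stored with every record so the format is self-describing

function deriveKey(configPassword, salt) {
  return nodeCrypto.scryptSync(configPassword, salt, 32, KDF);
}

// Seal one secret. The field name is bound as AAD, so a ciphertext copied
// into a different field of the export fails authentication on import.
function sealField(configPassword, fieldName, plaintext) {
  const salt = nodeCrypto.randomBytes(16); // fresh salt and nonce per field
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(configPassword, salt), iv);
  cipher.setAAD(Buffer.from(fieldName, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const parts = [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64'));
  return [SCHEME, ...parts].join('$');
}

// Open one secret. Throws on a wrong password, wrong field, or modified data.
function openField(configPassword, fieldName, sealed) {
  const [scheme, ...parts] = sealed.split('$');
  if (scheme !== SCHEME || parts.length !== 4) throw new Error('unknown record format');
  const [salt, iv, tag, ct] = parts.map((s) => Buffer.from(s, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(configPassword, salt), iv);
  decipher.setAAD(Buffer.from(fieldName, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Seal only the sensitive fields of a constructed sample configuration.
function exportConfig(config, secretFields, configPassword) {
  const out = { ...config };
  for (const f of secretFields) out[f] = sealField(configPassword, f, config[f]);
  return out;
}

// Constructed sample data, not taken from any real appliance.
const sample = { hostname: 'esa.example.test', admin_passphrase: 'S3cret!', tls_private_key: 'PEM-PLACEHOLDER' };
const exported = exportConfig(sample, ['admin_passphrase', 'tls_private_key'], 'correct horse battery');
console.log(exported.admin_passphrase.split('$')[0], exported.hostname);
```

Because the cipher, KDF and record layout are all public here, the confidentiality of the export rests only on the config password, which is the point of Kerckhoffs's principle raised in the reply.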