cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7422
Views
5
Helpful
3
Replies

ASA5515X: md5 hash for local passwords

holger.weinel1
Level 1
Level 1

Hi,

the CSO of our Company note that the Password localy saved in Firewall configuration are saved with a md5 hash.

Serveral sites at the Internet provide the possibility to decrypt passwords encrypted with those unsecure hashing algorithems.

Firmware: Cisco Adaptive Security Appliance Software Version 9.5(3)6

Hardware: ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC

I did find a hardeníng guide under

This guide contains the following note:
"... ASA uses Message Digest 5 (MD5) for Password hashing."
Is there no possibilty to use secure hash algorithems such as SHA512 for Password hashes locally stored at the startup-config?

Kind regards

Holger Weinel

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

ASA 9.7(1) introduced PBKDF2 hashing for local passwords.

PBKDF2 hashing for all local username and enable passwords

Local username and enable passwords of all lengths are stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Previously, passwords 32 characters and shorter used the MD5-based hashing method. Already existing passwords continue to use the MD5-based hash unless you enter a new password. See the "Software and Configurations" chapter in the General Operations Configuration Guide for downgrading guidelines.

We modified the following commands: enable password, username

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html

You should also be using centralized authentication (which prevents use of local credentials unless there is no access to your AAA server) and restricting management access to the ASA to trusted interfaces (so that any attack would have to come from an insider vs. any random script launched against your public IP).

I am trying to find out what SHA type that the PBDKF2 hashing is using for local password storage on the ASA's. I want to make sure that its a high level of encryption. I don't see this discussed in any documents. Anyone?

Dear Community,

 

Following on in this thread I am encountering an interesting problem:-

 

My newly created usernames have their passwords stored in the config as pbkdf2 passwords.

 

However, when I try to login via SSH using one of these new usernames I get "Access Denied" errors.

 

In troubleshooting this problem I have copied the username config from another device using the "encrypted" flag on the password.

When using this "encrypted" username and it's associated password all works fine.

 

Does anybody else have any experience with this type of behavior?

 

Thanks

Andrew

Review Cisco Networking for a $25 gift card