15158 Views, 3 Helpful, 5 Replies

Pre-Shared Key "Type 6" Encryption - Possible to decrypt if master password is known?

zztopping
Level 4

Is it possible to decrypt "type 6" (AES encrypted) keys if the "master password" is kept handy?

5 Replies

wzhang
Cisco Employee

Hi,

Type 6 encryption uses AES which is a symmetrical encryption algorithm (as opposed to type 5 which uses a one-way hash), so in theory the passwords protected by type 6 encryption can be recovered if the master key is known.

Thanks,

Wen
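To make the distinction in the reply above concrete, here is an added example (not Cisco code, and not the real Type 6 or Type 5 algorithm): a constructed keyed stream cipher built from SHA-256 stands in for the symmetric AES scheme, and a salted SHA-256 stands in for the one-way hash. The point it demonstrates is the one Wen makes: a symmetric scheme yields the original secret to anyone who holds the master key, while a one-way hash can only be checked against a candidate, never reversed. All function and variable names here are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a symmetric cipher: SHA-256 in counter mode as a
# keystream, XORed with the plaintext. Real Type 6 uses AES; this is only to
# show the round-trip property, and is not suitable for production use.
def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(master_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def reversible_encrypt(master_key: bytes, secret: str) -> bytes:
    """'Type 6'-style: protected blob is nonce || (secret XOR keystream)."""
    nonce = os.urandom(16)
    data = secret.encode()
    ks = _keystream(master_key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def reversible_decrypt(master_key: bytes, blob: bytes) -> bytes:
    """With the master key, the original secret is recovered exactly."""
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(master_key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


# Constructed stand-in for a one-way hash: salted SHA-256 stored as salt$digest.
def one_way_store(secret: str) -> str:
    """'Type 5'-style: nothing stored allows recovering the secret."""
    salt = os.urandom(8).hex()
    digest = hashlib.sha256((salt + secret).encode()).hexdigest()
    return f"{salt}${digest}"


def one_way_verify(secret: str, stored: str) -> bool:
    """The only operation possible: compare a candidate against the stored hash."""
    salt, digest = stored.split("$", 1)
    candidate = hashlib.sha256((salt + secret).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    master = b"constructed-master-key"          # assumption: example master key
    blob = reversible_encrypt(master, "my-vpn-psk")
    print("recovered with master key:", reversible_decrypt(master, blob))
    print("recovered with wrong key: ", reversible_decrypt(b"wrong", blob))
    stored = one_way_store("enable-secret")
    print("hash verifies:", one_way_verify("enable-secret", stored))
```

Running it shows the blob decrypting to the original pre-shared key under the right master key, garbage under the wrong one, and the hashed secret answering only yes/no to a candidate. This is exactly why a "decrypt on the CLI" feature is a design choice for Type 6 but an impossibility for Type 5.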

That's my understanding, yes. But I do not see any CLI tools to unencrypt for my eyes using the master password...

Hi,

Correct, there is no CLI to decrypt the password from the router itself (other than decryption that happens internally when the key is actually used). That's done intentionally for security reasons. See:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml#conf

Thanks,

Wen

Sounds like I need to work with my SE to request this. There should be a way to decrypt these for administrator use if the master key is known. For instance, if you wanted to replace the device with something that does not support this feature at all and prevent coordinating a change with potentially dozens of customers.
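For the migration scenario raised above, a defender cannot read the Type 6 blobs from the device, but can at least inventory which lines of a configuration carry them so the corresponding secrets are re-keyed before the replacement device goes in. The following is an added example, not Cisco tooling, that scans an IOS-style configuration text for the AES encryption enablement lines and for `... 6 <blob>` key tokens; the regex, the sample configuration and the blob values are constructed for the example and are assumptions about the common forms of these lines.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration; blobs and hashes are placeholders, not real values.
SAMPLE_CONFIG = """\
key config-key password-encrypt
password encryption aes
enable secret 5 $1$CONSTRUCTED_TYPE5_HASH
crypto isakmp key 6 CONSTRUCTED_TYPE6_BLOB_1 address 192.0.2.10
key chain RIPAUTH
 key 1
  key-string 6 CONSTRUCTED_TYPE6_BLOB_2
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Assumption: Type 6 secrets appear as a '6' marker after key/password/secret keywords.
TYPE6_TOKEN = re.compile(r"\b(?:key-string|key|password|secret)\s+6\s+(\S+)")


def inventory_type6(config_text: str) -> Dict[str, object]:
    """Return whether AES password encryption is on, whether a master key is
    configured, and the line numbers holding Type 6 blobs (blobs themselves
    are not reported, so the output is safe to paste into a migration ticket)."""
    aes_enabled = False
    master_key_set = False
    type6_lines: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line == "password encryption aes":
            aes_enabled = True
        elif line.startswith("key config-key password-encrypt"):
            master_key_set = True
        m = TYPE6_TOKEN.search(line)
        if m:
            # Mask the blob: it is useless without the master key anyway.
            masked = line.replace(m.group(1), "<type6>")
            type6_lines.append((lineno, masked))
    return {
        "aes_enabled": aes_enabled,
        "master_key_set": master_key_set,
        "type6_lines": type6_lines,
    }


def migration_warning(report: Dict[str, object]) -> str:
    """One-line summary for a change plan: these secrets must be re-entered
    in plaintext on a device that does not support Type 6."""
    n = len(report["type6_lines"])
    return f"{n} Type 6 secret(s) will need re-keying on the replacement device"


if __name__ == "__main__":
    report = inventory_type6(SAMPLE_CONFIG)
    for lineno, line in report["type6_lines"]:
        print(f"line {lineno}: {line}")
    print(migration_warning(report))
```

Note that the Type 5 `enable secret` line is deliberately not matched: it is a one-way hash and can be carried over as-is, whereas each Type 6 line needs the original secret re-entered from a password store, or coordinated with the peer, exactly the coordination cost the original poster describes.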

Understood. This is a classic case of trade-off between security and convenience (some may argue these two are mutually exclusive). A security feature should be designed such that, when one secret is compromised, it exposes as few additional secrets as possible. And of course, this goes along with the assumption that there are no administrators - there are only successful hackers! Just want to give a different perspective on this...

Thanks,

Wen