Pre-Shared Key "Type 6" Encryption - Possible to decrypt if master password is known?
01-13-2011 11:12 PM - edited 03-09-2019 11:21 PM
Is it possible to decrypt "type 6" (AES encrypted) keys if the "master password" is kept handy?
Labels: Other Security Topics
01-14-2011 06:12 AM
Hi,
Type 6 encryption uses AES which is a symmetrical encryption algorithm (as opposed to type 5 which uses a one-way hash), so in theory the passwords protected by type 6 encryption can be recovered if the master key is known.
Thanks,
Wen
01-14-2011 06:36 AM
That's my understanding, yes. But I do not see any CLI tools to unencrypt for my eyes using the master password...
01-14-2011 07:01 AM
Hi,
Correct, there is no CLI to decrypt the password from the router itself (other than decryption that happens internally when the key is actually used). That's done intentionally for security reasons. See:
Thanks,
Wen
01-14-2011 07:54 AM
Sounds like I need to work with my SE to request this. There should be a way to decrypt these for administrator use if the master key is known. For instance, if you wanted to replace the device with something that does not support this feature at all and prevent coordinating a change with potentially dozens of customers.
01-14-2011 12:08 PM
Understood. This is a classic case of a trade-off between security and convenience (some may argue these two are mutually exclusive). A security feature should be designed such that, when one secret is compromised, it exposes as few additional secrets as possible. And of course, this goes along with the assumption that there are no administrators - there are only successful hackers! Just want to give a different perspective on this...
Thanks,
Wen
