01-13-2011 11:12 PM - edited 03-09-2019 11:21 PM
Is it possible to decrypt "type 6" (AES encrypted) keys if the "master password" is kept handy?
01-14-2011 06:12 AM
Hi,
Type 6 encryption uses AES which is a symmetrical encryption algorithm (as opposed to type 5 which uses a one-way hash), so in theory the passwords protected by type 6 encryption can be recovered if the master key is known.
Thanks,
Wen
01-14-2011 06:36 AM
That's my understanding, yes. But I do not see any CLI tools to unencrypt for my eyes using the master password...
01-14-2011 07:01 AM
Hi,
Correct, there is no CLI to decrypt the password from the router itself (other than decryption that happens internally when the key is actually used). That's done intentionally for security reasons. See:
Thanks,
Wen
01-14-2011 07:54 AM
Sounds like I need to work with my SE to request this. There should be a way to decrypt these for administrator use if the master key is known. For instance, if you wanted to replace the device with something that does not support this feature at all and prevent coordinating a change with potentially dozens of customers.
01-14-2011 12:08 PM
Understood. This is a classic case of a trade-off between security and convenience (some may argue these two are mutually exclusive). A security feature should be designed such that, when one secret is compromised, it exposes as few additional secrets as possible. And of course, this goes along with the assumption that there are no administrators - there are only successful hackers! Just want to give a different perspective on this...
Thanks,
Wen