Solved: enable secret password - different hash each time for same password ?

SJ K · ‎07-16-2015

Hi all,

Everytime i do a

enable secret <samepassword>;

and do a

show run;

The secret password in the running config is always different.

q1) is enable secret using md5 hashing or any other encryption ?

q2) why does the same password result in different encryption or hash result reach time ?

Regards,

Noob

johnd2310 · ‎07-16-2015

Hi,

Q1) Yes, enable secret is using MD5 hashing.

Q2) If the same password gave the same hash everytime, an attacker could try hashing a number of passwords until they got to one that matches your password. Therefore the hashes have to be different to thwart these type of attacks.

Thanks

John

**Please rate posts you find helpful**

View solution in original post

Rolf Fischer · ‎07-16-2015

Well, I'm not really a cryptography expert; perhaps somebody else can provide with more details.

My understanding of a rainbow table is the same as yours: "A list of precalculated hash results of a list of dictionary words".

Now, if the original plaintext is altered by adding a salt before the hash is calculated, those lists are useless.

I shouldn't have said 'protection against', is just makes it much more time-consuming to create lists for all possible plaintext + hash combinations.

HTH

Rolf

View solution in original post

johnd2310 · ‎07-16-2015

Hi,

Q1) Yes, enable secret is using MD5 hashing.

Q2) If the same password gave the same hash everytime, an attacker could try hashing a number of passwords until they got to one that matches your password. Therefore the hashes have to be different to thwart these type of attacks.

Thanks

John

**Please rate posts you find helpful**

SJ K · ‎07-16-2015

Hi Jond,

Thanks for the reply.

For q2) how does the hashes happen to different for the same password ? is a salt added to it ?

If that being so, how does 1 provide a password and still get authenticated ? is the salt being stored somewhere ?

Also, how does that prevent unauthorized entry ? a hacker could still try the different password combinations as the salt is applied by the switch/router automatically to the provided password, isn't it ?

Regards,
Noob

Rolf Fischer · ‎07-16-2015

Hi Guys,

I hope you allow me to join.

On closer inspection you will see that the password-hashes in IOS have a special format:

$1$<SALT>$<HASH>

The SALT is a semi-random string which is added to the plaintext before the MD5 hash is calculated.

This is a protection against so-called 'rainbow table attacks', just google 'salt' and 'rainbow table'!

HTH

Rolf

SJ K · ‎07-16-2015

Hi Rolf,

Thanks for the reply.

A rainbow table if i am not wrong, is a list of precalculated hash results of a list of dictionary words.

Comparing the hashed passwords against the list in the rainbow table for a match will reveal the actual password being used by the user.

Am i right ?

=================

q1) If that being so , how does the salt prevent a malicious user from brute-forcing into the system by just trying random password ? they are using the same login mechanism as the actual-user by just attempting/inputting different password per login

q2) if the salt prevent rainbow attack by having a random data appended to the plaintext before the m5 hash, the very 1st criteria is that the rainbow attack has a list of hashed (salt+password) to compared with.

now, isn't the system already compromised when the malicious user has that list of hashed password ?

q3) if the salt and hashed is stored together, wouldn't that malicious user, instead of using a rainbow table,

just recompute his list of dictionary text + the salt retrieved to dervied the hash result and compared against the hashed password in the retrieved list ?

Regards,

Noob

Rolf Fischer · ‎07-16-2015

Well, I'm not really a cryptography expert; perhaps somebody else can provide with more details.

My understanding of a rainbow table is the same as yours: "A list of precalculated hash results of a list of dictionary words".

Now, if the original plaintext is altered by adding a salt before the hash is calculated, those lists are useless.

I shouldn't have said 'protection against', is just makes it much more time-consuming to create lists for all possible plaintext + hash combinations.

HTH

Rolf

SJ K · ‎07-21-2015

Hi guys,

Sorry for the late reply and your points are duly noted.

I think the salted hash just assist to

i) hackers from being able to identify multiple account for same password

ii) waste more time as each rainbow table can only be use for 1 particular login.

Thanks!

Karsten Iwen · ‎07-17-2015

More on the usage of Salts can be found in the Wikipedia:

https://en.wikipedia.org/wiki/Salt_(cryptography)

And be aware that the usage of MD5 for Password hashing is considered a legacy way. Better use a more modern way like SHA256:

inet-home(config)#username TEST algorithm-type ?
  md5     Encode the password using the MD5 algorithm
  scrypt  Encode the password using the SCRYPT hashing algorithm
  sha256  Encode the password using the PBKDF2 hashing algorithm

inet-home(config)#username TEST algorithm-type sha256 secret ThisIsNotRealySecure
inet-home(config)#do sh run | i ^username TEST
username TEST secret 8 $8$ANrcesUzg7jTV.$w5c4lQinsKXSUXn2Mv3WgBO1yLqOx/7rhO0ZQi8w.Zs
inet-home(config)#

But you need an up-to-date IOS for that.