The password encryption algorithm used in some recent versions of the Cisco IOS operating system is weaker than the algorithm it was designed to replace, Cisco revealed earlier this week.
The new encryption algorithm is called Type 4 and was supposed to increase the resiliency of encrypted passwords against brute-force attacks. "The Type 4 algorithm was designed to be a stronger alternative to the existing Type 5 and Type 7 algorithms," Cisco said Monday in a security response document published on its website.
However, due to an implementation error, the new algorithm generates password hashes -- cryptographic representations of passwords -- that are weaker than those generated by the Type 5 algorithm for equally complex passwords.
The issue was discovered by researchers Philipp Schmidt and Jens Steube of the Hashcat Project. Hashcat is a password recovery application.
The Type 4 algorithm was supposed to conform to the Password-Based Key Derivation Function version 2 (PBKDF2) standard in an implementation where 80 bits of random data are appended to the plaintext password -- a process known as salting -- and the resulting string is subjected to 1,000 iterations through the SHA-256 hashing function.
"Due to an implementation issue, the Type 4 password algorithm does not use PBKDF2 and does not use a salt, but instead performs a single iteration of SHA-256 over the user-provided plaintext password," Cisco said its advisory. "This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity."
The Type 5 algorithm uses the MD5 hashing function that dates back to 1992 and has known security weaknesses, but its implementation uses salting and 1,000 iterations.
Salting and hash iteration are standard methods recommended by cryptography experts to make password hashes harder to crack and all password encryption algorithms should use them, Schmidt and Steube said Wednesday via email. If a password is passed through 1,000 hashing iterations, a brute-force attack would have to compute the hash 1,000 times for every password guess. This significantly increases the time and resources needed for a successful password recovery attack, the researchers said.
Only a limited number of Cisco IOS and Cisco IOS XE releases based on the Cisco IOS 15 code base support the Type 4 algorithm, Cisco said in its advisory. "Issues apply only to devices running Cisco IOS or Cisco IOS XE releases with support for Type 4 passwords, and only to the 'enable secret' and 'usernamesecret' commands," the company said. "No other Cisco IOS or IOS XE features use this algorithm to hash passwords or keys."
The company declined to name the exact affected products or IOS and IOS XE versions at this time. "We refer Cisco customers to our Security Response which provides important information on the use of Type 4 passwords in some Cisco IOS and IOS XE devices," a Cisco representative said Wednesday via email. "In some cases they may choose to revert to Type 5 passwords on these devices, so we have provided advice on how this can be achieved. We have also offered information on Cisco's plans to implement a new password type in future versions of IOS."
