Hashing Passwords: An Object Lesson

Irreal regulars know that I periodically go off on a rant about the proper hashing of passwords and the dire consequences of failing to do it correctly. Not even I, however, could have imagined that Cisco would get it wrong. And not just a little wrong but massively and totally wrong.

In fairness, I should say up front that Cisco has acknowledged the problem and issued a bulletin on how to detect if a given piece of equipment is affected and how to deal with the problem if so. Also, Cisco is saying that the problem is an implementation issue, not a design issue.

With the Cisco IOS 15 codebase, a new type of password—Password Type 4—was introduced. Apparently, the design called for this to be a SHA256-based PBKDF2 hash with an 80-bit salt and 1000 iterations. The idea was to replace the weaker Password Type 5, which is an MD5-based hash that was salted and repeated 1000 times. That makes sense but unfortunately the implementation merely hashed the unsalted password with SHA256 one time. The result is a password that is easily broken as demonstrated by Philipp Schmidt and Jens Steube.
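The gap between the design and the implementation described above, as an added example that is not code from the original post or from Cisco. The function names and sample password are hypothetical, and the outputs are raw digests, not the encoding IOS stores.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_BYTES = 10    # 80-bit salt, per the design described in the post
ITERATIONS = 1000  # iteration count, per the design described in the post


def flawed_hash(password: str) -> bytes:
    """What the post says shipped: one unsalted SHA-256 pass."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def designed_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the post says the design called for: salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, dk = designed_hash(password, salt)
    return hmac.compare_digest(dk, expected)


def compare_schemes(password: str) -> dict:
    """Store the same password for two accounts under each scheme."""
    salt_a, dk_a = designed_hash(password)
    salt_b, dk_b = designed_hash(password)
    return {
        # Unsalted: identical passwords always give identical stored values,
        # so one precomputed table applies to every device and every account.
        "flawed_identical": flawed_hash(password) == flawed_hash(password),
        # Salted: the same password stores differently for each account.
        "designed_identical": dk_a == dk_b,
        "verify_correct": verify(password, salt_a, dk_a),
        "verify_wrong": verify(password + "x", salt_a, dk_a),
    }


if __name__ == "__main__":
    # Constructed sample input, not a real credential.
    for name, value in compare_schemes("constructed-sample-password").items():
        print(f"{name}: {value}")
```

Each guess against the designed scheme also costs 1000 HMAC-SHA256 computations instead of a single SHA-256 call, which is the work factor the shipped implementation lost.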

It’s hard to understand how this sort of thing could get by QA. Any time you change a cryptographic primitive it is, or should be, a big deal that requires careful scrutiny and testing. If, indeed, the design called for PBKDF2 hashing, it’s hard to see why the developer would use a single pass of SHA256 instead and how that error could get by any serious code review. If the design didn’t call for PBKDF2, it’s equally hard to understand why any developer with even a modicum of security awareness would not raise an alarm. This is not new stuff. The ideas have been around for a long time. Even the original Unix DES-based password hash from the 70s used multiple iterations and a salt.

The lesson is clear. Unless you, too, want to be the object of near universal derision (and probably fired), use one of the accepted methods for safely storing passwords. Don’t just encrypt them, don’t just run them through a single pass of some hash, and for goodness’ sake don’t store them in plain text.
