Cisco Cisco Packet Data Gateway (PDG) Ratgeber Für Administratoren
System Security
Per-Chassis Key Identifier ▀
Cisco ASR 5500 System Administration Guide ▄
95
MIO/UMIO Synchronization
On boot up both MIO/UMIOs automatically read the chassis key configured on the ASR 5500 midplane.
Protection of Passwords
Users with privilege levels of Inspector and Operator cannot display decrypted passwords in the configuration file via
the ASR 5500 command line interface (CLI).
the ASR 5500 command line interface (CLI).
Secure Configuration Password Encryption
The system encrypts passwords using an MD5-based cipher. These passwords also have a random 64-bit (8-byte) salt
added to the password. The chassis key is used as the encryption key.
added to the password. The chassis key is used as the encryption key.
Using the chassis key allows for an encryption method where the decryption requires the knowledge of a “shared
secret”. Only a chassis with knowledge of this shared secret can access the passwords. To decipher passwords, a hacker
who knew the chassis key would still need to identify the location of the 64-bit random salt value within the encryption.
secret”. Only a chassis with knowledge of this shared secret can access the passwords. To decipher passwords, a hacker
who knew the chassis key would still need to identify the location of the 64-bit random salt value within the encryption.
The encrypted password is displayed with a prefixed of “+A” in the configuration file to identify the methodology used
for encrypting.
for encrypting.
Support for Non-Current Encryptions and Decryptions
The system supports previously formatted encrypted passwords. The syntax of the encrypted passwords indicates to the
ASR 5500 which methodology was used for encryption. If the system does not see a prefix before the encrypted
password, the earlier encryption method using a fixed key will be used. If the encrypted password includes the “+A”
prefix, the decryption method uses the chassis key and random salt.
ASR 5500 which methodology was used for encryption. If the system does not see a prefix before the encrypted
password, the earlier encryption method using a fixed key will be used. If the encrypted password includes the “+A”
prefix, the decryption method uses the chassis key and random salt.
If the user saves a new configuration, the generated file will always contain passwords encrypted by the most recent
method. The user cannot generate the earlier DES-based encryption values. However, all future StarOS releases will
continue to support plain-text password entry for all two-way encryptable passwords
method. The user cannot generate the earlier DES-based encryption values. However, all future StarOS releases will
continue to support plain-text password entry for all two-way encryptable passwords
The recommended process for changing the chassis key without causing a “lock-out” state is as follows:
Load the configuration file of the last good configuration using the previous chassis key.
Change the chassis key to the new desired value.
Save the configuration with this new chassis key.
Refer to Configuring a Chassis Key in System Settings for additional information.
Selectable Password/Secrets Encryption Algorithm
An administrator can specify the type of encryption algorithm to be used for passwords and secrets. The default
algorithm will be the MD5-based cipher (algorithm “A”) described above. Another option specifies the use of AES-
CBC-128 for encryption and HMAC-SHA1 for authentication (algorithm “B”).
algorithm will be the MD5-based cipher (algorithm “A”) described above. Another option specifies the use of AES-
CBC-128 for encryption and HMAC-SHA1 for authentication (algorithm “B”).
Use the Global Configuration mode cli-encrypt-algorithm command to specify the desired encryption algorithm – A
(default) or B. For additional information, refer to the Command Line Interface Reference.
(default) or B. For additional information, refer to the Command Line Interface Reference.