Cisco Packet Data Interworking Function (PDIF)
ASR 5000 System Administration Guide, StarOS Release 18
System Security
Per-Chassis Key Identifier
Chassis Synchronization
Both SMCs in the same chassis must contain the same chassis key. If they do not, a failover from one SMC to another
would result in the configuration containing encrypted passwords which cannot be decrypted.
Chassis synchronization occurs as follows:
When a secondary SMC comes up, it copies the chassis key from the primary SMC.
When a primary SMC changes its key, it also changes the key on the secondary SMC.
Whenever a user requests that the two SMCs synchronize, the chassis key on the secondary SMC is forced to
match the chassis key on the primary SMC.
Protection of Passwords
Users with privilege levels of Inspector and Operator cannot display decrypted passwords in the configuration file via
the ASR 5x00 command line interface (CLI).
Secure Password Encryption
By default the system encrypts passwords using an MD5-based cipher. These passwords also have a random 64-bit (8-
byte) salt added to the password. The chassis key is used as the encryption key.
Using the chassis key allows for an encryption method where the decryption requires the knowledge of a “shared
secret”. Only a chassis with knowledge of this shared secret can access the passwords. To decipher passwords, a hacker
who knew the chassis key would still need to identify the location of the 64-bit random salt value within the encryption.
Passwords encrypted with MD-5 will have “+A” prefixes in the configuration file to identify the methodology used for
encrypting.
For release 15.0 and higher, another type of encryption algorithm can be specified. The Global Configuration mode
cli-encrypt-algorithm command allows an operator to configure the password/secret encryption algorithm. The default
encryption/password algorithm is MD-5 as described above (option A). A second password encryption algorithm
(option B) uses AES-CBC-128 for encryption and HMAC-SHA1 for authentication. The encryption key protects the
confidentiality of passwords, while the authentication key protects their integrity. Passwords encrypted with this key
will have “+B” prefixes in the configuration file.
The syntax for the cli-encrypt-algorithm command is:
config
cli-encrypt-algorithm { A | B }
Support for Non-Current Encryptions and Decryptions
The system supports previously formatted encrypted passwords. The syntax of the encrypted passwords indicates to the
ASR 5x00 which methodology was used for encryption. If the system does not see a prefix before the encrypted
password, the earlier encryption method using a fixed key will be used. If the encrypted password includes the “+A”
prefix, the decryption method uses the chassis key and random salt.
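As an added example (not Cisco's code and not the StarOS on-disk format), the Go program below models the option B scheme described in "Secure Password Encryption", AES-CBC-128 for confidentiality plus HMAC-SHA1 for integrity under a "+B" prefix, together with the prefix dispatch from "Support for Non-Current Encryptions and Decryptions" that tells the system which method applies to a stored value. Deriving the two keys from the chassis key with SHA-256, the PKCS#7 padding, the iv||ciphertext||tag layout and the base64 encoding are all this example's assumptions; the "+A" MD5-based method is only classified, not reproduced. The chassis key and password values are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Separate encryption and authentication keys for the "+B" scheme; deriving
// both from the chassis key with SHA-256 is this example's assumption.
func deriveKeys(chassisKey string) (encKey, macKey []byte) {
	e := sha256.Sum256([]byte("enc:" + chassisKey))
	m := sha256.Sum256([]byte("mac:" + chassisKey))
	return e[:16], m[:] // AES-128 key, HMAC-SHA1 key
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptB stores "+B" + base64(iv || AES-CBC-128 ciphertext || HMAC-SHA1 tag), tag over iv||ciphertext.
func EncryptB(chassisKey, password string) (string, error) {
	encKey, macKey := deriveKeys(chassisKey)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(password)%aes.BlockSize // PKCS#7 padding
	pt := append([]byte(password), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	body := append(iv, ct...)
	mac := hmac.New(sha1.New, macKey)
	mac.Write(body)
	return "+B" + base64.StdEncoding.EncodeToString(mac.Sum(body)), nil
}

// DecryptB verifies the tag before decrypting: a chassis whose key does not match
// (the failover case in the guide) or a tampered value fails the integrity check.
func DecryptB(chassisKey, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "+B"))
	if err != nil {
		return "", err
	}
	if len(raw) < 2*aes.BlockSize+sha1.Size || (len(raw)-sha1.Size)%aes.BlockSize != 0 {
		return "", errors.New("malformed stored value")
	}
	encKey, macKey := deriveKeys(chassisKey)
	body, tag := raw[:len(raw)-sha1.Size], raw[len(raw)-sha1.Size:]
	mac := hmac.New(sha1.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return "", errors.New("integrity check failed: wrong chassis key or tampered value")
	}
	block, _ := aes.NewCipher(encKey) // 16-byte key by construction, cannot fail
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	out, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// Scheme reads the prefix as the guide says the system does: none = legacy fixed-key
// method, "+A" = MD5-based with chassis key and salt, "+B" = AES-CBC-128/HMAC-SHA1.
func Scheme(stored string) string {
	switch {
	case strings.HasPrefix(stored, "+B"):
		return "B"
	case strings.HasPrefix(stored, "+A"):
		return "A"
	}
	return "legacy"
}

func main() {
	enc, _ := EncryptB("example-chassis-key", "s3cret")
	fmt.Println(Scheme(enc), enc)
	_, err := DecryptB("other-chassis-key", enc) // SMC whose key was never synchronized
	fmt.Println("mismatched key:", err)
}
```

Because the tag is checked before any decryption, a secondary SMC whose chassis key never synchronized (the failover case from the start of this section) fails with an integrity error instead of producing an unreadable password, and the same check rejects a value edited by hand in the configuration file.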