Friday, May 3, 2013

Securing PSKs in Cisco IOS routers

Cisco routers that terminate IPsec VPN connections have always left the PSK (pre-shared key) in the clear in the running/startup config.

This is a problem: if you download or send the config over an unsecured channel without redacting it, any third party can read the cleartext PSK, which should be private and confidential.

Cisco offers a feature to encrypt the PSK in any IOS image with the advanced security feature set, starting around 12.4 iirc.

e.g.

Before enabling encryption the PSK lines look like this:

  pre-shared-key address 192.0.2.1 key mypasswordintheclear
  pre-shared-key address 192.0.2.2 key mypasswordintheclear


And after:

  pre-shared-key address 192.0.2.1 key 6 A_XHDqUae_PAOPCUQUlDoNcPiKhEcE[
  pre-shared-key address 192.0.2.2 key 6 BDLJbF`SXINVWObsgP]UGWgQeJBPIA


The latter is secured with AES (key type 6), and the cleartext PSK cannot be recovered from the config.
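As an added example (not part of the original post): a small Python audit script that finds PSK lines in a saved config, reports which are still cleartext versus type 6, and redacts the cleartext ones before the config is sent anywhere. It assumes the keyring `pre-shared-key ... key [6] <value>` form shown above; the global `crypto isakmp key ...` form it also handles is an assumed syntax, `password encryption aes` is used as the indicator that type 6 is switched on, and the sample config is constructed, not a real device dump.

```python
"""Audit a Cisco IOS config for cleartext IPsec pre-shared keys and redact them.

Added example, not code from the original post. The keyring form of the PSK
line is the one shown in the post; the `crypto isakmp key` form is assumed.
"""
import re
from typing import Dict, List

# Keyring form (as in the post):  pre-shared-key address <ip> [mask] key [6] <value>
_KEYRING_RE = re.compile(
    r"^(?P<indent>\s*)pre-shared-key\s+"
    r"(?P<sel>address\s+\S+(?:\s+\d+\.\d+\.\d+\.\d+)?|hostname\s+\S+)\s+"
    r"key\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)
# Global ISAKMP form (assumed syntax): crypto isakmp key [6] <value> address <ip> ...
_ISAKMP_RE = re.compile(
    r"^(?P<indent>\s*)crypto\s+isakmp\s+key\s+(?:(?P<type>\d)\s+)?"
    r"(?P<value>\S+)\s+(?P<sel>(?:address|hostname)\s+.+?)\s*$"
)
# Presence of this line means type 6 encryption is enabled on the box.
_AES_RE = re.compile(r"^\s*password\s+encryption\s+aes\s*$")

REDACTED = "<REDACTED>"

# Constructed sample config: one global ISAKMP key, one cleartext keyring key,
# one type 6 keyring key (the blob is the one shown in the post).
SAMPLE_CONFIG = """\
!
crypto isakmp key hubsecret address 192.0.2.10
crypto keyring BRANCH
  pre-shared-key address 192.0.2.1 key mypasswordintheclear
  pre-shared-key address 192.0.2.2 255.255.255.255 key 6 BDLJbF`SXINVWObsgP]UGWgQeJBPIA
!
"""


def find_psks(config: str) -> List[Dict]:
    """Return one record per PSK line: line number, form, selector, key type, value."""
    found = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for form, rx in (("keyring", _KEYRING_RE), ("isakmp", _ISAKMP_RE)):
            m = rx.match(line)
            if m:
                # No type number in front of the value means cleartext (type 0).
                ktype = m.group("type") or "0"
                found.append({"line": lineno, "form": form, "selector": m.group("sel"),
                              "type": ktype, "value": m.group("value")})
                break
    return found


def cleartext_psks(config: str) -> List[Dict]:
    """Only the PSK lines that are NOT type 6, i.e. readable by anyone holding the config."""
    return [p for p in find_psks(config) if p["type"] != "6"]


def type6_enabled(config: str) -> bool:
    """True if `password encryption aes` is present (a `no ...` form does not match)."""
    return any(_AES_RE.match(line) for line in config.splitlines())


def redact(config: str) -> str:
    """Replace every cleartext PSK value with a placeholder.

    Type 6 blobs are left alone: they are useless without the device's master key.
    """
    out = []
    for line in config.splitlines():
        for rx in (_KEYRING_RE, _ISAKMP_RE):
            m = rx.match(line)
            if m and (m.group("type") or "0") != "6":
                start, end = m.span("value")
                line = line[:start] + REDACTED + line[end:]
                break
        out.append(line)
    return "\n".join(out) + ("\n" if config.endswith("\n") else "")


def audit(config: str) -> Dict:
    """Summary a practitioner can act on before the config leaves the box."""
    clear = cleartext_psks(config)
    return {
        "type6_enabled": type6_enabled(config),
        "total_psks": len(find_psks(config)),
        "cleartext_psks": len(clear),
        "cleartext_lines": [p["line"] for p in clear],
        "safe_to_share": not clear,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(redact(SAMPLE_CONFIG))
```

Run it against a `show running-config` capture: `safe_to_share` is false whenever any PSK is still type 0, and `redact()` gives you a copy you can attach to a ticket or e-mail without leaking the keys.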

This is done with the following IOS config lines:


config term
 key config-key password-encrypt mykeyhere
 password encryption aes
end


Now the key points to take away:

  •   type 6 encrypted keys are not recoverable from the config
  •   if you forget your PSK and the far end cannot confirm it either, you are left with no choice but to re-key with a new PSK

NOTE: if you try to undo the encryption, you will be reminded via this warning:

config t
no key config-key password-encrypt

WARNING: All type 6 encrypted keys will become unusable
Continue with master key deletion ? [yes/no]: yes
 
I hope you find this tip useful, and we should always change the VPN PSK on a regular cycle imho.

Ken Felix
Freelance Network/Security  Engineer
kfelix -------at----- hyperfeed -------dot----com

       ^     ^
= ( @   @ ) =
          o
         ~
