3 Replies Latest reply: May 12, 2009 2:17 AM by Paul Stewart - CCIE Security

    How the IOS checks passwords against an md5 hash value?

    amine00

      Hi guys,


      First, my understanding of the MD5 hash value was that it's a 128 bit unique value representing an encryption of input data.

      I said unique because when I usually download an iso file of linux, I check its md5 sum and I need to find a given value distributed by the download site. Otherwise, the iso file would be corrupted.


      And my understanding of an authentication process against an md5 hash is that when you type a text password, the router takes this password and applies the md5 algorithm on it to generate a hash, and then compares this calculated hash to the stored hash. If the value is the same, then permission is granted, otherwise permission is denied.


      Ok, now I'm being confused about how Cisco IOS handles an md5 encryption and authentication process because:


      1. Whenever I generate an md5 encrypted password, the resulting hash is different while the password is the same. Example:


      Router(config)#username amine secret cisco
      Router(config)#do sh run | include username
      username amine secret 5 $1$FOMe$cMMrqnqw9JAgymVEUnPWZ1
      Router(config)#username amine secret cisco
      Router(config)#do sh run | include username
      username amine secret 5 $1$BNYO$Tj4TcNVecImsT09EAjS/v0
      Router(config)#username amine secret cisco
      Router(config)#do sh run | include username
      username amine secret 5 $1$J5aF$/SBPqPcwFi./Qiuegp7Ei0
      Router(config)#username amine secret cisco
      Router(config)#do sh run | include username
      username amine secret 5 $1$UebT$9UeSbRVsx7WQW0nErWNPa0


      It seems to me that the hash is not unique. So is there any 'salt' added by the router to the algorithm each time it generates a hash? If so, where is this salt stored? Because it'll be needed to verify an authentication request.


      2. I read that the hash value is usually represented by a 32 digit hexadecimal sequence. Why is that not the case with Cisco IOS?
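Both questions come down to the format of the `secret 5` string. The example below is added here and is not part of the original post or of Cisco's code: it is a pure-Python implementation of the FreeBSD md5-crypt scheme (`$1$salt$hash`), which is what IOS type 5 secrets use. The string is split into three parts, `$1$` (the scheme), a random salt (`FOMe`, `BNYO`, ... in the post), and the digest. The salt is stored in cleartext inside the string itself, which is why the router can recompute the hash at login time, and the 128-bit digest is encoded with a 64-character alphabet (22 characters) rather than as 32 hex digits, which is why it does not look like an ordinary md5sum. The `md5crypt`, `new_hash` and `verify` function names are my own.

```python
"""Added example (not from the original post or from Cisco): md5-crypt as used
by IOS "secret 5" strings, to show where the salt lives and how a login is
checked against the stored value."""
import hashlib
import secrets

MAGIC = b"$1$"
# md5-crypt's own base64-style alphabet (not the RFC 4648 one)
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` characters, 6 bits each, least-significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """Deterministic: the same password and salt always give the same string."""
    pw = password.encode()
    sl = salt.encode()[:8]  # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + sl)
    final = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(final[: min(16, pl)])
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop, makes brute force a bit slower
        c1 = hashlib.md5()
        c1.update(pw if i & 1 else final)
        if i % 3:
            c1.update(sl)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()
    # 16 digest bytes -> 22 output characters, in the scheme's fixed byte order
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + sl + b"$" + out).decode()


def new_hash(password: str) -> str:
    """What the router does on `username ... secret`: pick a fresh 4-char salt.
    That fresh salt is the reason the stored string changes every time."""
    salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(4))
    return md5crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """What the router does at login: read the salt back out of the stored
    string, recompute, and compare in constant time."""
    parts = stored.split("$")  # "$1$FOMe$..." -> ["", "1", "FOMe", "..."]
    if len(parts) != 4 or parts[1] != "1":
        return False
    candidate = md5crypt(password, parts[2])
    return secrets.compare_digest(candidate, stored)


if __name__ == "__main__":
    # One of the strings from the post, produced by a real router for "cisco"
    stored = "$1$FOMe$cMMrqnqw9JAgymVEUnPWZ1"
    print("salt stored inline:", stored.split("$")[2])
    print("login 'cisco' ->", verify("cisco", stored))
    print("login 'Cisco' ->", verify("Cisco", stored))
    print("two new hashes of the same password:", new_hash("cisco"), new_hash("cisco"))
```

Run it and `verify` accepts `cisco` against any of the four strings in the post, because each one carries its own salt. The salt does not need to be secret; its job is to make identical passwords hash differently and to stop precomputed tables. The 1000-round loop is also the only work factor this scheme has, which by today's standards is small; where the IOS release supports it, type 8 (PBKDF2-SHA256) or type 9 (scrypt) secrets are the stronger choice.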