| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Mar 2013 19:13:59 +0100 From: Per Thorsheim <per@...rsheim.net> To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net> Subject: Re: [PHC] Password Hashing done wrong on CISCO IOS Den 21. mars 2013 kl. 18:15 skrev Marsh Ray <maray@...rosoft.com>: >> -----Original Message----- >> From: Per Thorsheim [mailto:per@...rsheim.net] >> Discovered & responsibly reported to Cisco by Jens Steube (+friend). Jens >> happens to be atom@...hcat.net, who should be a well-known person to >> this list I guess. ;-) > > Think we'll learn the details of the implementation error? > Well, at least I guess Jens should be able to share his side of this, but honestly I don't think that's the interesting part. This has to be a serious implementation error by somebody who doesn't know crypto well enough, and (crypto) QA / testing before the affected versions of IOS got released must have been weak, if at all present over the usual "if it reboots fine all is good" testing. Being pretty close to clueless about crypto myself, I can easily understand anyone who make mistakes when implementing it. However the difference between what should have been and what actually got implemented here sounds *very* far apart. That makes the entire process from implementation to release look even worse. I can only hope this was a "one-time event" due to a number of errors & failures throughout a rather large part of the lifecycle process at Cisco. While this implementation error may be bad, the root cause is much more of concern and potentially a problem to Cisco. Lets hope they get it right next time. Best regards, Per Thorsheim
Powered by blists - more mailing lists