lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 21 Mar 2013 19:13:59 +0100
From: Per Thorsheim <>
To: "" <>
Subject: Re: [PHC] Password Hashing done wrong on CISCO IOS

Den 21. mars 2013 kl. 18:15 skrev Marsh Ray <>:

>> -----Original Message-----
>> From: Per Thorsheim []
>> Discovered & responsibly reported to Cisco by Jens Steube (+friend). Jens
>> happens to be, who should be a well-known person to
>> this list I guess. ;-)
> Think we'll learn the details of the implementation error?
Well, at least I guess Jens should be able to share his side of this, but honestly I don't think that's the interesting part. This has to be a serious implementation error by somebody who doesn't know crypto well enough, and (crypto) QA / testing before the affected versions of IOS got released must have been weak, if at all present over the usual "if it reboots fine all is good" testing.

Being pretty close to clueless about crypto myself, I can easily understand anyone who make mistakes when implementing it. However the difference between what should have been and what actually got implemented here sounds *very* far apart. That makes the entire process from implementation to release look even worse. I can only hope this was a "one-time event" due to a number of errors & failures throughout a rather large part of the lifecycle process at Cisco.

While this implementation error may be bad, the root cause is much more of concern and potentially a problem to Cisco. Lets hope they get it right next time.

Best regards,
Per Thorsheim

Powered by blists - more mailing lists