djeraseit / passlib

Automatically exported from code.google.com/p/passlib

PIX/ASA Has Incomplete Algorithm #51

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
PIX/ASA code 7.0 and later increases the maximum password length to 32 
characters.  When Cisco implemented this change in length, they also altered the 
algorithm.  The following explains the alterations to the algorithm.

https://github.com/stekershaw/asa-password-encrypt/blob/master/README.md

My testing shows that it actually is slightly different than described here, 
and is as follows.

Password Length - Action

1-12 Characters  - Original PIX implementation
13-27 Characters - Original but Pad/Trim to 32 bytes instead of 16
28-32 Characters - Do not append username, Pad/Trim to 32 bytes

I have implemented this in my clone of the repository and successfully tested 
this against ASA code bases.

https://code.google.com/r/darrel-passlib/source/list

Original issue reported on code.google.com by darrel@darrelclute.net on 4 Jun 2014 at 2:03
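As an added illustration of the three length regimes in the table above (this is example code written for this page, not the passlib implementation or the reporter's clone; the drop-every-4th-byte step and the crypt-style hash64 alphabet are the standard PIX encoding, and passwords are assumed to be ASCII so that characters and bytes coincide):

```python
import hashlib

# crypt-style "hash64" alphabet used by the PIX/ASA "encrypted" format
H64_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def h64_encode(data: bytes) -> str:
    """Little-endian hash64: every 3 bytes become 4 six-bit characters."""
    assert len(data) % 3 == 0
    out = []
    for i in range(0, len(data), 3):
        v = data[i] | (data[i + 1] << 8) | (data[i + 2] << 16)
        out.extend(H64_ALPHABET[(v >> shift) & 0x3F] for shift in (0, 6, 12, 18))
    return "".join(out)


def _finish(block: bytes) -> str:
    """MD5 the padded block, drop every 4th digest byte (16 -> 12), encode."""
    digest = hashlib.md5(block).digest()
    kept = bytes(b for i, b in enumerate(digest) if i % 4 != 3)
    return h64_encode(kept)


def pix_hash(password: str, user: str = "") -> str:
    """Original PIX (pre-7.0): secret + first 4 chars of username, pad/trim to 16."""
    secret = (password + user[:4]).encode("ascii")
    return _finish(secret[:16].ljust(16, b"\x00"))


def asa_hash(password: str, user: str = "") -> str:
    """PIX/ASA 7.0+ as described in the issue: rules keyed on password length."""
    n = len(password)
    if n <= 12:                      # 1-12 chars: unchanged from PIX
        return pix_hash(password, user)
    secret = password.encode("ascii")
    if n <= 27:                      # 13-27 chars: username still appended
        secret += user[:4].encode("ascii")
    return _finish(secret[:32].ljust(32, b"\x00"))   # 28-32: no username


if __name__ == "__main__":
    # constructed sample inputs, one per regime
    for pw in ("cisco", "a" * 20, "b" * 30):
        print(f"{len(pw):2d} chars  pix={pix_hash(pw, 'admin')}  asa={asa_hash(pw, 'admin')}")
```

The well-known PIX default credential `cisco` (no username) encodes to `2KFQnbNIdI.2KYOU`, which serves as a check that the encoding step matches real devices.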

GoogleCodeExporter commented 9 years ago
My apologies for not responding to this sooner. 

Thanks for noticing that update, and especially for including a reference.

I'd rather not change the existing cisco_pix class, since that would break the 
behavior for 13+ char passwords (there are already a few such in passlib's 
unittests).  But this looks like a good addition as a separate cisco_pix7 hash. 

And I'd definitely love a link to the ASA code bases you tested it against... 
adding a new hash means adding the need for a bunch of reference test vectors :)

Original comment by elic@astllc.org on 16 Jun 2014 at 8:10

GoogleCodeExporter commented 9 years ago
I'd suggest, if a new class is built, doing so as cisco_asa: it's effectively the 
same product, but there isn't code older than 7.0 that will work with the ASA.  
Just a suggestion though.  We'd also want to put a disclaimer that the 
cisco_pix class is for versions older than 7.0, and cisco_asa would be for 
everything 7.0 or newer.

I do not have links to versions that I can distribute, all of them were gained 
because of having access to SmartNet contracts with the product lines.  The 
versions that I tested on were 7.0.7, 7.2.4 and 8.0.4, both on PIX and ASA.  I 
also tested on 8.4.5, 9.1.4 and 9.1.5 on the ASA.

I tested this by using the modified class, as well as a paramiko connection to 
the ASAs, and compared the generated hashes from both the library as well as 
the devices to ensure that they were the same, not just between the library and 
a single device but also across versions.  I had done this with a series of 
usernames as well as a range of random passwords from 2 to 32 characters in 
length.  I could generate a table of these on a device and we can use these as 
the known hashes; what sample size would you prefer?

Original comment by darrel@darrelclute.net on 16 Jun 2014 at 11:08

GoogleCodeExporter commented 9 years ago
> I had done this with a series of usernames as well as a range of random 
> passwords from 2 to 32 characters in length.  I could generate a table of these 
> on a device and we can use these as the known hashes; what sample size would 
> you prefer?

Samples would be wonderful! If you wanted to post the entire set you were 
testing with, that'd be fine with me -- I can pare it down to the essential 
ones later if needed. A good sample of different user name & password sizes 
(particularly on / around those borders you identified) would be great.  

Also, if you have any way to enter weird chars (accented characters, 0x01 - 0x19 
control chars, etc), I'd like to have those in the tests as well, to verify 
unicode behavior.

I'm hoping to get this included in Passlib 1.7, which I'm hoping to get rolled out 
by the end of 2015 Q1.

- Eli

Original comment by elic@astllc.org on 25 Jan 2015 at 6:23