cisco_asa test vectors need verification

Issue #51 resolved
Anonymous created an issue

UPDATE 2016-6-27: Issue was previously named "PIX/ASA Has Incomplete Algorithm". This was fixed in 1.7, with the addition of the "cisco_asa" hash; but the test vectors need verifying on an ASA firewall, see below.


Imported from Google Code

darrel@darrelclute.net wrote:

PIX/ASA code, 7.0 and later increases the maximum password length to 32 characters. When Cisco implemented this change in length they also altered the algorithm. The following explains the alterations to the algorithm.

https://github.com/stekershaw/asa-password-encrypt/blob/master/README.md

My testing shows that it actually is slightly different than described here, and is as follows.

Password Length - Action

1-12 Characters - Original PIX implementation
13-27 Characters - Original but Pad/Trim to 32 bytes instead of 16
28-32 Characters - Do not append username, Pad/Trim to 32 bytes

I have implemented this in my clone of the repository and successfully tested this against ASA code bases.

https://code.google.com/r/darrel-passlib/source/list
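
The three length bands above, written out as an added example (this is not darrel's clone, not passlib's cisco_asa, and not Cisco's code): a small Python implementation of the original PIX algorithm and of the 7.0+ variant exactly as the issue describes it. What the issue does not spell out is taken from passlib's cisco_pix and is an assumption here: the key is the MD5 of the NUL-padded password plus the first four bytes of the username as salt, every fourth digest byte is dropped, and the remaining 12 bytes are encoded as 16 characters of the ./0-9A-Za-z alphabet in little-endian 3-byte groups; UTF-8 is assumed for non-ASCII input, which comment 4 says is unverified. Comment 5 reports that passlib 1.7.1 reworked the edge cases after testing on a real ASA, so treat the bands below as the thread's description, not the verified final algorithm. The same block is the "library side" of the comparison described in comment 2: generate a hash here for a username/password pair and diff it against what the device prints for the same pair.

```python
import hashlib

# Cisco's hash64 alphabet, same character order as md5-crypt uses.
HASH64_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _h64_encode(data: bytes) -> str:
    """Encode 3-byte groups as 4 hash64 chars, low 6 bits of the
    little-endian group value first (assumption: passlib's h64.encode_bytes)."""
    if len(data) % 3:
        raise ValueError("input must be a multiple of 3 bytes")
    out = []
    for i in range(0, len(data), 3):
        v = data[i] | (data[i + 1] << 8) | (data[i + 2] << 16)
        out.extend(HASH64_CHARS[(v >> shift) & 0x3F] for shift in (0, 6, 12, 18))
    return "".join(out)


def _pad_or_trim(key: bytes, size: int) -> bytes:
    """NUL-pad (or truncate) the hash input to exactly `size` bytes."""
    return key[:size].ljust(size, b"\x00")


def _finish(key: bytes) -> str:
    """Shared tail of both variants: MD5, drop every 4th digest byte
    (16 -> 12 bytes), encode the 12 bytes as 16 hash64 characters."""
    digest = hashlib.md5(key).digest()
    kept = bytes(b for i, b in enumerate(digest) if (i + 1) % 4)
    return _h64_encode(kept)


def _salt(user: str) -> bytes:
    # Assumption (from passlib's cisco_pix): only the first 4 bytes of the
    # username are appended as salt; an empty user adds nothing.
    return user.encode("utf-8")[:4]


def pix_hash(password: str, user: str = "") -> str:
    """Original PIX algorithm: password + user salt, padded/trimmed to 16."""
    key = _pad_or_trim(password.encode("utf-8") + _salt(user), 16)
    return _finish(key)


def asa_hash(password: str, user: str = "") -> str:
    """PIX/ASA 7.0+ variant as described in this issue:
      1-12 chars  : identical to the original PIX algorithm
      13-27 chars : append user salt, pad/trim to 32 bytes instead of 16
      28-32 chars : no user salt, pad to 32 bytes
    Passwords over 32 characters are rejected, matching the new limit."""
    pw = password.encode("utf-8")  # assumption: device encodes input as UTF-8
    if len(pw) > 32:
        raise ValueError("ASA 7.0+ passwords are at most 32 characters")
    if len(pw) <= 12:
        return pix_hash(password, user)
    key = pw + _salt(user) if len(pw) <= 27 else pw
    return _finish(_pad_or_trim(key, 32))
```

Two widely published PIX vectors exercise the shared base: the empty password hashes to 8Ry2YjIyt7RRXU24 (the default ASA enable password line) and "cisco" to 2KFQnbNIdI.2KYOU. They say nothing about the 13-32 character bands, which only a real 7.0+ device can confirm; the useful checks there are the boundaries themselves: a 27-character password still changes with the username, a 28-character one does not, and a 13-character one no longer matches what pix_hash produces for it.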

Comments (9)

  1. Eli Collins repo owner
    • removed type

    (Imported from Google Code)

    My apologies for not responding to this sooner.

    Thanks for noticing that update, and especially for including a reference.

    I'd rather not change existing cisco_pix class, since that would break the behavior for 13+ char passwords (there are already a few such in passlib's unittests). But this looks like a good addition as a separate cisco_pix7 hash.

    And would definitely love a link to the ASA code bases you tested it against... adding a new hash means adding the need for a bunch of reference test vectors :)

  2. Anonymous

    (Imported from Google Code)

    darrel@darrelclute.net wrote:

    I'd suggest if a new class is built, to do so as cisco_asa, effectively the same product, but there isn't code older than 7.0 that will work with the ASA. Just a suggestion though. We'd also want to put a disclaimer that the cisco_pix class is for versions older than 7.0, and cisco_asa would be for everything 7.0 or newer.

    I do not have links to versions that I can distribute, all of them were gained because of having access to SmartNet contracts with the product lines. The versions that I tested on were 7.0.7, 7.2.4 and 8.0.4, both on PIX and ASA. I also tested on 8.4.5, 9.1.4 and 9.1.5 on the ASA.

    I tested this by using the modified class, as well as a paramiko connection to the ASA's, and compared the generated hashes from both the library as well as the devices to ensure that they were the same, not just between the library and a single device but also across versions. I had done this with a series of usernames as well as a range of random passwords from 2 to 32 characters in length. I could generate a table of these on a device and we can use these as the known hashes, what sample size would you prefer?

  3. Eli Collins repo owner
    • assigned issue to True
    • changed status to open
    • changed type to enhancement
    • changed Milestone to 1.7

    (Imported from Google Code)

    > I had done this with a series of usernames as well as a range of random passwords from 2 to 32 characters in length. I could generate a table of these on a device and we can use these as the known hashes, what sample size would you prefer?

    Samples would be wonderful! If you wanted to post the entire set you were testing with, that'd be fine with me -- I can pare it down to the essential ones later if needed. A good sample of different user name & password sizes (particularly on/around those borders you identified) would be great.

    Also if you have any way to enter weird chars (accented characters, 0x01 - 0x19 control chars, etc), I like to have those in the tests as well, to verify unicode behavior.

    I'm hoping to get this included in Passlib 1.7, which I'm hoping to get rolled out by the end of 2015 Q1.

    - Eli

  4. Eli Collins repo owner

    Thanks for the implementation! I've merged it into the default branch as of rev ce9717b6a20f -- though it's been split out as a separate "cisco_asa" hash.

    Additionally, that revision also adds test vectors which I think should hit all the border cases of the algorithm, if someone has access to verify them against the official implementation.

    There's also a unicode string at the end -- if Cisco offers some way of typing an "á", it'd be great to determine what encoding they use.

  5. Eli Collins repo owner

    As of 1.7.1, the cisco_asa hash internals were reworked to fix some edge cases, the test suite expanded drastically, and all verified against an ASA 9.6 firewall. Unless there is an unreported change between ASA 7.0 and 9.6's hash algorithm, the ASA hashes should now be reasonably solid.
