[rancid] Update configs by an external means

doug.hughes at keystonenap.com
Fri Oct 6 01:08:31 UTC 2017


ha. Simple obfuscation.

It seems like it wouldn't be too difficult to take the shared-secrets, not print them into the main config, and store them in a separate file that wouldn't be svn diffed.... I think..


Sent from my android device.

-----Original Message-----
From: Alex DEKKER <rancid at ale.cx>
To: rancid-discuss at shrubbery.net
Sent: Thu, 05 Oct 2017 18:46
Subject: Re: [rancid] Update configs by an external means

The encryption key for the tunnel must be encrypted with some kind of 
reversible encryption [not least because you can see it unencrypted in 
the web interface]. The shared-secret field is also present in lots of 
places other than VPN tunnels [eg RADIUS secrets].

I have done some testing:
- Any of the outputted versions of the shared-secret work and decrypt 
back to the same shared-secret.
- Large amounts of the shared-secret are padding [to be expected really 
as the plaintext shared secret is of variable length but always encodes 
to the same length].

For example, the shared-secret 'bagsworth' encrypted to:

shared-secret 
4,e903b6311e5e345e6d36a055d78ee628c21bf9176ed43d083408218d71e48e9425f69649f36783318de12f1ea0b0c90b6d623f71f17b7aade8d2570d9d14d10ea4ea5c0834f337bfb2031a84baadd3005b3808f2de576a89be1707dc9d138fbd2eb3d8785ce16259a340a87d515c678731b1489409b766165cdbc58dae13b104cacb2b656903c50a

which through trial and error, could be input as:

shared-secret 
4,e903b6311e5e345e6d36a055d78ee628c21bf9176ed43d0800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

and still decrypt correctly. Replace the final 8 with a zero and it 
decrypts as bagswort��G<lots of nonsense>.

alexd

On 05/10/17 16:05, Doug Hughes wrote:
>
> It would be interesting to know if:
>
> - you can restore the shared-secret from any of the various outputted ones
> - you can only restore from the latest one
> - you can restore without having it at all.
>
> Do you have any test devices to confirm?
>
> It strikes me as slightly problematic from a security perspective that 
> it would be possible to restore from any of these, because it means 
> that you can just keep dumping the config over and over and over again 
> and get a large sampling of these encrypted strings. If they are all 
> equivalent, it implies that the key space may not be sufficient since 
> the more you print it, there's a lot of information leakage.
>
>
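
Doug's suggestion of keeping the shared-secret values out of the diffed config, sketched as an added example (not RANCID code and not written by either poster). The placeholder format, the function names and the sample config lines are assumptions made for illustration.

```python
import json
import os
import re

# "shared-secret <type>,<hex>"; the value may be wrapped onto the next line,
# as it is in the mail text above.
SECRET_RE = re.compile(
    r"^([ \t]*shared-secret)[ \t]*\n?[ \t]*(\d+,[0-9a-fA-F]+)[ \t]*$",
    re.MULTILINE,
)
PLACEHOLDER_RE = re.compile(r"^([ \t]*shared-secret) <removed:(\d+)>$", re.MULTILINE)


def split_secrets(config):
    """Return (sanitized config, list of removed values in order)."""
    secrets = []

    def swap(m):
        secrets.append(m.group(2))
        return f"{m.group(1)} <removed:{len(secrets) - 1}>"

    return SECRET_RE.sub(swap, config), secrets


def merge_secrets(sanitized, secrets):
    """Rebuild a restorable config from the sanitized text and the side list."""
    return PLACEHOLDER_RE.sub(
        lambda m: f"{m.group(1)} {secrets[int(m.group(2))]}", sanitized
    )


def write_side_file(path, secrets):
    """Store the values in a separate file, readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(secrets, fh)


# Constructed sample: two dumps of one device whose encoded value changed
# between runs (made-up config lines and values, not real device output).
DUMP_A = "server 192.0.2.10\n shared-secret 4,aa11bb22cc33\n!\n"
DUMP_B = "server 192.0.2.10\n shared-secret \n4,dd44ee55ff66\n!\n"

if __name__ == "__main__":
    clean_a, sec_a = split_secrets(DUMP_A)
    clean_b, sec_b = split_secrets(DUMP_B)
    print(clean_a == clean_b)  # the diffed text no longer changes per dump
    print(merge_secrets(clean_b, sec_b))
```

Only the sanitized text would be committed; the side file stays outside the working copy and is merged back in when a config has to be restored.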
