Some months ago, we blogged about a weak password encryption scheme used by several Huawei products. In a nutshell, this scheme obfuscates and encrypts the password using DES with a hard-coded key.
After our notification, Huawei published a security advisory describing this issue. According to their advisory, Huawei solution was to "abandon DES algorithm and adopt AES256 algorithm". We were quite intrigued by this statement, also because the problem was not the adoption of DES per se, but the use of a hard-coded encryption key and no password salting. Thus, we decided to investigate the new AES256 scheme.
Unfortunately, we soon realized the new scheme is affected by security weaknesses very similar to those identified in the previous encryption scheme. Briefly, passwords encrypted with the new scheme can be recognized by the "%$%$" header and trailer. Decryption works as follows:
We notified Huawei about this new weak encryption key on February 11th, 2013. As a countermeasure, we suggested to store only the cryptographic hash value of sensitive data (e.g., passwords and SNMP communities).
To the best of our knowledge, the only sensitive value currently stored using a hash is the console password. In this case, the device pads with NULLs the clear-text password to reach a length of 16 bytes, then computes a SHA-256 hash over the resulting string. Finally, the hash is encrypted using the custom "AES256" scheme described above. In all the other cases (e.g., user passwords and SNMP communities) the device simply encrypts the clear-text password using the "AES256" scheme.
After our notification, Huawei published a security advisory describing this issue. According to their advisory, Huawei solution was to "abandon DES algorithm and adopt AES256 algorithm". We were quite intrigued by this statement, also because the problem was not the adoption of DES per se, but the use of a hard-coded encryption key and no password salting. Thus, we decided to investigate the new AES256 scheme.
Unfortunately, we soon realized the new scheme is affected by security weaknesses very similar to those identified in the previous encryption scheme. Briefly, passwords encrypted with the new scheme can be recognized by the "%$%$" header and trailer. Decryption works as follows:
- Leading and trailing occurrences of string "%$%$" are removed.
- The ASCII encrypted text is translated into a binary string, using a custom algorithm.
- An AES key is derived by changing few bytes of a hard-coded password with a password salt (also stored with the encrypted text).
- AES 256 is applied, using the derived AES key and a hard-coded IV.
We notified Huawei about this new weak encryption key on February 11th, 2013. As a countermeasure, we suggested to store only the cryptographic hash value of sensitive data (e.g., passwords and SNMP communities).
To the best of our knowledge, the only sensitive value currently stored using a hash is the console password. In this case, the device pads with NULLs the clear-text password to reach a length of 16 bytes, then computes a SHA-256 hash over the resulting string. Finally, the hash is encrypted using the custom "AES256" scheme described above. In all the other cases (e.g., user passwords and SNMP communities) the device simply encrypts the clear-text password using the "AES256" scheme.
Can you confirm the model(s) tested on for this issue?
ReplyDeleteSorry for the (very) late reply: we tested this issue on a AR1220 router.
DeleteCould you provide a sample enciphered key as that decode method does not seem to work.
ReplyDeleteSure, the following string decodes to "emaze":
Delete%$%$E_$9/>PD%Y2/yE;j:W+>,0'{%$%$
Thats great thanks
DeleteLonger passwords change the cipher length to 48 (from 24). Then the Python script does not work anymore. What do I need to change to decode the following?
Delete%$%$2o_**!=WaP\X|uC)lU)C.&Z~uf.Q%gw=t<%$U^HdP{=N&ZB.%$%$
Longer passwords change the cipher length to 48 (from 24). Then the Python script does not work anymore. What do I need to change to decode the following?
ReplyDelete%$%$2o_**!=WaP\X|uC)lU)C.&Z~uf.Q%gw=t<%$U^HdP{=N&ZB.%$%$
I see that the newest Huawei firmware changed the encryption scheme. Ciphers are now enclosed by %@%@ instead of %$%$
ReplyDeleteabcdefgh is encoded to
%@%@h!d9FrDys$f4dX.tqrXI~`g3%@%@.
abcedfghij0123456789 is encoded to %@%@N(!P0M6|OKues.9N~&VU~axRx[588c8f%L*y9$DcV=>KaxU~%@%@
How is this done?
Why is this forum so quiet???
ReplyDeleteCan someone please tell me how to generate the cipher. Especially with longer passwords. It seems that it works in blocks of 16 characters...
Can you decrypt cipher password below ?
ReplyDelete%$%$tPcu;1_m0>7]riEjnMMK,jaX%$%$
Help me please. Thanks a lot !!!
Can You please decrypt this?:
ReplyDelete%$%$MG3c3an_o*[N1J/=P4b5,kbYJ1[($sBY2#K8:A:H
how to use your script? Thank you to make an example
ReplyDeleteThis comment has been removed by the author.
ReplyDeletehello,
ReplyDeleteCan some help me decrypt this:-
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!