Junos OS


About $ 9 $ format or $ 8 $ format of the master-password documentation

  • 1.  About $ 9 $ format or $ 8 $ format of the master-password documentation

    Posted 09-05-2019 20:06

    The master-password documentation says $ 9 $ format or $ 8 $ format.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/master-password-configuration-encryption.html#id-hardening-shared-secrets-in-junos-os

     

    Do you know what the specific formats are?



  • 2.  RE: About $ 9 $ format or $ 8 $ format of the master-password documentation

    Posted 09-05-2019 21:10

    Master password uses $8$ format.

    $9$ format (existing format)  is used to encrypt secrets like the RADIUS password, IKE preshared keys, and other shared secrets in the Junos OS configuration. 

     



  • 3.  RE: About $ 9 $ format or $ 8 $ format of the master-password documentation

     
    Posted 09-06-2019 12:00

    Hi

    The $9 format employs an obfuscation algorithm to map strings (weak encryption). Encoding involves a header of starting noise, followed by string encoding under essentially a Vigenère cipher.

     

    If you want a strong encryption for your configuration secrets, you can configure a master password. The master password is used to derive an encryption key that is used with AES256-GCM to encrypt configuration secrets. This new encryption method uses the $8$ formatted strings.

     

    The $8$-encrypted passwords have the following format:

    $8$crypt-algo$hash-algo$iterations$salt$iv$tag$encrypted

     

    Format description:

    crypt-algo: Encryption/decryption algorithm to be used. Currently only AES256-GCM is supported.

    hash-algo: Hash (prf) algorithm to be used for the PBKDF2 key derivation.

    iterations: The number of iterations to use for the PBKDF2 hash function. Current iteration-count default is 100. The iteration count slows the hashing count, thus slowing attacker guesses.

    salt: Sequence of ASCII64-encoded pseudorandom bytes generated during encryption that are to be used to salt (a random, but known string) the password and input to the PBKDF2 key derivation.

    iv: A sequence of ASCII64-encoded pseudorandom bytes generated during encryption that are to be used as initialization vector for the AES256-GCM encryption function.

    tag: ASCII64-encoded representation of the tag.

    encrypted: ASCII64-encoded representation of the encrypted password.

     

    Hope this helps.
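The field layout described in the post above can be used to audit a configuration for secrets that are still stored in the `$9$` format. The following is an added example, not part of the original post and not Juniper code: the function names are hypothetical, it assumes no field contains a `$`, and the `$8$` strings and config lines are constructed samples.

```python
import re
from collections import namedtuple

Secret8 = namedtuple(
    "Secret8", "crypt_algo hash_algo iterations salt iv tag encrypted")

def parse_secret8(value: str) -> Secret8:
    """Split a $8$ string into the seven fields listed in the post."""
    parts = value.split("$")
    # The leading "$" yields an empty first element, then "8", then 7 fields.
    if len(parts) != 9 or parts[0] != "" or parts[1] != "8":
        raise ValueError("not a $8$ string with seven fields")
    crypt, prf, iters, salt, iv, tag, enc = parts[2:]
    if crypt.lower() != "aes256-gcm":  # the only algorithm the post lists
        raise ValueError(f"unsupported crypt-algo {crypt!r}")
    if not (iters.isascii() and iters.isdigit()) or int(iters) < 1:
        raise ValueError(f"bad iteration count {iters!r}")
    if not all((prf, salt, iv, tag, enc)):
        raise ValueError("empty field")
    return Secret8(crypt, prf, int(iters), salt, iv, tag, enc)

def classify(value: str) -> str:
    """Label a stored secret by the protection its prefix implies."""
    if value.startswith("$9$"):
        return "obfuscated"  # reversible without any key
    if value.startswith("$8$"):
        try:
            parse_secret8(value)
        except ValueError:
            return "malformed"
        return "aes256-gcm"
    return "unknown"

SECRET = re.compile(r'"(\$[0-9]\$[^"\s]*)"')

def audit(config_text: str) -> list:
    """Return (line number, label) for every quoted $N$ secret found."""
    return [(n, classify(m.group(1)))
            for n, line in enumerate(config_text.splitlines(), 1)
            for m in SECRET.finditer(line)]

# Constructed sample: the $9$ value is the one quoted in this thread; the $8$
# values are made-up placeholders, not real ciphertext.
SAMPLE8 = "$8$aes256-gcm$hmac-sha2-256$100$c2FsdA$aXZpdml2$dGFndGFn$ZW5jcnlwdGVk"
SAMPLE_CONFIG = f'''set system radius-server 192.0.2.1 secret "$9$01X/1EyM87s2alK2aZU.mO1R"
set system radius-server 192.0.2.2 secret "{SAMPLE8}"
set system radius-server 192.0.2.3 secret "$8$aes256-gcm$hmac-sha2-256$100$c2FsdA"
'''
```

Calling `audit(SAMPLE_CONFIG)` labels line 1 as obfuscated, line 2 as AES256-GCM, and line 3 as malformed because it is truncated after the salt.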



  • 4.  RE: About $ 9 $ format or $ 8 $ format of the master-password documentation

    Posted 09-11-2019 23:15

    Hi all.

    I have a similar question.

    Is "$9$ format" a Junos term?

    I googled "$9$ format", but I cannot find a general meaning.

    In $9$ or $8$, what do the numbers mean?

     

    Regards,



  • 5.  RE: About $ 9 $ format or $ 8 $ format of the master-password documentation

     
    Posted 09-12-2019 17:06

    Hi

    The '$9' or '$8' represents the starting string in the encrypted password (which is being shown in configuration) and indicates the type of encryption used.

    e.g.:

    "$9$01X/1EyM87s2alK2aZU.mO1R"

    $9 format in Juniper is similar to the type 7 in Cisco

     

     

    Regards

     



  • 6.  RE: About $ 9 $ format or $ 8 $ format of the master-password documentation

    Posted 09-12-2019 18:24

    Hi, Is there a table for $ 9 format?



  • 7.  RE: About $ 9 $ format or $ 8 $ format of the master-password documentation

     
    Posted 09-13-2019 12:19

    Hi 

    $9 does not have a structured format, unlike $8. It is encrypted by shifting the alphabets like a Vigenère cipher

    https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher