topic Re: How are passwords and keys stored in PAN xml config files in General Topics

How are passwords and keys stored in PAN xml config files

rajqfs — Mon, 12 Dec 2011 19:20:28 GMT

Are they hashed before storing them in the config files? By the looks of them, it seems like the PAN appliance is storing them in an encrypted format. If so, can they be decrypted?

For example, an OSPF key is stored as follows

"-AQ==xxxxxxxxxxxxx=xxxxxxxxxxxxx=="

This pattern can be observed in almost all of the keys/passwords stored in the XML config. Is there a way to decrypt these keys. I am particularly interested in the OSPF MD5 keys as I need to add new routers to our network but I don't know the key.

Has anyone successfully decrypted a PAN key?

Thanks.

Re: How are passwords and keys stored in PAN xml config files

acamacho — Thu, 15 Dec 2011 18:57:19 GMT

Yes the passwords are hashed on the config file.

I have not heard of any case where someone has every decrypted the password or keys.

Below is a password policy document that might assist with your question.

Re: Password Policy

Hello,

This option is available by enabling FIPS mode (FIPS 140-2) on the FW, though the following options will also apply:

Federal Information Processing Standards Support:

• To log into the firewall, the browser must be TLS 1.0 compatible.

• All passwords on the firewall must be at least six characters.

• Accounts are locked after the number of failed attempts that is configured on theDevice > Setup > Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out; however in FIPS mode, and lockout time is required.

• The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.

• Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.

• When configuring IPSec, a subset of the normally available cipher suites is available.

• Self-generated and imported certificates must contain public keys that are 2048 bits (or more).

• The serial port is disabled.

• Telnet, TFTP, and HTTP management connections are unavailable.

• Surf control is not supported.

• High availability (HA) encryption is required.

• PAP authentication is disabled..

Below is a Knowledgepoint Article regarding FIPS Mode:

https://live.paloaltonetworks.com/docs/DOC-1536

FIPS mode (enabling/details) can be referenced as well via your Admin Guide.

Re: How are passwords and keys stored in PAN xml config files

rajqfs — Thu, 15 Dec 2011 19:02:28 GMT

Hi. Thank you for your reply.

After going through the config files of different devices, I am pretty sure the passwords are not hashed but are encrypted.

What we see in the configuration files are definitely not hashes. So the PAN device must be doing something behind the scenes to decrypt these when using them. The question is what encryption/decryption scheme is being used in this case.

Thanks.

Re: How are passwords and keys stored in PAN xml config files

essnet — Fri, 16 Dec 2011 10:31:42 GMT

PAN documentation seems to be clear about it : XML config stored "encrypted" passwords and private keys:

Encrypting Private Keys and Passwords on the Firewall
*Device > Master Key and Diagnostics
Use the Master Key and Diagnostics page to specify a master key to encrypt private keys on the firewall. Private keys are stored in encrypted form by default even if a new master key is not specified.
 





Field


Description




Master Key


Specify the key that is currently used to encrypt all of the private keys andpasswords on the firewall.




New Master Key
Confirm Master Key


To change the master key, enter and confirm a new key.




Life Time


Specify the number of days and hours after which the master key expires.




Time for Reminder


Specify the number of days and hours before expiration when the user isnotified of the impending expiration.




Common Criteria


In Common Criteria mode, additional buttons are available to run acryptographic algorithm self-test and software integrity self-test. A scheduler is also included to specify the times at which the two self-tests will run.

Field	Description
Master Key	Specify the key that is currently used to encrypt all of the private keys andpasswords on the firewall.
New Master Key Confirm Master Key	To change the master key, enter and confirm a new key.
Life Time	Specify the number of days and hours after which the master key expires.
Time for Reminder	Specify the number of days and hours before expiration when the user isnotified of the impending expiration.
Common Criteria	In Common Criteria mode, additional buttons are available to run acryptographic algorithm self-test and software integrity self-test. A scheduler is also included to specify the times at which the two self-tests will run.

My understanding : PaloAlto is using some kind of secret passphrase that is used to encrypt passwords and private keys. If they are using right algorithms, it could be strong protection (AES-256 for example) as long as that passphrase doesn't get out of PA office or it's generated for each box out of factory. If you want extra security, go in Device -> Master Key and diagnostics and change the master key, but make sure you never loose that passphrase or you won't be able to restore from a cold backup.

When you create a case at PA support, you bring them your config XML or tech dump (which contains config). But they never ask you for a password to run their tests, 2 solutions : they change passwords in XML before importing, or they have default master key of all device they sell. I tend to believe second solution

Re: How are passwords and keys stored in PAN xml config files

rajqfs — Fri, 16 Dec 2011 16:11:06 GMT

Thank you. This is what I was looking for. Let me see if I can find out what encryption scheme is being used in this case.

Re: How are passwords and keys stored in PAN xml config files

essnet — Fri, 16 Dec 2011 16:14:51 GMT

I would like it to be documented as well because I found something that disturbs me :

PaloAlto support interface is based on cloud Salesforce.com solution and all attachments to cases (config file and tech dumps for example) are stored on Amazon S3.

It means that beside PaloAlto, SalesForce and Amazon employees may also have access to my configuration files which include some passwords and private keys (in addition of my filtering policies).

Re: How are passwords and keys stored in PAN xml config files

holmesw — Tue, 20 Dec 2011 16:59:24 GMT

You can sanitize the files before shipping them to PAN. I have not had any support problems caused by doing this.

Re: How are passwords and keys stored in PAN xml config files

essnet — Tue, 20 Dec 2011 17:21:51 GMT

Hello,

what do you mean by "sanitize" ?

Re: How are passwords and keys stored in PAN xml config files

holmesw — Tue, 20 Dec 2011 19:11:02 GMT

For sanitization, we use a sed script to remove the encryption strings and usernames from the XML configuration.

s/<phash>.*<\/phash>/<phash>xxxxxxxxxxxxxxxxxxxxxxxxxxx<\/phash>/
s/<secret>.*<\/secret>/<secret>xxxxxxxxxxxxxxxxxxxxxxxxxxx<\/secret>/
s/<key>.*<\/key>/<key>xxxxxxxxxxxxxxxxxxxxxxxxxxx<\/key>/
s/bubba/user1/
s/jimbob/user2/
s/pambob/user3/

...

Re: How are passwords and keys stored in PAN xml config files

Bart_Jocque — Mon, 26 Dec 2011 09:02:37 GMT

So what if you would want to add users via the XML rest API ?

Do you have to create the users with password in clear text or with the hashed password ?
If the answer is hashed-password, how could one generate this hash ?

Re: How are passwords and keys stored in PAN xml config files

essnet — Mon, 26 Dec 2011 09:05:01 GMT

Do you remove private keys also ? I have many private keys here for SSL decryption and VPN.

Re: How are passwords and keys stored in PAN xml config files

holmesw — Tue, 27 Dec 2011 12:55:14 GMT

Yes, we have removed the public and private keys. These seem to be at the beginning of the XML configuration file and can be manually removed.

Re: How are passwords and keys stored in PAN xml config files

essnet — Tue, 27 Dec 2011 12:57:34 GMT

After some investigations, the techdump.tgz file seems to be cleaned of its passwords and private keys, so techdumps are not a threat. Just be careful when you export the config.xml , this one has them all.

Re: How are passwords and keys stored in PAN xml config files

SRA — Thu, 29 Dec 2011 03:15:09 GMT

Hashed password. You can use openssl passwd to compute the md5 phash.

Re: How are passwords and keys stored in PAN xml config files

rgraves — Thu, 29 Dec 2011 03:58:17 GMT

Yes, administrator passwords for login to the firewall are hashed (looks like standard Linux/FreeBSD salted MD5), but what about passwords used externally? For example, the bind-password for LDAP or ActiveDirectory service accounts. Mine starts with <bind-password>-AQ==

Re: How are passwords and keys stored in PAN xml config files

ksteves1 — Tue, 03 Jan 2012 03:29:23 GMT

you can also use the 'request password-hash' operational mode CLI command.

Re: How are passwords and keys stored in PAN xml config files

Bart_Jocque — Tue, 03 Jan 2012 08:11:02 GMT

I also noticed that when I create users via the API in 4.1, I can send the passwords in clear.

Re: How are passwords and keys stored in PAN xml config files

IkramBaharum — Thu, 29 Aug 2013 21:33:37 GMT

guys,

Is this still the case for 5.0.X PAs ?

Re: How are passwords and keys stored in PAN xml config files

mikand — Fri, 30 Aug 2013 21:39:44 GMT

Given that PA recently got approved for various security oriented certificates I sure do hope this has been fixed or at least noted in these tests:

http://researchcenter.paloaltonetworks.com/2013/06/usgv6-for-ipv6-common-criteria-eal-4-and-certifications-that-matter-for-cybersecurity/

http://researchcenter.paloaltonetworks.com/2013/07/update-on-certifications-dept-of-defense-uc-apl/