Question : Problem: should I leave the "enc_GroupPwd" parameter in .pcf file filled in

Experts,
I am configuring connection entries for Cisco VPN client 4.8.1 and am wondering if it is ok to leave the "enc_GroupPwd" parameter filled in on the .pcf file for distrobution. Would this be a security risk?

My cofig looks like this (xxxx means private info):
[main]
Description=XXXXX
Host=XXXXX
AuthType=1
GroupName=XXXXX
GroupPwd=
enc_GroupPwd=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EnableISPConnect=0
ISPConnectType=1
ISPConnect=
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=XXXX
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=XXXXX
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=XXXXX
SendCertChain=0
VerifyCertDN=
DHGroup=2
ForceKeepAlives=0
PeerTimeout=90
EnableLocalLAN=0

Thanks,

Answer : Problem: should I leave the "enc_GroupPwd" parameter in .pcf file filled in

The algorithm is actually flawed and crackable , there are tools availble to crack it  so its pretty easy to crack.

The current date as a string is retrieved (e.g. Mon Sep 19 20:00:00 2005)
 * Then a SHA-1 Hash h1 is computed (20 Bytes)
 * h1 is modified and a new Hash h2 is calculated
 * h1 is again modified and h3 is calculated
 * the 3DES key is made of h2 and the first 4 bytes of h3
 * The password is encrypted using 3DES in CBC Mode. The IV consists of the first 8 Bytes from h1.
 * The algorithm computes a last hash h4 from the encrypted pasword
 * The key enc_UserPassword in our profile file now looks like ths: h1|h4|encrypted password


But the question is why would i go to the trouble of trying to crack the password when i can simply import the pcf into a cisco VPn client and not need to know the password at all to gain access to attempting to login to the tunnel.

Random Solutions  
 
programming4us programming4us