Yet another Huawei weak password encryption scheme

Author: Roberto Paleari (@rpaleari)

Some months ago, we blogged about a weak password encryption scheme used by several Huawei products. In a nutshell, this scheme obfuscates and encrypts the password using DES with a hard-coded key.

After our notification, Huawei published a security advisory describing this issue. According to their advisory, Huawei's solution was to "abandon DES algorithm and adopt AES256 algorithm". We were quite intrigued by this statement, also because the problem was not the adoption of DES per se, but the use of a hard-coded encryption key and no password salting. Thus, we decided to investigate the new AES256 scheme.

Unfortunately, we soon realized the new scheme is affected by security weaknesses very similar to those identified in the previous encryption scheme. Briefly, passwords encrypted with the new scheme can be recognized by the "%$%$" header and trailer. Decryption works as follows:
  1. Leading and trailing occurrences of the string "%$%$" are removed.
  2. The ASCII encrypted text is translated into a binary string, using a custom algorithm.
  3. An AES key is derived by changing a few bytes of a hard-coded password with a password salt (also stored with the encrypted text).
  4. AES 256 is applied, using the derived AES key and a hard-coded IV.
A Python procedure that implements this decryption algorithm is available here. Upon termination, procedure decrypt_password() returns the clear-text password.

We notified Huawei about this new weak encryption key on February 11th, 2013. As a countermeasure, we suggested storing only the cryptographic hash value of sensitive data (e.g., passwords and SNMP communities).

To the best of our knowledge, the only sensitive value currently stored using a hash is the console password. In this case, the device pads the clear-text password with NULLs to reach a length of 16 bytes, then computes a SHA-256 hash over the resulting string. Finally, the hash is encrypted using the custom "AES256" scheme described above. In all the other cases (e.g., user passwords and SNMP communities) the device simply encrypts the clear-text password using the "AES256" scheme.
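
The console-password handling described above, as an added example (not the author's decryption procedure and not Huawei code): it computes the NUL-padded SHA-256 digest, groups devices whose digests collide because nothing is salted, and contrasts that with a salted PBKDF2 record. The function names, the device inventory and the PBKDF2 parameters are assumptions made for illustration, and the "AES256" wrapping layer is left out.

```python
import hashlib
import hmac
import os

PAD_LEN = 16  # the page states the password is NUL-padded to 16 bytes


def console_digest(password):
    """SHA-256 over the NUL-padded password, as described for the console password."""
    raw = password.encode("ascii")
    if len(raw) > PAD_LEN:
        # Assumption: the page does not say how longer passwords are handled.
        raise ValueError("behaviour beyond 16 bytes is not described on the page")
    return hashlib.sha256(raw.ljust(PAD_LEN, b"\x00")).digest()


def shared_digests(devices):
    """Group device names whose console digest is identical (same password)."""
    groups = {}
    for name, password in devices.items():
        groups.setdefault(console_digest(password).hex(), []).append(name)
    return {d: sorted(n) for d, n in groups.items() if len(n) > 1}


def salted_record(password, salt=None, iterations=600_000):
    """Hypothetical hardened storage: random per-record salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_salted(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], key)


if __name__ == "__main__":
    # Constructed inventory: two devices share one console password.
    inventory = {"sw-1": "Console#1", "sw-2": "Console#1", "rt-1": "Other#2"}
    for digest, names in shared_digests(inventory).items():
        print("same unsalted digest on", names, digest[:16] + "...")
    (s1, k1), (s2, k2) = salted_record("Console#1"), salted_record("Console#1")
    print("salted records differ:", k1 != k2, "| verifies:", verify_salted("Console#1", s1, k1))
```

Because the unsalted digest depends only on the password, recovering it from one configuration identifies every device that reuses that password; the salted records do not have this property.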