Provisioning Lawful Intercept - Cisco ASR 5000 Administration Manual

StarOS release 21.1

Provisioning Lawful Intercept

one-way, it is not possible to derive user passwords from the stored hash values. Thus it is not possible to
convert existing hashed passwords to strongly hashed passwords automatically.
To update the database, a Security Administrator must run the Exec mode update local-user database CLI
command. When this command is executed, StarOS reads the database from the /flash directory, reconstructs
the database in the new format, and writes it back to the disk.
The database upgrade process does not automatically convert MD5 hashed passwords into the PBKDF2
format. StarOS continues to authenticate users using the old hash algorithm. It flags the users using the
old hash algorithm with a "Weak Hash" flag. This flag appears in the output of the show local-user
[verbose] Exec mode CLI command. When users log in again with their credentials, StarOS verifies the entered
password using the MD5 algorithm, then creates a new hash using the PBKDF2 algorithm and saves the
result in the database. StarOS then clears the "Weak Hash" flag for that user.
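The rehash-on-login migration described above, modeled as an added example (not StarOS code and not taken from the Cisco guide). The record layout, the random salt, the PBKDF2 parameters (HMAC-SHA256, 100,000 iterations), the function names and the sample users are assumptions; the page does not state them.

```python
import hashlib, hmac, os

# Assumed parameter: the page does not state what StarOS uses.
PBKDF2_ITERATIONS = 100_000

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hex(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()

def upgrade_database(db):
    """Rewrite records in the new format. MD5 hashes are one-way and
    cannot be converted, so those users are only flagged as weak."""
    for user in db.values():
        user.setdefault("salt", None)
        user["weak_hash"] = user["algo"] == "md5"

def login(db, name, password):
    user = db.get(name)
    if user is None:
        return False
    if user["algo"] == "md5":
        if not hmac.compare_digest(user["hash"], md5_hex(password)):
            return False
        # The plaintext is only available at this moment: rehash with
        # PBKDF2, store the result, and clear the weak-hash flag.
        salt = os.urandom(16)
        user.update(algo="pbkdf2", salt=salt,
                    hash=pbkdf2_hex(password, salt), weak_hash=False)
        return True
    return hmac.compare_digest(user["hash"], pbkdf2_hex(password, user["salt"]))

def weak_hash_users(db):
    """Users an administrator would still see flagged as weak."""
    return sorted(n for n, u in db.items() if u.get("weak_hash"))

def build_sample_db():
    # Constructed sample records (hypothetical users and passwords).
    return {
        "secadmin": {"algo": "md5", "hash": md5_hex("Constructed-Pw1")},
        "operator": {"algo": "md5", "hash": md5_hex("Constructed-Pw2")},
    }

if __name__ == "__main__":
    db = build_sample_db()
    upgrade_database(db)
    print("flagged after upgrade:", weak_hash_users(db))
    login(db, "secadmin", "Constructed-Pw1")
    print("flagged after secadmin login:", weak_hash_users(db))
```

Accounts that never log in after the upgrade keep their MD5 hash, so the flagged list doubles as an audit list of credentials still stored in the weak format.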
Important
Since hash functions are one-way, it is not possible to convert PBKDF2 hashed passwords to the MD5
format. The local-user database must be downgraded prior to reverting to StarOS releases prior to 20.0.
To downgrade the local-user database to use the MD5 hash algorithm, a Security Administrator must run the
Exec mode downgrade local-user database command. StarOS prompts for confirmation and requests the
Security Administrator to reenter a password. The entered password re-authenticates the user prior to executing
the downgrade command. After verification, the password is hashed using the appropriate old/weak hash
algorithm and saved in the database to allow earlier versions of StarOS to authenticate the Security
Administrator.
The downgrade process does not convert PBKDF2 hashed passwords to MD5 format. The downgrade process
re-reads the database (from the /flash directory), reconstructs the database in the older format, and writes it
back to the disk. Since the PBKDF2 hashed passwords cannot be converted to the MD5 hash algorithm, and
earlier StarOS releases cannot parse the PBKDF2 format, StarOS suspends all users whose passwords are
hashed with the PBKDF2 algorithm. Users whose passwords are hashed with the MD5 algorithm ("Weak Hash"
flag) can continue to log in with their credentials. After the system comes up with the earlier StarOS release,
suspended users can be identified in the output of the show local-user [verbose] command.
To reactivate suspended users, a Security Administrator can:
• Set temporary passwords for suspended users, using the Exec mode password change local-user username command.
• Reset the suspend flag for users, using the Configuration mode no suspend local-user username command.
Provisioning Lawful Intercept
Lawful Intercept (LI) functionality allows a network operator to intercept control and data messages to and
from targeted mobile users. Accompanied by a court order or warrant, a Law Enforcement Agency (LEA)
initiates a request for the network operator to start the interception for a particular mobile user.
There are different standards followed for Lawful Intercept in different countries. The LI Configuration Guide
describes how the feature works as well as how to configure and monitor the feature for each of the StarOS
services that support Lawful Intercept. This guide is not available on www.cisco.com. It can only be obtained
by contacting your Cisco account representative.
Security-related limitations on Lawful Intercept provisioning are described in the Lawful Intercept Restrictions
section of the System Security chapter.
ASR 5000 System Administration Guide, StarOS Release 21.1
System Settings