From robert_graham@uhaul.com Mon Feb 23 21:48:22 2015 From: Robert Graham To: freeradius-users@lists.freeradius.org Subject: Salted SHA security Date: Mon, 23 Feb 2015 13:48:07 -0700 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7213717758603645013==" --===============7213717758603645013== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Question for the Freeradius programmers/admins: How does the authentication for the Salted SHA-512 get handled? Yes, I know you can pull the hashed/salted password from a sql database or locally, but how does the FreeRadius server compare the users input password which would only be the first 64 bytesand the rest being the salt, when the user has only entered in their username and password at the prompts (I.E. mobile devices or laptops). Doesnt the server need to have the users password and salt to be able to compare the pulled password with the entered in password? Ive been trying to do the format that was discussed earlier by changing our code to be hash/salt appended not prepended, and by using Arrans suggestions of: update control { SSHA2-512-Password := "0x%{sql:query to get hash in hex concatenated with salt in hex}" or update control { Tmp-String-0 := "%{sql:SELECT hash FROM WHERE }" Tmp-String-1 := "%{sql:SELECT salt FROM
WHERE }" } update control { SSHA2-512-Password := "0x%{control:Tmp-String-0}%{control:Tmp-String-1}" If I use radtest everything works just fine locally, but once PEAP is integrated into the mix, it fails (i.e. laptop,cell phone). Am I reading the protocol compability matrix incorrectly then? Robert Graham Network Engineer U-Haul International 2727 N. Central Ave Phoenix, AZ 85004 --===============7213717758603645013==-- From a.cudbardb@freeradius.org Mon Feb 23 22:29:47 2015 From: Arran Cudbard-Bell To: freeradius-users@lists.freeradius.org Subject: Re: Salted SHA security Date: Mon, 23 Feb 2015 16:29:57 -0500 Message-ID: <951A8073-8275-4E6E-A62B-18CBBA459805@freeradius.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5054582437773924821==" --===============5054582437773924821== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit > On 23 Feb 2015, at 15:48, Robert Graham wrote: > > Question for the Freeradius programmers/admins: > > How does the authentication for the Salted SHA-512 get handled? > > Yes, I know you can pull the hashed/salted password from a sql database or > locally, but how does the FreeRadius server compare the users input > password which would only be the first 64 bytesand the rest being the > salt, when the user has only entered in their username and password at the > prompts (I.E. mobile devices or laptops). Doesnt the server need to have > the users password and salt to be able to compare the pulled password with > the entered in password? It needs the user's plaintext password yes. For EAP you'd need to use EAP-TTLS-PAP or some other method that'd give you the plaintext password. EAP-PEAP wraps MSCHAPv2 in TLS, and MSCHAPv2 doesn't give you the plaintext password. > If I use radtest everything works just fine locally, Great > but once PEAP is > integrated into the mix, it fails (i.e. laptop,cell phone). Am I reading > the protocol compability matrix incorrectly then? Yep. EAP-PEAP will only work if in the database, the user's password is MD4 hashed or it's in plaintext. There's a great article here which shows why knowing the MD4 password works: https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ ...and also shows why MSCHAPv2 isn't a great idea unless you can guarantee the TLS tunnel it established with a trusted party. If you could give us an idea of the client systems that'll be authenticating we might be able to offer suggestions on what EAP flavour/supplicant might work. -Arran Arran Cudbard-Bell FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 --===============5054582437773924821== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcvTWFjR1BHMiB2Mi4w LjI2CkNvbW1lbnQ6IEdQR1Rvb2xzIC0gaHR0cDovL2dwZ3Rvb2xzLm9yZwoKaVFJY0JBRUJBZ0FH QlFKVTY1dlZBQW9KRVArazFZS2Z0dGZLd09ZUC8zdSt6a3lFYm1Md0Y0NGhWclNONXFrMwpvNzFw MlVQdFBNMHpCY3VUOGFocDRLT0RNdWMwWFdpSEZXRzNZM1FySmlJSkxYdG1OSGljNnhBTmxMMVpB R05rCkNFRHhlK1duZFZxaCtaTHdycTU4OGpjNC95aTVvaG0weXJkZ2xjVGdsVk9Bd2oyUk43cEhv M2h2QXhQampxRWoKQ2daNVp2ME5lMzVOZzVLU0dMNkVsL0dLN2lRRTdCTlJyOU1hVFRNMkNVdUN2 TEV2ZnhLdTVpOUxrenh5b25DMQpJeFhKbmpnOHhkaHpxc1hJd3MyMUIzczRqenNoTW1veU5aajgx T2ZiS2F5ZUlKNzFTRjRjOHgyc0RPWnp3eGpSCmppdklMbHRJWGFyVkZwNVFLTytJQkllK3VScjcw RVplVk1RV1B3b29uQ2dKTUJYT1hUOGNSOXVMMFdTZ1VhTVoKRkp0NUxtYU1IUVVxZmVFbmNNUEYv TjRxck5RSXVvVENjQkNxNTFJbHdjSnNzVFoxUEFzeU85Tmg3TzgwbnRtZwpkb3hnUnlSRSsvTHgx ZUhiS2hZdWZBa3ZXK2UvbXhKZlZ1VWxtZWFHMGR2WlBMMGlXOStXT1ZBV2ZQeStJVmpvCnlrN29n M1g2YklLZGNjVVBpOE5WNUVmbWNrc3VDRUtwOWxhQXdpNFZiNWZROXBtcjNuOUxXRzlQYmx6QTN0 eGwKSmZ1eGdVb1JBZ1hZbkt2SDhtVlVseC9aZTNOamFFbWdjUkhmMU0wUTU2Y0g0RUR0MjVEUThY dkpTZDJNbGFweQoyZnB5dFpSVzhIKzUwWXI3TjhpYjFlWTNxSWRBQUtMeEZ0dTRlRVJnSDk5SnFw RDdYVjJNK2swVW5Va05DNHdXCnNubWpIUDlZMDRpUmlsdnNMUUtCCj1KQzdOCi0tLS0tRU5EIFBH UCBTSUdOQVRVUkUtLS0tLQo= --===============5054582437773924821==-- From aland@deployingradius.com Mon Feb 23 22:33:26 2015 From: Alan DeKok To: freeradius-users@lists.freeradius.org Subject: Re: Salted SHA security Date: Mon, 23 Feb 2015 16:33:20 -0500 Message-ID: <540C4C23-328E-4E5B-ABB2-E036403C636C@deployingradius.com> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4156710018330680981==" --===============4156710018330680981== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable On Feb 23, 2015, at 3:48 PM, Robert Graham wrote: > How does the authentication for the Salted SHA-512 get handled? Correctly? > Yes, I know you can pull the hashed/salted password from a sql database or > locally, but how does the FreeRadius server compare the users input > password which would only be the first 64 bytesand the rest being the > salt, when the user has only entered in their username and password at the > prompts (I.E. mobile devices or laptops). Doesnt the server need to have > the users password and salt to be able to compare the pulled password with > the entered in password? Please use standard terminology. That makes it easier to understand. The SSHA-Password is then password taken from (e.g.) a database. It=E2=80= =99s called =E2=80=9CSSHA=E2=80=9D password because it contains a salt, and a= SHA hash of the salt and the password. The User-Password is what the user entered when they tried to log in. You can compare the two by doing a SHA hash of the salt and User-Password. = If the result is the same as the SSHA-Password, then the User-Password is co= rrect. Otherwise, it=E2=80=99s not. > If I use radtest everything works just fine locally, but once PEAP is > integrated into the mix, it fails (i.e. laptop,cell phone). Am I reading > the protocol compability matrix incorrectly then? I have no idea. You=E2=80=99re not saying what part of the matrix you=E2= =80=99re reading, or what conclusions you draw from it. In short, PEAP is incompatible with salted passwords. SMD5, SSHA, SSHA512,= etc. None of them will work with PEAP. Alan DeKok. --===============4156710018330680981==--