How to enable Freeradius to support a smart card with AES encryption algorithm?

yao guoxian yaoguoxian at gmail.com
Thu Feb 1 13:50:19 CET 2007


Hi!
    I have a smart card emulator which supports AES, not the MD5 encryption
algorithm. Is it possible to enable Freeradius to support my smart card
emulator?
    I have an idea as follows:
    First, amending the client agent (NAS) daemon program to make it send a
chap-password which is produced with AES, not MD5. The usual md5
chap-password is produced as MD5(user-packet-ID + user-secret + 16 bytes
authenticator), while the aes chap-password is produced as AES(16 bytes
authenticator) using user-secret as key. The usual md5 chap-password attribute
in an Access Request packet is as follows:
__________________________________________________

|  code = 3  |  Length = 19  |  user-packet-ID  |  16 bytes value  |
__________________________________________________
The aes chap-password replaces the 16 bytes value (MD5(
user-packet-ID + user-secret + 16 bytes authenticator)) with AES(16 bytes
authenticator).
    Second, amending rlm-chap.c to alter it to use AES to analyze the
request packet.
    Is it practical? I would appreciate any suggestions.

regards
Guoxian
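
The attribute layout and MD5 computation described in the message above, as an added Python example that is not part of the original post and is not FreeRADIUS code. The function names and the `respond` parameter are assumptions made for illustration: `respond` marks the single place where both the NAS and the server would have to substitute the same alternative 16-byte computation. The sample secret and authenticator are constructed values.

```python
import hashlib
import hmac
import struct

CHAP_PASSWORD = 3        # RADIUS attribute type for CHAP-Password
CHAP_PASSWORD_LEN = 19   # type + length + CHAP ident + 16-byte response


def chap_md5_response(chap_id, secret, challenge):
    """Standard CHAP response: MD5(ident || user secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def build_chap_password(chap_id, secret, challenge, respond=chap_md5_response):
    """NAS side: encode type, length, ident and the 16-byte response."""
    value = respond(chap_id, secret, challenge)
    if len(value) != 16:
        raise ValueError("response must be exactly 16 bytes to fit the attribute")
    return struct.pack("!BBB", CHAP_PASSWORD, CHAP_PASSWORD_LEN, chap_id) + value


def parse_chap_password(attr):
    """Return (ident, response); raise ValueError on a malformed attribute."""
    if len(attr) != CHAP_PASSWORD_LEN:
        raise ValueError("CHAP-Password must be 19 bytes")
    a_type, a_len, chap_id = struct.unpack("!BBB", attr[:3])
    if a_type != CHAP_PASSWORD or a_len != CHAP_PASSWORD_LEN:
        raise ValueError("not a CHAP-Password attribute")
    return chap_id, attr[3:]


def verify_chap_password(attr, secret, challenge, respond=chap_md5_response):
    """Server side: recompute from the stored secret, compare in constant time."""
    chap_id, received = parse_chap_password(attr)
    expected = respond(chap_id, secret, challenge)
    return hmac.compare_digest(expected, received)


# Constructed sample values, not taken from any real exchange.
SAMPLE_SECRET = b"example-user-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))  # 16-byte authenticator used as challenge

if __name__ == "__main__":
    attr = build_chap_password(0x2A, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    print(attr.hex())
    print(verify_chap_password(attr, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR))
```

A response built with one `respond` function fails verification under another, so the NAS and the server module have to be changed together.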