[Chilli] CoovaChilli uam secret / RADIUS secret causing

Luis Ferreira lferreira at cabocom.cv
Tue Apr 29 21:59:23 UTC 2014


This is by design to increase security on a CHAP.

Imagine the following:
In your design, I could sniff the network traffic, and knowing an account
password (a subscriber's), the computer MAC and the generated hash, I could
possibly reverse engineer to get your RADIUS secret.
Then, with the RADIUS secret, I could sniff for other accounts' passwords,
since I could see the MAC, secret and encrypted hash, or even worse things.

But obviously, while true and possible, I don't know up to what point someone
will spend his time doing that (except me on a boring weekend :) )

Luis


-----Original message-----
From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On behalf of
james at purple.so
Sent: 29 April 2014 20:29
To: chilli at coova.org
Subject: Re: [Chilli] CoovaChilli uam secret / RADIUS secret causing

Hi Luis

Thanks very much for your reply.

Yes, I had thought this may be the issue, but I assumed that coova does not
re-generate a new challenge for every HTTP request a client makes. To test,
I opened 10 tabs in my browser, and 5 tabs in another browser, and the
"challenge" value in the URL was the same across them all. We notice the
challenge does change after around 10 minutes though (it must time out)...

We've recently modified the coova code to generate the challenge based on
something more unique to the user (their MAC address, plus a secret, then
hashed), rather than what coova uses by default (a 16 character string from
/dev/random), so now, the challenge is unique per client MAC, and therefore
no matter what sessions they have open it will always be the same
"challenge". Does that make sense? Even if they return in 1 hour, the
challenge is the same, and only we know what the challenge is made up from
on our external splash page side.

But, I think coova should ensure that the same challenge is given to the
same client MAC, as without it, it's near impossible to know which challenge
to use as the correct one when encrypting the password to send back to coova
for the login (we use an external splash page).

What are your thoughts?

Thanks

James
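
Added example, not part of either message and not CoovaChilli's own code: it contrasts the default random challenge with the MAC-derived challenge discussed above and checks whether a CHAP response observed in one session would still verify in a later one. The response formula, the use of MD5 for the MAC-derived challenge, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def uam_chap_response(challenge: bytes, uam_secret: bytes, password: bytes) -> bytes:
    """Assumed UAM construction: MD5(0x00 || password || MD5(challenge || uamsecret))."""
    mixed = hashlib.md5(challenge + uam_secret).digest()
    return hashlib.md5(b"\x00" + password + mixed).digest()

def random_challenge() -> bytes:
    """Default behaviour described in the thread: 16 fresh random bytes."""
    return os.urandom(16)

def mac_derived_challenge(mac: str, site_secret: bytes) -> bytes:
    """Modified scheme from the thread: hash of MAC plus a secret (MD5 assumed)."""
    return hashlib.md5(mac.lower().encode() + site_secret).digest()

def replay_accepted(captured: bytes, current_challenge: bytes,
                    uam_secret: bytes, password: bytes) -> bool:
    """Would a response captured earlier still verify against the current challenge?"""
    expected = uam_chap_response(current_challenge, uam_secret, password)
    return hmac.compare_digest(captured, expected)

def compare_schemes() -> dict:
    # Constructed sample values, not taken from the thread.
    uam_secret, site_secret = b"example-uamsecret", b"example-site-secret"
    mac, password = "00-11-22-33-44-55", b"subscriber-password"

    # Session 1: an observer on the network records the response.
    static_capture = uam_chap_response(
        mac_derived_challenge(mac, site_secret), uam_secret, password)
    random_capture = uam_chap_response(random_challenge(), uam_secret, password)

    # Session 2 (any time later): is the recorded value still a valid login?
    return {
        "mac_derived": replay_accepted(
            static_capture, mac_derived_challenge(mac, site_secret),
            uam_secret, password),
        "random": replay_accepted(
            random_capture, random_challenge(), uam_secret, password),
    }

if __name__ == "__main__":
    print(compare_schemes())  # {'mac_derived': True, 'random': False}
```

A response that stays valid across sessions is the property a fresh per-session challenge is meant to prevent.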

