chap-md5 authentication
Arko
2007-01-06 17:07:33 UTC
I'm doing a connection to an APN by a second-layer GPRS modem. I have
implemented the PPP protocol with LCP and CHAP, and in this CHAP
authentication I have a problem. I am using CHAP-MD5. I have written an
algorithm to calculate the response to the challenge, but the value of this
response is incorrect. I have read that the response is calculated with the
session ID and secret and information received from the server (APN -
authenticator), but how?

Does anyone know how I can calculate this properly?

For any help I will be grateful.

Arko
James Carlson
2007-01-07 20:55:34 UTC
Post by Arko
I'm doing connection to apn by second layer gprs modem. I have implemented
PPP protocol with LCP and CHAP. And in this chap authentication I have
problem. Used by me is chap-md5. I have made this algorithm to calculate
response on challenge but value of this response is incorrect. I have read
that the response is calculated with session ID and secret and information
received from server (APN - authenticator), but how?.
Anyone knows how can I calculate this properly?
The first thing to check is whether the MD5 code you're using is
correct. There's a set of test vectors in RFC 1321. If your MD5
library isn't working, then you're not going to get CHAP working.

Assuming your MD5 code is correct, the information you need is in RFC
1994 section 4.1. In particular, if you were to receive a CHAP
Challenge message that looks like this (after removing any framing and
FCS in use):

FF 03 C2 23 01 01 00 08 01 02 03 04

That's a challenge value of "01 02 03 04" and an Identifier value of
01. You need to compute a CHAP Response based on your shared secret.
If that secret were "hello" (hex 68 65 6C 6C 6F), then you'd use this
as input to MD5:

01 68 65 6C 6C 6F 01 02 03 04

That MD5 hash is:

19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4

So, the CHAP Response you'd send would look like this:

FF 03 C2 23 02 01 00 14 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4

(You're aware that there's freely-available software that implements
all of this, and that you don't need to code it up yourself, right?)
--
James Carlson 42.703N 71.076W <***@workingcode.com>
Patrick Klos
2007-01-08 13:55:12 UTC
Post by James Carlson
Post by Arko
I'm doing connection to apn by second layer gprs modem. I have implemented
PPP protocol with LCP and CHAP. And in this chap authentication I have
problem. Used by me is chap-md5. I have made this algorithm to calculate
response on challenge but value of this response is incorrect. I have read
that the response is calculated with session ID and secret and information
received from server (APN - authenticator), but how?.
Anyone knows how can I calculate this properly?
The first thing to check is whether the MD5 code you're using is
correct. There's a set of test vectors in RFC 1321. If your MD5
library isn't working, then you're not going to get CHAP working.
Assuming your MD5 code is correct, the information you need is in RFC
1994 section 4.1. In particular, if you were to receive a CHAP
Challenge message that looks like this (after removing any framing and
FF 03 C2 23 01 01 00 08 01 02 03 04
That's a challenge value of "01 02 03 04" and an Identifier value of
01.
Slight typo. The value field must be preceded by a Value-Size byte,
so for a challenge value of "01 02 03 04", the packet should really look
like this:

FF 03 C2 23 01 01 00 09 04 01 02 03 04

(I adjusted the Length field and added the Value-Size byte)
Post by James Carlson
You need to compute a CHAP Response based on your shared secret.
If that secret were "hello" (hex 68 65 6C 6C 6F), then you'd use this
01 68 65 6C 6C 6F 01 02 03 04
19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4
FF 03 C2 23 02 01 00 14 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4
Again, the Value-Size byte must be added to make this packet correct:

FF 03 C2 23 02 01 00 15 10 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4
Post by James Carlson
(You're aware that there's freely-available software that implements
all of this, and that you don't need to code it up yourself, right?)
Awww, but where's the fun in that?!? ;^)

=========== For PPP Protocol Analysis, check out PacketView Pro! ===========
Patrick Klos Email: ***@klos.com
Klos Technologies, Inc. Web: http://www.klos.com/
============================================================================
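Added example (not part of the original thread and not any poster's code): a Python sketch of both sides of the CHAP-MD5 exchange discussed above, using the corrected packet layout with the Value-Size byte. The function names are hypothetical; the parser assumes framing and FCS are already removed and treats any bytes after the Value as the Name field, per RFC 1994.

```python
import hashlib
import hmac

PPP_CHAP_HEADER = bytes.fromhex("ff03c223")  # address, control, protocol C223
CHALLENGE, RESPONSE = 1, 2

def parse_chap(frame):
    """Parse a CHAP Challenge/Response (framing and FCS already removed).
    Returns (code, identifier, value, name); raises ValueError if malformed."""
    if len(frame) < 9 or frame[:4] != PPP_CHAP_HEADER:
        raise ValueError("not a CHAP packet")
    code, ident = frame[4], frame[5]
    length = int.from_bytes(frame[6:8], "big")  # covers Code through Name
    if code not in (CHALLENGE, RESPONSE):
        raise ValueError("not a Challenge or Response")
    if length < 5 or length > len(frame) - 4:
        raise ValueError("bad Length field")
    body = frame[8:4 + length]                  # Value-Size, Value, Name
    vsize = body[0]
    if vsize == 0 or vsize > len(body) - 1:
        raise ValueError("bad Value-Size")
    return code, ident, body[1:1 + vsize], body[1 + vsize:]

def chap_md5(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5 over Identifier, then secret, then Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def build_response(challenge_frame, secret, name=b""):
    """Peer side: answer a Challenge frame with a Response frame."""
    code, ident, challenge, _ = parse_chap(challenge_frame)
    if code != CHALLENGE:
        raise ValueError("expected a Challenge")
    digest = chap_md5(ident, secret, challenge)
    length = 4 + 1 + len(digest) + len(name)
    return (PPP_CHAP_HEADER + bytes([RESPONSE, ident]) + length.to_bytes(2, "big")
            + bytes([len(digest)]) + digest + name)

def verify_response(response_frame, ident, secret, challenge):
    """Authenticator side: recompute the hash and compare in constant time."""
    code, rid, value, _ = parse_chap(response_frame)
    expected = chap_md5(ident, secret, challenge)
    return code == RESPONSE and rid == ident and hmac.compare_digest(value, expected)

# Constructed sample: the corrected Challenge from the thread, secret "hello".
SAMPLE_CHALLENGE = bytes.fromhex("ff03c2230101000904" "01020304")
SAMPLE_RESPONSE = build_response(SAMPLE_CHALLENGE, b"hello")

if __name__ == "__main__":
    print(SAMPLE_RESPONSE.hex(" ").upper())
```

Feeding the first, uncorrected Challenge from the thread (Length 08, no Value-Size byte) to `parse_chap` yields a one-byte Value of 02 and a Name of 03 04, which shows how a missing Value-Size byte silently changes the hash input rather than producing an obvious error.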
James Carlson
2007-01-08 20:31:58 UTC
Post by Patrick Klos
Post by James Carlson
FF 03 C2 23 01 01 00 08 01 02 03 04
That's a challenge value of "01 02 03 04" and an Identifier value of
01.
Slight typo. The value field must be preceded by a Value-Size byte,
so for a challenge value of "01 02 03 04", the packet should really look
FF 03 C2 23 01 01 00 09 04 01 02 03 04
Dang. That's exactly what I'd intended to use, and I had a senior
moment.

Thanks for correcting and reading that closely. ;-}
Post by Patrick Klos
Post by James Carlson
(You're aware that there's freely-available software that implements
all of this, and that you don't need to code it up yourself, right?)
Awww, but where's the fun in that?!? ;^)
Apparently, all the fun is in staring at some packet traces wondering
why nothing is working right.
--
James Carlson 42.703N 71.076W <***@workingcode.com>
Unruh
2007-01-09 03:33:27 UTC
Post by James Carlson
Post by Patrick Klos
Post by James Carlson
FF 03 C2 23 01 01 00 08 01 02 03 04
That's a challenge value of "01 02 03 04" and an Identifier value of
01.
Slight typo. The value field must be preceded by a Value-Size byte,
so for a challenge value of "01 02 03 04", the packet should really look
FF 03 C2 23 01 01 00 09 04 01 02 03 04
Dang. That's exactly what I'd intended to use, and I had a senior
moment.
Thanks for correcting and reading that closely. ;-}
Post by Patrick Klos
Post by James Carlson
(You're aware that there's freely-available software that implements
all of this, and that you don't need to code it up yourself, right?)
Awww, but where's the fun in that?!? ;^)
Apparently, all the fun is in staring at some packet traces wondering
why nothing is working right.
Ah no, the fun is in putting out some system which implements your
particular variation of ppp to thousands of users and imagining them
staring at packet traces wondering why nothing is working right.
Arko
2007-01-09 06:56:26 UTC
Thanks
I've done and now it works fine.

Best Regards
Arko