chap-md5 authentication - PPP


Thread: chap-md5 authentication

  1. chap-md5 authentication

    I'm doing connection to apn by second layer gprs modem. I have implemented
    PPP protocol with LCP and CHAP. And in this chap authentication I have
    problem. Used by me is chap-md5. I have made this algorithm to calculate
    response on challenge but value of this response is incorrect. I have read
    that the response is calculated with session ID and secret and information
    received from server (APN - authenticator), but how?

    Anyone knows how can I calculate this properly?

    For any help I will be grateful.

    Arko




  2. Re: chap-md5 authentication

    "Arko" writes:
    > I'm doing connection to apn by second layer gprs modem. I have implemented
    > PPP protocol with LCP and CHAP. And in this chap authentication I have
    > problem. Used by me is chap-md5. I have made this algorithm to calculate
    > response on challenge but value of this response is incorrect. I have read
    > that the response is calculated with session ID and secret and information
    > received from server (APN - authenticator), but how?
    >
    > Anyone knows how can I calculate this properly?


    The first thing to check is whether the MD5 code you're using is
    correct. There's a set of test vectors in RFC 1321. If your MD5
    library isn't working, then you're not going to get CHAP working.

    Assuming your MD5 code is correct, the information you need is in RFC
    1994 section 4.1. In particular, if you were to receive a CHAP
    Challenge message that looks like this (after removing any framing and
    FCS in use):

    FF 03 C2 23 01 01 00 08 01 02 03 04

    That's a challenge value of "01 02 03 04" and an Identifier value of
    01. You need to compute a CHAP Response based on your shared secret.
    If that secret were "hello" (hex 68 65 6C 6C 6F), then you'd use this
    as input to MD5:

    01 68 65 6C 6C 6F 01 02 03 04

    That MD5 hash is:

    19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4

    So, the CHAP Response you'd send would look like this:

    FF 03 C2 23 02 01 00 14 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4

    (You're aware that there's freely-available software that implements
    all of this, and that you don't need to code it up yourself, right?)

    --
    James Carlson 42.703N 71.076W

  3. Re: chap-md5 authentication [slight typo]

    In article ,
    James Carlson wrote:
    >"Arko" writes:
    >> I'm doing connection to apn by second layer gprs modem. I have implemented
    >> PPP protocol with LCP and CHAP. And in this chap authentication I have
    >> problem. Used by me is chap-md5. I have made this algorithm to calculate
    >> response on challenge but value of this response is incorrect. I have read
    >> that the response is calculated with session ID and secret and information
    >> received from server (APN - authenticator), but how?
    >>
    >> Anyone knows how can I calculate this properly?

    >
    >The first thing to check is whether the MD5 code you're using is
    >correct. There's a set of test vectors in RFC 1321. If your MD5
    >library isn't working, then you're not going to get CHAP working.
    >
    >Assuming your MD5 code is correct, the information you need is in RFC
    >1994 section 4.1. In particular, if you were to receive a CHAP
    >Challenge message that looks like this (after removing any framing and
    >FCS in use):
    >
    > FF 03 C2 23 01 01 00 08 01 02 03 04
    >
    >That's a challenge value of "01 02 03 04" and an Identifier value of
    >01.


    Slight typo. The value field must be preceded by a Value-Size byte,
    so for a challenge value of "01 02 03 04", the packet should really look
    like this:

    FF 03 C2 23 01 01 00 09 04 01 02 03 04

    (I adjusted the Length field and added the Value-Size byte)

    >You need to compute a CHAP Response based on your shared secret.
    >If that secret were "hello" (hex 68 65 6C 6C 6F), then you'd use this
    >as input to MD5:
    >
    > 01 68 65 6C 6C 6F 01 02 03 04
    >
    >That MD5 hash is:
    >
    > 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4
    >
    >So, the CHAP Response you'd send would look like this:
    >
    > FF 03 C2 23 02 01 00 14 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4


    Again, the Value-Size byte must be added to make this packet correct:

    FF 03 C2 23 02 01 00 15 10 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4

    >(You're aware that there's freely-available software that implements
    >all of this, and that you don't need to code it up yourself, right?)


    Awww, but where's the fun in that?!? ;^)

    =========== For PPP Protocol Analysis, check out PacketView Pro! ===========
    Patrick Klos Email: patrick@klos.com
    Klos Technologies, Inc. Web: http://www.klos.com/
    ================================================== ==========================
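
Added example (not part of the original thread or any poster's code): a Python sketch of the procedure discussed above, checking MD5 against RFC 1321 vectors, parsing the corrected Challenge with its Value-Size byte, and building the Response. Function and constant names are assumptions chosen for illustration; the frame and the secret "hello" are the ones used in the thread.

```python
import hashlib
import struct

PPP_CHAP = bytes.fromhex("FF03C223")   # address, control, protocol 0xC223
CHALLENGE, RESPONSE = 1, 2             # CHAP Code values (RFC 1994)

# Known MD5 test vectors from RFC 1321, for checking the MD5 routine first.
RFC1321 = {b"": "d41d8cd98f00b204e9800998ecf8427e",
           b"abc": "900150983cd24fb0d6963f7d28e17f72"}

def md5_ok(md5=lambda data: hashlib.md5(data).digest()):
    """True if the supplied MD5 routine reproduces the RFC 1321 vectors."""
    return all(md5(m).hex() == h for m, h in RFC1321.items())

def parse_challenge(frame):
    """Return (identifier, challenge value, name) from an unframed Challenge."""
    if frame[:4] != PPP_CHAP or len(frame) < 9:
        raise ValueError("not a CHAP packet")
    pkt = frame[4:]
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != CHALLENGE or not 5 <= length <= len(pkt):
        raise ValueError("bad Code or Length")
    vsize = pkt[4]                     # Value-Size precedes the value
    if vsize == 0 or 5 + vsize > length:
        raise ValueError("bad Value-Size")
    return ident, pkt[5:5 + vsize], pkt[5 + vsize:length]

def chap_md5(ident, secret, challenge):
    """MD5 over Identifier, then secret, then challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def build_response(frame, secret, name=b""):
    """Build the unframed CHAP Response answering a Challenge frame."""
    ident, challenge, _peer = parse_challenge(frame)
    digest = chap_md5(ident, secret, challenge)
    body = bytes([len(digest)]) + digest + name   # Value-Size, Value, Name
    header = struct.pack("!BBH", RESPONSE, ident, 4 + len(body))
    return PPP_CHAP + header + body

# The corrected Challenge from the thread; "hello" is the thread's secret.
CHALLENGE_FRAME = bytes.fromhex("FF03C223010100090401020304")

if __name__ == "__main__":
    assert md5_ok()
    print(build_response(CHALLENGE_FRAME, b"hello").hex(" ").upper())
```

Fed the first, uncorrected frame (Length 08, no Value-Size byte), `parse_challenge` reads 01 as the Value-Size and returns a one-byte challenge 02 with 03 04 as the name, which is the kind of silent mismatch that leaves both ends computing different hashes.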

  4. Re: chap-md5 authentication [slight typo]

    pklos@osmium.mv.net (Patrick Klos) writes:
    > > FF 03 C2 23 01 01 00 08 01 02 03 04
    > >
    > >That's a challenge value of "01 02 03 04" and an Identifier value of
    > >01.

    >
    > Slight typo. The value field must be preceded by a Value-Size byte,
    > so for a challenge value of "01 02 03 04", the packet should really look
    > like this:
    >
    > FF 03 C2 23 01 01 00 09 04 01 02 03 04


    Dang. That's exactly what I'd intended to use, and I had a senior
    moment.

    Thanks for correcting and reading that closely. ;-}

    > >(You're aware that there's freely-available software that implements
    > >all of this, and that you don't need to code it up yourself, right?)

    >
    > Awww, but where's the fun in that?!? ;^)


    Apparently, all the fun is in staring at some packet traces wondering
    why nothing is working right.

    --
    James Carlson 42.703N 71.076W

  5. Re: chap-md5 authentication [slight typo]

    James Carlson writes:

    >pklos@osmium.mv.net (Patrick Klos) writes:
    >> > FF 03 C2 23 01 01 00 08 01 02 03 04
    >> >
    >> >That's a challenge value of "01 02 03 04" and an Identifier value of
    >> >01.

    >>
    >> Slight typo. The value field must be preceded by a Value-Size byte,
    >> so for a challenge value of "01 02 03 04", the packet should really look
    >> like this:
    >>
    >> FF 03 C2 23 01 01 00 09 04 01 02 03 04


    >Dang. That's exactly what I'd intended to use, and I had a senior
    >moment.


    >Thanks for correcting and reading that closely. ;-}


    >> >(You're aware that there's freely-available software that implements
    >> >all of this, and that you don't need to code it up yourself, right?)

    >>
    >> Awww, but where's the fun in that?!? ;^)


    >Apparently, all the fun is in staring at some packet traces wondering
    >why nothing is working right.


    Ah no, the fun is in putting out some system which implements your
    particular variation of ppp to thousands of users and imagining them
    staring at packet traces wondering why nothing is working right.

    >--
    >James Carlson 42.703N 71.076W


  6. Re: chap-md5 authentication [slight typo]

    Thanks
    I've done it and now it works fine.

    Best Regards
    Arko

    "Patrick Klos" wrote in message
    news:entifv$1del$1@pyrite.mv.net...
    > In article ,
    > James Carlson wrote:
    >>"Arko" writes:
    >>> I'm doing connection to apn by second layer gprs modem. I have
    >>> implemented
    >>> PPP protocol with LCP and CHAP. And in this chap authentication I have
    >>> problem. Used by me is chap-md5. I have made this algorithm to calculate
    >>> response on challenge but value of this response is incorrect. I have
    >>> read
    >>> that the response is calculated with session ID and secret and
    >>> information
    >>> received from server (APN - authenticator), but how?
    >>>
    >>> Anyone knows how can I calculate this properly?

    >>
    >>The first thing to check is whether the MD5 code you're using is
    >>correct. There's a set of test vectors in RFC 1321. If your MD5
    >>library isn't working, then you're not going to get CHAP working.
    >>
    >>Assuming your MD5 code is correct, the information you need is in RFC
    >>1994 section 4.1. In particular, if you were to receive a CHAP
    >>Challenge message that looks like this (after removing any framing and
    >>FCS in use):
    >>
    >> FF 03 C2 23 01 01 00 08 01 02 03 04
    >>
    >>That's a challenge value of "01 02 03 04" and an Identifier value of
    >>01.

    >
    > Slight typo. The value field must be preceded by a Value-Size byte,
    > so for a challenge value of "01 02 03 04", the packet should really look
    > like this:
    >
    > FF 03 C2 23 01 01 00 09 04 01 02 03 04
    >
    > (I adjusted the Length field and added the Value-Size byte)
    >
    >>You need to compute a CHAP Response based on your shared secret.
    >>If that secret were "hello" (hex 68 65 6C 6C 6F), then you'd use this
    >>as input to MD5:
    >>
    >> 01 68 65 6C 6C 6F 01 02 03 04
    >>
    >>That MD5 hash is:
    >>
    >> 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4
    >>
    >>So, the CHAP Response you'd send would look like this:
    >>
    >> FF 03 C2 23 02 01 00 14 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09 B4

    >
    > Again, the Value-Size byte must be added to make this packet correct:
    >
    > FF 03 C2 23 02 01 00 15 10 19 DB 7B EC D3 7C B9 DA 91 67 76 D0 23 78 09
    > B4
    >
    >>(You're aware that there's freely-available software that implements
    >>all of this, and that you don't need to code it up yourself, right?)

    >
    > Awww, but where's the fun in that?!? ;^)
    >
    > =========== For PPP Protocol Analysis, check out PacketView Pro!
    > ===========
    > Patrick Klos Email: patrick@klos.com
    > Klos Technologies, Inc. Web: http://www.klos.com/
    > ================================================== ==========================



