Aug 10 2011

Long time no blog…..

Recently I checked some two-factor authentication providers. The most popular, which got hacked lately, is RSA. Other competitors are Vasco, Aladdin (now Safenet), ActiveIdentity and Kobil. I thought I could write one myself when there was nothing on TV.

There are two different approaches to solving the “generate new password” problem: Timebased vs. Eventbased (and mixed mode). A timebased system generates a new password based on the current time. RSA, for example, will generate a new password every 30 or 60 seconds. Eventbased systems, like Kobil, generate a new password whenever a user needs one (on demand). Both systems have pros and cons, and maybe that is the reason why there are mixed mode systems, too. They generate passwords based on events and time. I will not cover these in detail.

Whether you use time- or eventbased systems, there is always a “seed”, a given start value which basically is the secret/password. In most systems this seed will get hashed X times, where X is the time or event number. The X-times hashed seed is the password. As there is no way of reversing a hash, you cannot hack a token. You could brute force a hash, but you would need a lot of time, because you need the EXACT hash (not just a collision) and this is not very likely if you use modern hashing algorithms like SHA-512.

The formula might look like this on a timebased system:

Interval: 60 seconds
(Time from 01.01.1970 until now) / Interval = X
CurrentPassword=SHA512(seed) // do this "X" times

If you want to speed things up, you could use this, too:

Interval: 60 seconds
(Time from 01.01.1970 until now) / Interval = X

So all you need is a device to compute the algorithm with a given seed. On a smartphone for example you could easily do this in software (called a softtoken, because you have no physical hardware).
So on one side, you need the Radius-Server, a device to store the passwords and deny or allow access to a device. On the other side you need a Radius-Client, asking the Server for permission with a given Username/Password combination. In my case I have a Sonicwall SSL VPN gateway, and some Cisco and Juniper devices (Radius-Clients). Most of the networking hardware uses Radius or TACACS+ for remote authentication (vs. a local database). As a Radius-Server I chose Linux and FreeRadius, because both are free and feature-rich.

The /etc/freeradius/users file looks like this:
alice Cleartext-Password := "secretpassword"

Abstract login:
Smartphone computing Hash(=password) -> Login on Cisco device -> Cisco device asks Radius-Server -> Radius-Server checks local DB and denies/accepts request

If you could use existing hardware like Smartphones, Linux, FreeRadius and SHA-512, how much effort do you need to set up your own Tokensystem?
What would you need? A piece of software to generate the Token based on the seed on the server and client. A scheduled job to update the FreeRadius users file with the new password. That's it.
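
The two pieces listed above, as an added example in Python (not the author's software): the timebased formula from earlier in the post and the line a scheduled job would write into the users file. In the chained formula each password is one SHA-512 of the previous one, so the block also includes a keyed variant (HMAC over X); that variant, the function names and the seed are assumptions made for this example.

```python
import hashlib
import hmac

INTERVAL = 60  # seconds, as in the post's formula


def counter(now, interval=INTERVAL):
    """X = whole intervals elapsed since 01.01.1970."""
    return int(now) // interval


def chained_token(seed, x):
    """The post's formula: SHA-512 applied to the seed X times."""
    if x < 1:
        raise ValueError("X must be at least 1")
    digest = seed
    for _ in range(x):
        digest = hashlib.sha512(digest).digest()
    return digest.hex()


def successor(password_hex):
    """One more SHA-512 round over a chained password.

    chained_token(seed, x + 1) equals successor(chained_token(seed, x)),
    so in the chained scheme the password for interval X fixes the one
    for X + 1 without the seed being involved.
    """
    return hashlib.sha512(bytes.fromhex(password_hex)).hexdigest()


def keyed_token(seed, x):
    """Assumed alternative (not from the post): HMAC-SHA512 keyed with the
    seed over the 8-byte counter. One call per password, and consecutive
    passwords are not derivable from each other."""
    return hmac.new(seed, x.to_bytes(8, "big"), hashlib.sha512).hexdigest()


def users_entry(user, password):
    """Line for /etc/freeradius/users, in the format shown in the post."""
    return f'{user} Cleartext-Password := "{password}"'


if __name__ == "__main__":
    seed = b"constructed-demo-seed"   # constructed sample value
    x = counter(600)                  # constructed timestamp -> X = 10
    print(users_entry("alice", keyed_token(seed, x)))
```

With a real timestamp X is in the tens of millions, so `chained_token` runs that many hash rounds per password while `keyed_token` runs one HMAC.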

It took around 3 hours until I got the software running in Linux and Android, 3 hours for the FreeRadius configuration and 2 hours of “less productive” designing and debugging. Now I got my two factor authentication up and running.