No implement crypto binding #1
Comments
|
Certificate hash is verifed since 1aa9a51. For |
|
Hi @sorz, To my understanding, the Higher Layer Authentication Key (HLAK) can not be snooped/derived from the authentication data flow (as the keys are not transferred over the wire). They can only be obtained from the process that created/maintains them (thus ppp daemon; or possibly in linux from the ppp_mppe kernel driver). The sstp-client project dealt with the same difficulty, and implemented a solution by creating a special ppp plugin (called sstp-plugin), that snoops outgoing ppp packets for (CHAP) authentication success, if then the mppe send/recv keys are set by ppp it will expose them to the sstp-client program (by means of a unix socket), allowing to calculate the crypto bindings. I made an implementation for sstp-server using that same technique (reusing their ppp plugin, and adding a unix socket to listen on). Thus it adds crypto binding support for both SHA-1 and SHA-256 operations, for MS-CHAPv2 and EAP-TLS (using MPPE Master{Send,Recv}Key). Normal EAP uses Client Master Session Key and Server Master Session Key, which are not captured by the sstp-plugin. The implementation has been tested with the linux sstp-client, and microsoft sstp clients (w8 and w10). Let me know if you are interested... |
|
Thanks! You are right, these keys must not be snoopsable otherwise the crypto binding is meaningless. |
Implements the Crypto Binding Compound MAC (CMAC) verification, when the Crypto Binding Attribute is present in the SSTP Call Connected message. The PPP (sub)process passes the MPPE send/receive keys when CHAP authentication succeeds. When received by sstp-server, it installs them as the Higher Layer Key (HLAK). In server mode the HLAK is obtained by concatenating the master receive key with the send key. Ensure the key is 32 bytes long (should be the case for MPPE) - zero-padded if needed. The Crypto Binding CMAC is (re)calculated on server side and compared with the value present in the Crypto Binding Attribute. In case they do not match the connection is aborted. CMAC uses HMAC using the Crypto Binding Hash algorithm negotiated (SHA1 or SHA256). Input for HMAC is the complete SSTP Call Connected message, with CMAC field in Crypto Binding Attribute zeroed out. The key for the HMAC operation is obtained using the PRF algorithm based on PRF+ from IKEv2, called the Compound Mac Key (CMK). CMK is obtained from the first iteration of PRF using the same HMAC cryptographic operation. Input for CMK is the CMK seed 'SSTP inner method derived CMK' concatenated with the little endian formatted length of the cryptographic hash used and the iteration number, whereas the key is HLAK. In order to support sstp-server without sstp-pppd-plugin.so, CMAC is not verified when plugin is not available. Resolves sorz#1 Signed-off-by: Tijs Van Buggenhout <tijs.van.buggenhout@axsguard.com>
Implements the Crypto Binding Compound MAC (CMAC) verification, when the Crypto Binding Attribute is present in the SSTP Call Connected message. The PPP (sub)process passes the MPPE send/receive keys when CHAP authentication succeeds. When received by sstp-server, it installs them as the Higher Layer Key (HLAK). In server mode the HLAK is obtained by concatenating the master receive key with the send key. Ensure the key is 32 bytes long (should be the case for MPPE) - zero-padded if needed. The Crypto Binding CMAC is (re)calculated on server side and compared with the value present in the Crypto Binding Attribute. In case they do not match the connection is aborted. CMAC uses HMAC using the Crypto Binding Hash algorithm negotiated (SHA1 or SHA256). Input for HMAC is the complete SSTP Call Connected message, with CMAC field in Crypto Binding Attribute zeroed out. The key for the HMAC operation is obtained using the PRF algorithm based on PRF+ from IKEv2, called the Compound Mac Key (CMK). CMK is obtained from the first iteration of PRF using the same HMAC cryptographic operation. Input for CMK is the CMK seed 'SSTP inner method derived CMK' concatenated with the little endian formatted length of the cryptographic hash used and the iteration number, whereas the key is HLAK. In order to support sstp-server without sstp-pppd-plugin.so, CMAC is not verified when plugin is not available. Resolves sorz#1 Signed-off-by: Tijs Van Buggenhout <tijs.van.buggenhout@axsguard.com>
Implements the Crypto Binding Compound MAC (CMAC) verification, when the Crypto Binding Attribute is present in the SSTP Call Connected message. The PPP (sub)process passes the MPPE send/receive keys when CHAP authentication succeeds. When received by sstp-server, it installs them as the Higher Layer Key (HLAK). In server mode the HLAK is obtained by concatenating the master receive key with the send key. Ensure the key is 32 bytes long (should be the case for MPPE) - zero-padded if needed. The Crypto Binding CMAC is (re)calculated on server side and compared with the value present in the Crypto Binding Attribute. In case they do not match the connection is aborted. CMAC uses HMAC using the Crypto Binding Hash algorithm negotiated (SHA1 or SHA256). Input for HMAC is the complete SSTP Call Connected message, with CMAC field in Crypto Binding Attribute zeroed out. The key for the HMAC operation is obtained using the PRF algorithm based on PRF+ from IKEv2, called the Compound Mac Key (CMK). CMK is obtained from the first iteration of PRF using the same HMAC cryptographic operation. Input for CMK is the CMK seed 'SSTP inner method derived CMK' concatenated with the little endian formatted length of the cryptographic hash used and the iteration number, whereas the key is HLAK. In order to support sstp-server without sstp-pppd-plugin.so, CMAC is not verified when plugin is not available. Resolves sorz#1 Signed-off-by: Tijs Van Buggenhout <tijs.van.buggenhout@axsguard.com>
Must verify
certHashandmacHashonsstpMsgCallConnectedReceived()to prevent MITM attack.The text was updated successfully, but these errors were encountered: