Both server and client generate these keys using “magic” strings and the HMAC key derivation function, HKDF. RouterOS also uses separate send and receive keys for both HMAC and AES, labeled below as AES s, AES r, HMAC s, HMAC r. MikroTik employs a MAC-then-encrypt strategy, leveraging AES-CBC as the encryption algorithm and HMAC as the authentication algorithm. The server and client can encrypt data once confirming an equivalent shared secret. The server validates the username and password by similarly calculating Cc and checking against the client provided value. Performs a final elliptic curve scalar multiplication using the server’s private key to yield z = Ts(Wc + h.v).Computes plot(Wc x) on the elliptic curve, generating Wc.The server computes the shared secret point, z, as follows:.The client completes this handshake step by transmitting Cc. Computes a client-side confirmation code, Cc = SHA2(h + z x).Calculates the shared point, z, using elliptic curve multiplication with the previously calculated u point to find z = u(Tc + h.v).Performs scalar addition and multiplication to compute Tc + h.v p.Performs point subtraction to disentangle the password, calculating u = Ws - e. Computes the server public point Ws using plot(Ws x).Calculates pseudo-random point e = plot(SHA2(v x)), as the server computed in the preceding step.Plots v as the server did during registration and retrieves the x coordinate, v x.Calculates v's private key, vp = SHA2(salt | SHA2(username | “:” | password)).The client, now knowing the user’s salt and the server’s public key, can compute the shared secret and confirmation code as follows:.The server similarly calculates and transmits the parity of its public point’s y coordinate, Ws y.Finally, the server responds with Ws x and salt The server then generates an ephemeral private key, Ts, and computes a password-entangled public key point, Ws = ECDH(Ts) + plot(SHA2(v x)). The server retrieves the associated client’s salt and v x.Since each elliptic curve x coordinate has two y solutions, (x, y) and (x, -y), the client also transmits the parity of the generated point’s y coordinate, Wc y, to ensure the server calculates the identical point and not its negation.The client sends an authentication request including username and the point’s x coordinate, Wc x, as its ephemeral public key The client generates an ephemeral private key, Tc, and computes its ephemeral public key point Wc = ECDH(Tc).The router stores username, salt, and v’s x coordinate, v x, in memory in /rw/store/user.dat.The router generates a 16-byte user salt and calculates the user’s password verifier, v, according to the equation v = ECDH(SHA2(salt | SHA2(username | “:” | password))).A user registers with the system, providing a username and password.This protocol, which is much less prevalent, is defined by the following sequence: User registration Rather, RouterOS employs elliptic curve SRP (EC-SRP), specifically EC-SRP5. However, MikroTik does not implement this SRP protocol. The SRP specification dates back over two decades and mainstream use gained traction in the recent past, highlighted by its use in OpenSSL. Knowledge of the correct password is required to compute the shared secret, so identical secrets indicate successful authentication. SRP is a type of Password Authentication Key Exchange protocol which incorporates the password within key exchange calculations. MikroTik's new authentication process uses a variation of Secure Remote Password (SRP). Margin Research is excited to illuminate the authentication procedure and offer Python proof of concept (POC) implementations for Winbox and MAC Telnet authentication. MikroTik has since failed to detail the new authentication procedure despite user requests for assistance. While enhancing router security, this came as a blow for researchers, network administrators, and tinkerers who used customized tooling with MikroTik proprietary protocols such as MAC Telnet and Winbox. In August 2019, MikroTik issued a RouterOS software update to version 6.45.1 which removed plaintext password storage on all routers that upgraded to the new firmware. Februby Ian Dupont and Joe Lothan Posted in:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |