Is it necessary to change the default encryption hash & server secret values?
Dear Forum,
I want to know what happens if we do not change the default encryption_hash & server_secret values in the multiotp.ini file for the client/server architecture. We are running a huge setup and it is difficult to maintain both values, as we have noticed that a normal user on a Windows/Linux system may be able to read the C:\Program Files (x86)\multiOTP\config\multiotp.ini file and see both values easily. However, we have protected the multiOTP server to allow only certain IPs of servers, and nobody else can directly access the server. But the issue is that the client systems run different applications, and some web applications are vulnerable to reading data from files. I have a Wireshark dump and see that the encrypted values change automatically (e.g. server challenge & server password). So my question is: if someone knows the secret & encryption hash, are they able to hack the users' tokens? Or are they able to query the user information and get their secret seed/token, and then use them to access/login to the client machine? As per the dump I see the values change, so there is some confusion. If additional details are needed, I will provide them.
Thanks
This discussion has been closed.
Comments
https://github.com/multiOTP/multiOTPCredentialProvider/releases/tag/5.3.0.3
https://github.com/multiOTP/multiotp/releases/tag/5.3.0.3
Please check it on your side and close this issue if it is resolved.
The server-side algorithm is implemented in the XmlServer() method
The client-side algorithm is implemented in the CheckUserTokenOnServer() method
Thanks a lot for your feedback. If you want to continue to support our work with a small donation, have a look at the Wiki homepage, we provide a link to our Paypal account.
Regards,
Andre
In order to have the new behavior concerning the call of the CheckUserTokenOnServer() method, you only need to upgrade the server to version 5.3.0.3; clients don't have to be upgraded for that (security parameters always have higher priority on the server than on the client).
The information exchanged between the client and the server is encrypted with the server_secret. Furthermore, some specific attributes are stored encrypted in the server backend. These encrypted specific_attributes for a user are only transferred to the client if:
1) The cache is enabled on the server side
2) The cache is enabled on the client side
3) The prefix+OTP of the user is correct
By default, the encrypted attributes defined on the server are: admin_password_hash, challenge, device_secret, ldap_hash_cache, ldap_server_password, scratch_passwords, seed_password, server_secret, sms_api_id, sms_otp, sms_password, sms_userkey, smtp_password, sql_password, token_seed, user_pin.
Please describe your current configuration clearly to us (you can send us an email if you prefer: info -at- multiotp.net):
a) Do you need cache (offline) authentication on the clients or not? NO/YES
b) What is the value of the server_cache_level on the server? 0/1
c) Which OS/distribution are you using for the server side? Windows / Linux / VM provided by us / other
d) What is the multiOTP version on the server? 5.x.x.x
e) What are you analysing with tcpdump? Successful authentication / Refused authentication / other?
f) What is the URL of the server you have configured? https://xxxx / http://xxxx
Best regards,
Andre
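As an added example (not code from the multiOTP project or from either poster), here is a small Python audit that reflects the three conditions Andre lists above and the original poster's concern about a readable multiotp.ini: it parses a key=value configuration, flags a server_secret or encryption_hash still at a shipped default, reports when caching on both sides would replicate the encrypted user attributes to clients after a valid OTP, and checks POSIX file permissions. The key names server_secret, encryption_hash and server_cache_level come from this thread; the file format, the placeholder default values, the client_cache_enabled flag and all helper names are assumptions.

```python
"""Audit a multiOTP-style configuration for the risks discussed in this thread.

Constructed example. Assumptions: the file is one key=value per line with
'#' comments; the DEFAULT_* constants are placeholders, not the real shipped
values; whether the client has its cache enabled is passed in by the caller.
"""
import os
import stat
import tempfile

# Placeholder stand-ins for the shipped defaults (assumption, not real values).
DEFAULT_SERVER_SECRET = "DEFAULT_SERVER_SECRET_PLACEHOLDER"
DEFAULT_ENCRYPTION_HASH = "DEFAULT_ENCRYPTION_HASH_PLACEHOLDER"

# Attributes the thread says are stored encrypted on the server.
ENCRYPTED_ATTRIBUTES = {
    "admin_password_hash", "challenge", "device_secret", "ldap_hash_cache",
    "ldap_server_password", "scratch_passwords", "seed_password",
    "server_secret", "sms_api_id", "sms_otp", "sms_password", "sms_userkey",
    "smtp_password", "sql_password", "token_seed", "user_pin",
}


def parse_ini(text):
    """Parse key=value lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def attributes_reach_client(server_cache_enabled, client_cache_enabled, otp_correct):
    """Encrypted attributes leave the server only when all three conditions hold."""
    return bool(server_cache_enabled and client_cache_enabled and otp_correct)


def audit_config(cfg, client_cache_enabled=False):
    """Return a list of findings (empty list means nothing flagged)."""
    findings = []
    if cfg.get("server_secret", DEFAULT_SERVER_SECRET) == DEFAULT_SERVER_SECRET:
        findings.append("server_secret is unset or still the shipped default")
    if cfg.get("encryption_hash", DEFAULT_ENCRYPTION_HASH) == DEFAULT_ENCRYPTION_HASH:
        findings.append("encryption_hash is unset or still the shipped default")
    # server_cache_level 0 = cache disabled (values other than 0 treated as enabled).
    server_cache = cfg.get("server_cache_level", "0") != "0"
    if attributes_reach_client(server_cache, client_cache_enabled, otp_correct=True):
        findings.append("cache enabled on both sides: %d encrypted attributes are "
                        "replicated to clients after a valid OTP" % len(ENCRYPTED_ATTRIBUTES))
    return findings


def world_readable(path):
    """POSIX check: True if 'other' has read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_file(path, client_cache_enabled=False):
    """Audit a configuration file: content findings plus a permission finding."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_config(parse_ini(fh.read()), client_cache_enabled)
    if world_readable(path):
        findings.append("%s is readable by other local users" % path)
    return findings


# Constructed sample configurations (not real multiotp.ini contents).
SAMPLE_WEAK = """# weak: defaults kept, server cache on
server_secret=DEFAULT_SERVER_SECRET_PLACEHOLDER
encryption_hash=DEFAULT_ENCRYPTION_HASH_PLACEHOLDER
server_cache_level=1
"""
SAMPLE_HARDENED = """# hardened: unique secrets, server cache off
server_secret=q7Vw2mX9pLr4tZb8nKc3
encryption_hash=HASH_OF_A_LONG_RANDOM_VALUE
server_cache_level=0
"""


if __name__ == "__main__":
    # Write the weak sample to a world-readable temp file and audit it.
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as tmp:
        tmp.write(SAMPLE_WEAK)
    os.chmod(tmp.name, 0o644)
    for finding in audit_file(tmp.name, client_cache_enabled=True):
        print("FINDING:", finding)
    os.unlink(tmp.name)
```

Run the block as a script to see the findings for the weak sample; in practice point audit_file at the real config path and pass client_cache_enabled according to how the clients are configured. The permission check is POSIX-only; on Windows, inspect the ACL on the config directory instead.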
Thank you once again for the clarification, highly appreciated. Below are the answers to your questions. Also I saw the ChapChallenge, ChapPassword and ChapHash values encrypted on the server.
a) Do you need cache (offline) authentication on the clients or not ? NO/YES
Ans: NO
b) What is the value of the server_cache_level on the server ? 0/1
Ans: 0
c) Which OS/distribution are you using for the server side ? Windows / Linux / VM provided by us / other ?
Ans: Linux
d) What is the multiOTP version on the server ? 5.x.x.x
Ans: 5.3.0.3
e) What are you analysing with tcpdump ? Successful authentication / Refused authentication / other ?
Ans: Successful authentication.
f) What is the url of the server you have configured ? https://xxxx / http://xxxx
Ans: https://x.x.x.x
Regards,
Muzammel