MultiOTP PIN / SEED encryption with different back-end

Greetings,

I have two servers, one old that I would like to replace with a new one. Both of them are CentOS with multiOTP + FreeRadius.

Old (current) configuration: CentOS 6.x, PHP from the CentOS repository, FreeRadius 2 from the CentOS repository, multiOTP v4.2.4.2 with the "files" back-end.

New configuration: CentOS 7 Linux with PHP installed from the CentOS repository, MariaDB server installed from the CentOS repository and FreeRadius 3.x from the CentOS repository. Both multiOTP and FreeRadius use MariaDB as the back-end, with two different schemas. But FreeRadius is out of scope for this question. The multiOTP version is 4.3.2.6, the current stable one. Everything is working fine, I am able to create users, authenticate, etc., but I have a security concern here.

On the old server with the multiOTP back-end "files", I create a user and then look into the user.db file created by multiOTP; I can see the SEED and PIN in encoded form, e.g.
/opt/multiotp/multiotp.php -display-log -debug -create -prefix-pin test-motp TOTP ad2eb4329f1d2zz940db5ttce6be58274ee6b228 1010 6 30
...
token_seed:=VDk0MDtnNxQ4NAk4PHYuTTFp1YhZPXYraQhzde1yAT1xQjh7MSkkKQ==
user_pin:=fCMwJD==

On the new server with back-end "mysql" (and backend_type_validated set to 1) in multiotp.ini, running the same command to create a user, I can see the new records in the database in the multiotp_users table, but token_seed and user_pin are stored in plain text:
token_seed - ad2eb4329f1d2zz940db5ttce6be58274ee6b228 
user_pin - 1010
which is not as secure as the files back-end version. Is there anything I am missing in the configuration that can change this behavior and force multiOTP to store the information in the MariaDB table also in "encrypted" form as in the files, or is the behavior of version 4.3.2.6 different from 4.2.4.2? I have compared multiotp.ini from both servers and cannot see a lot of difference. Sure, some new settings appeared in the new version's ini file, namely the mysql connection parameters, but that is expected.
Can anyone point me to documentation or give a hint on how I can force multiOTP 4.3.2.6 with the mysql back-end to store the account's PIN and SEED in non-plain-text form in the database?

TIA, Andre.

Comments

  • Hello,
    In multiotp.ini file, the attributes_to_encrypt= must be empty in order to encrypt the default sensitive attributes, which are the following:
    • admin_password_hash
    • challenge
    • device_secret
    • ldap_hash_cache
    • ldap_server_password
    • scratch_passwords
    • seed_password
    • server_secret
    • sms_api_id
    • sms_otp
    • sms_password
    • sms_userkey
    • smtp_password
    • sql_password
    • token_seed
    • user_pin

    If you want to customize the list of attributes to encrypt, you can type the list of your attributes surrounded by stars like this:

    attributes_to_encrypt=*token_seed*user_pin*

    As soon as a record is updated, the selected attributes are encrypted.

    Thanks for keeping us in touch.

    Regards,

    Andre

  • Greetings,

    It is exactly what I was looking for. Thank you a lot for the detailed explanation. For multiOTP 4.3.2.6 the default installation includes this parameter with the ** value, e.g. "attributes_to_encrypt=**", whereas for 4.2.4.2 it was empty ("attributes_to_encrypt="), so that explains why the new default installation has those data in MariaDB in plain text format.
    One more note that will probably be helpful to anyone who runs into the same situation. I already had a couple of records in MariaDB, and when I adjusted multiotp.ini and set "attributes_to_encrypt=", new users still appeared in the database with plain-text attributes, so I had to re-initialize the database (run "multiotp.php -initialize-backend") and after that new records in the database appeared with encoded attributes.

    Thanks again for your help and great software.

    WBR, Andre.
  • edited August 2016
    Hi Andre,

    The value ** is set when launching the "check.multiotp.class.php" file. This is for debugging purposes.

    $multiotp->_config_data['attributes_to_encrypt'] = '**';  // For test purposes only

    // Write the configuration information in the configuration file
    $multiotp->WriteConfigData();

    At the end of the file, it should be set back to empty again. We will check that carefully for the next version 5.x which will be published soon.

    Best regards,

    Andre
  • Please note that as soon as you have changed the attributes to encrypt, the selected attributes of each record will be encrypted the next time the record is touched; you don't have to do anything else.

    Regards,

    Andre
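As an added example (not code from this thread or from multiOTP itself), the following Python models the attributes_to_encrypt rules the maintainer and the reporter describe above (empty value = the default sensitive list, *a*b* = exactly the listed names, ** = the debug value that selects nothing) and audits rows exported from multiotp_users for seeds and PINs that still look like plaintext. The ini text, the sample rows and the hex/digit heuristic are all constructed here and are not part of any multiOTP API.

```python
import re

# Default sensitive attributes, as listed in the maintainer's reply above.
DEFAULT_ENCRYPTED_ATTRIBUTES = frozenset({
    "admin_password_hash", "challenge", "device_secret", "ldap_hash_cache",
    "ldap_server_password", "scratch_passwords", "seed_password",
    "server_secret", "sms_api_id", "sms_otp", "sms_password", "sms_userkey",
    "smtp_password", "sql_password", "token_seed", "user_pin",
})

# Only spaces/tabs are allowed around '=' so the match never runs onto the next line.
_INI_LINE = re.compile(r"^[ \t]*attributes_to_encrypt[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

def attributes_to_encrypt(ini_text):
    """Names that a multiotp.ini selects for encryption, per the thread:
    empty value -> default list, '*a*b*' -> exactly a and b,
    '**' (the value left behind by check.multiotp.class.php) -> nothing."""
    match = _INI_LINE.search(ini_text)
    value = match.group(1) if match else ""
    if value == "":
        return set(DEFAULT_ENCRYPTED_ATTRIBUTES)
    return {name for name in value.split("*") if name}

def looks_plaintext(attr, value):
    """Constructed heuristic: an unencrypted TOTP seed is bare hex and an
    unencrypted PIN is bare digits, while the encoded form seen in user.db
    is base64-like (mixed case, usually padded with '=')."""
    if attr == "token_seed":
        return re.fullmatch(r"[0-9a-fA-F]{16,}", value) is not None
    if attr == "user_pin":
        return value.isdigit()
    return False

def audit_rows(ini_text, rows):
    """Return (user, attribute) pairs that the ini says should be encrypted
    but that still look like plaintext in the exported multiotp_users rows."""
    wanted = attributes_to_encrypt(ini_text)
    findings = []
    for row in rows:
        for attr in ("token_seed", "user_pin"):
            if attr in wanted and looks_plaintext(attr, str(row.get(attr, ""))):
                findings.append((row["user"], attr))
    return findings

# Constructed sample rows: one written under '**', one written after the fix.
SAMPLE_ROWS = [
    {"user": "test-motp", "token_seed": "3132333435363738393031323334353637383930", "user_pin": "1010"},
    {"user": "test-ok", "token_seed": "VDk0MDtnNxQ4NAk4PHYuTTFp1YhZPXYraQhzde1yAT1xQjh7MSkkKQ==", "user_pin": "fCMwJD=="},
]
```

Feed audit_rows() the text of multiotp.ini and the rows selected from multiotp_users; an empty result under "attributes_to_encrypt=" means every existing record has already been touched and re-written in encoded form.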