This article comprises the DHX User Authentication Module 1.0 Read Me.

DHX User Authentication Module 1.0 Read Me

CONTENTS

Introduction

Requirements for Running the DHX UAM 1.0

Installing the DHX UAM 1.0

Using the DHX UAM 1.0 Algorithms used

Known Incompatibilities and Limitations

Introduction

The DHX (Diffie-Hellman Exchange) UAM provides a relativly secure way to transport cleartext passwords of up to 64 characters to the server for further processing.

Requirements for Running the DHX UAM 1.0

AppleShare Client: 3.8.1 or later

Installing the DHX UAM 1.0

The UAM should be placed in a folder titled "AppleShare Folder" within the extensions folder on the current System Folder. No reboot is needed, though you must close the Chooser & Network Browser and reopen them before the new UAM will be noticed.

Using the DHX UAM 1.0 If the server you are connecting to, supports the DHX UAM, the AppleShare Client will put up a dialog allwing you to choose "Encrypted Password" as a login mechanism. Select this UAM and fill in your password and username just as you would for the standard AppleShare login dialog.

Algorithms Used

password is padded with nulls to 64 bytes

username is a pstring, padded to even byte length (odd number of chars)

ServerSig is obtained from the AFPSrvrInfo reply from the server.

first message from client to server:
| login (2 bytes)  | AFP Vers | UAMName "DHCAST128" | Username (padded) | Ma (16 bytes) |

reply (server to client)
| ID (2 bytes) | Mb (16 bytes) | (16 byte nonce, ServerSig)K |

login continue (client to server)
| logincontinue (2 bytes) | ID (2 bytes) | (16 byte nonce + 1, password)K |

reply (server to client)
pass / fail

(data)K = Encrypt data using CAST 128 CBC with key = K

The Key is generated with a Diffie-Hellman key exchange as follows:

Ma - first message = g^Ra mod p  (sent by the Client to the Server)

Mb - second message = g^Rb mod p (sent by the Server to the Client)

K - Key = Mb^Ra mod p = Ma^Rb mod p

We are using CAST 128, (the implementation from SSLeay) in CBC mode with the IV in the second message being the bytestring "CJalbert" and the IV in the third message being the bytestring "LWallace".

Known Incompatibilities and Limitations

• There seems to be a problem between Norton Antivirus and the DHX UAM. The client Mac will crash with an illegal instruction when the user types into the username or password fields. Workaround is to turn off Norton Antivirus.
• For debugging purposes, there is a debug break before each Alert put up by the UAM, just type g and return in MacsBug. If an alert does not come up, please report it as a bug.