

Preliminary version. Use at your own risk. For more information, see download.


DynChap: Dynamic Chap authentication
DynChap provides an additional pseudo hardware token based authentication layer for virtual private networks.
Version 0.30 (20060924)
Written by Ward van Wanrooij (ward@ward.nu, http://www.ward.nu)

Copyright © 2004-2006, Ward van Wanrooij

Most recent version available at http://www.ward.nu/computer/dynchap.


Contents

Introduction
Screenshots
Features
Statement on security
Installation and usage
Download
Links
History


Introduction

DynChap authentication consists of three modules:

Together these modules can extend your VPN authentication with a new layer using a pseudo hardware token.
Typical usage scenario: you need to implement VPN access for your network users. Of course, you want to implement this securely on your existing Linux firewall. So you compile the PoPToP PPTPD, upgrade your PPPD, install DKMS and the MPPE kernel module, and tweak your configuration files and firewall rules. Because you enabled only the MSCHAP-V2 authentication protocol and MPPE stateless encryption, technically your network is unbreakable. However, you are still vulnerable because of your users. Examples:

Clearly the user security vulnerability can never be completely resolved, but it can be minimized. DynChap authentication uses the user's mobile phone to generate a hash that must be entered along with the user's password in a custom connection dialogue. Upon connecting, the VPN verifies the authenticity of the hash. The hash is generated from a serial (by default 32 printable characters) stored in the J2ME-based mobile phone and the current time; the VPN server compares this hash against the serial and the current time, minus or plus a small deviation (by default 2 minutes). If the username, password and hash match, access is granted and the custom dialer is closed; the connection can now be controlled like an ordinary VPN connection.
By implementing DynChap you have raised the security from "something-you-know-or-have-saved" to "something-you-know" and "something-you-have", without expensive investments in proprietary software and hardware tokens.


Screenshots



Statement on security

No cryptographic analysis has been performed on the implementation of DynChap. I am not a cryptographer or mathematician. The hash is calculated from the MD5 of the serial (default 32 characters) and current date/time (12 characters). Four bytes are extracted from the hash (3rd, 7th, 11th and 15th byte) and converted to hexadecimal digits. The resulting string is the hash. The serial is stored once in the J2ME mobile phone and is inaccessible to other J2ME applications or end-user applications. Even if the serial is extracted from the hardware using e.g. a flash reader, the default password authentication still applies. Use with caution.
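The token computation and the server-side window check described above, written out as an added Python example. This is not the project's own pppd plugin or J2ME midlet code; it uses the page's defaults (32-character serial, four digest bytes, 2-minute deviation), while the 12-character time field being YYYYMMDDHHMM in UTC, the serial being followed directly by the time field in the MD5 input, and "3rd, 7th, 11th, 15th byte" counting from 1 are assumptions. The serial and timestamp below are constructed sample data.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumptions not stated on the page (treat as hypothetical): the 12-character
# date/time field is YYYYMMDDHHMM in UTC, the MD5 input is the serial
# immediately followed by that field, and "3rd, 7th, 11th and 15th byte"
# count from 1, i.e. 0-based offsets 2, 6, 10 and 14 of the 16-byte digest.
TIME_FORMAT = "%Y%m%d%H%M"       # 12 characters
DIGEST_OFFSETS = (2, 6, 10, 14)  # four of the sixteen MD5 digest bytes
SERIAL_LENGTH = 32               # page default
DEFAULT_DEVIATION_MINUTES = 2    # page default


def time_string(when: datetime) -> str:
    """The 12-character time field folded into the hash (UTC, minute resolution)."""
    return when.astimezone(timezone.utc).strftime(TIME_FORMAT)


def dynchap_hash(serial: str, when: datetime) -> str:
    """Token side: MD5(serial || time), then four digest bytes as 8 lowercase hex digits."""
    if len(serial) != SERIAL_LENGTH:
        raise ValueError(f"serial must be {SERIAL_LENGTH} printable characters")
    digest = hashlib.md5((serial + time_string(when)).encode("ascii")).digest()
    return "".join(f"{digest[i]:02x}" for i in DIGEST_OFFSETS)


def verify_hash(serial: str, presented: str, now: datetime,
                deviation_minutes: int = DEFAULT_DEVIATION_MINUTES) -> bool:
    """Server side: accept if the presented value matches any minute in now +/- deviation.

    Every candidate minute is checked (no early return) and compared with
    compare_digest, so response time does not reveal which minute, if any, matched.
    """
    presented = presented.strip().lower().encode("utf-8")
    accepted = False
    for offset in range(-deviation_minutes, deviation_minutes + 1):
        expected = dynchap_hash(serial, now + timedelta(minutes=offset)).encode("utf-8")
        if hmac.compare_digest(expected, presented):
            accepted = True
    return accepted


def minutes_from(when: datetime, minutes: int) -> datetime:
    """Clock helper: the server's view of time `minutes` later (negative = earlier)."""
    return when + timedelta(minutes=minutes)


# Constructed sample data, not a real serial or deployment.
SAMPLE_SERIAL = "0123456789abcdefghijklmnopqrstuv"
SAMPLE_TIME = datetime(2006, 9, 24, 21, 19, tzinfo=timezone.utc)


if __name__ == "__main__":
    token_value = dynchap_hash(SAMPLE_SERIAL, SAMPLE_TIME)
    print("time field :", time_string(SAMPLE_TIME))
    print("token hash :", token_value)
    # Show the acceptance window as the server clock drifts relative to the phone.
    for skew in (-3, -2, 0, 2, 3):
        ok = verify_hash(SAMPLE_SERIAL, token_value, minutes_from(SAMPLE_TIME, skew))
        print(f"server clock {skew:+d} min -> {'accept' if ok else 'reject'}")
```

Two properties of the scheme are visible in this code: the four extracted bytes give 2^32 possible hash values and, with the default deviation, five of them are accepted at any instant, so the hash contributes roughly 30 bits on top of the password; and the serial is the only long-lived secret, which is why the page pairs it with the ordinary CHAP password rather than replacing it. The acceptance window also means phone and server clocks must agree to within the configured deviation.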
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



Features



Installation and usage

First, make sure you have a working PPTPD/PoPToP configuration and that you can connect to it from a Windows machine successfully. In your Windows VPN connection, set "Security options" to "Advanced (custom settings)", set "Data encryption" to "Maximum strength encryption (disconnect if server declines)" and allow only the protocol "Microsoft CHAP Version 2 (MS-CHAP v2)". Create a user (e.g. tester) in /etc/ppp/chap-secrets and connect using this connection. If it does not work, fix this first before going further.
Server

Mobile phone

Client for Windows PC

Client for Apple OS X

You can now start your DynChap authenticated VPN connection by starting DynChap Dialer and entering your username, password and the hash generated by DynChap Token.



Download

Warning: this DynChap package (version 0.30) is currently beta software. Test before using in production environments. Please inform me of any testing and evaluation results.
The DynChap package contains both binary and source versions of all three modules. Recompilation of the pppd might be necessary and is recommended to account for changes in different PPPD versions. Recompilation of the dialer for Windows requires Borland Delphi version 4 or greater. Recompilation of the dialer for OS X requires XCode, OS X SDK and ppp source package from Apple. Recompilation of the midlet requires the Sun J2ME Wireless Toolkit 2.1. The DynChap package contains:

drwxr-xr-x ward/ward         0 2004-12-04 21:42:34 dynchap-0.30/
drwxr-xr-x ward/ward         0 2006-09-24 21:19:12 dynchap-0.30/bin/
drwxr-xr-x ward/ward         0 2004-12-04 21:42:33 dynchap-0.30/bin/dialer/
-rwxr-xr-x ward/ward    336384 2004-12-04 21:42:33 dynchap-0.30/bin/dialer/dynchapd.exe
-rw-r--r-- ward/ward        91 2004-12-04 21:42:33 dynchap-0.30/bin/dialer/dynchapd.ini
drwxr-xr-x ward/ward         0 2006-09-24 21:41:49 dynchap-0.30/bin/dialer-osx/
drwxr-xr-x ward/ward         0 2006-09-24 21:41:49 dynchap-0.30/bin/dialer-osx/DynChap.ppp/
drwxr-xr-x ward/ward         0 2006-09-24 21:41:49 dynchap-0.30/bin/dialer-osx/DynChap.ppp/Contents/
drwxr-xr-x ward/ward         0 2006-09-24 21:41:49 dynchap-0.30/bin/dialer-osx/DynChap.ppp/Contents/MacOS/
-rwxr-xr-x ward/ward     38468 2006-09-24 21:41:49 dynchap-0.30/bin/dialer-osx/DynChap.ppp/Contents/MacOS/DynChap
drwxr-xr-x ward/ward         0 2006-09-24 21:41:49 dynchap-0.30/bin/dialer-osx/DynChap.ppp/Contents/Resources/
-rw-r--r-- ward/ward     11467 2006-09-24 21:41:49 dynchap-0.30/bin/dialer-osx/DynChap.ppp/Contents/Resources/DynChap.icns
-rw-r--r-- ward/ward       833 2006-09-24 21:41:49 dynchap-0.30/bin/dialer-osx/DynChap.ppp/Info.plist
drwxr-xr-x ward/ward         0 2004-12-04 21:42:33 dynchap-0.30/bin/pppd/
-rw-r--r-- ward/ward     14105 2006-09-24 23:47:40 dynchap-0.30/bin/pppd/dynchap.so
drwxr-xr-x ward/ward         0 2004-12-04 21:42:34 dynchap-0.30/bin/token/
-rw-r--r-- ward/ward       288 2004-12-04 21:42:34 dynchap-0.30/bin/token/DynChap.jad
-rw-r--r-- ward/ward     12721 2004-12-04 21:42:34 dynchap-0.30/bin/token/DynChap.jar
drwxr-xr-x ward/ward         0 2006-09-24 23:50:30 dynchap-0.30/doc/
-rw-r--r-- ward/ward      1953 2004-12-04 21:42:34 dynchap-0.30/doc/dynchap.jpg
-rw-r--r-- ward/ward     14181 2004-12-04 21:42:34 dynchap-0.30/doc/dynchapscreenshot1.jpg
-rw-r--r-- ward/ward      4983 2004-12-04 21:42:34 dynchap-0.30/doc/dynchapscreenshot2.jpg
-rw-r--r-- ward/ward     60293 2004-12-04 21:42:34 dynchap-0.30/doc/dynchapscreenshot3.jpg
-rw-r--r-- ward/wheel    26747 2006-09-24 23:39:47 dynchap-0.30/doc/dynchapscreenshot4.jpg
-rw-r--r-- ward/ward     17359 2006-09-24 23:44:33 dynchap-0.30/doc/index.html
-rw-r--r-- ward/ward       347 2006-09-24 23:50:30 dynchap-0.30/doc/README.TXT
drwxr-xr-x ward/ward         0 2006-09-23 17:18:38 dynchap-0.30/src/
drwxr-xr-x ward/ward         0 2004-12-04 21:42:34 dynchap-0.30/src/dialer/
-rw-r--r-- ward/ward       349 2004-12-04 21:42:34 dynchap-0.30/src/dialer/dynchapd.cfg
-rw-r--r-- ward/ward      1304 2004-12-04 21:42:34 dynchap-0.30/src/dialer/dynchapd.dof
-rw-r--r-- ward/ward       236 2004-12-04 21:42:34 dynchap-0.30/src/dialer/dynchapd.dpr
-rw-r--r-- ward/ward        91 2004-12-04 21:42:34 dynchap-0.30/src/dialer/dynchapd.ini
-rw-r--r-- ward/ward      1220 2004-12-04 21:42:34 dynchap-0.30/src/dialer/dynchapd.res
-rw-r--r-- ward/ward       114 2004-12-04 21:42:34 dynchap-0.30/src/dialer/LanMan.inc
-rw-r--r-- ward/ward      9829 2004-12-04 21:42:34 dynchap-0.30/src/dialer/LmCons.pas
-rw-r--r-- ward/ward     49896 2004-12-04 21:42:34 dynchap-0.30/src/dialer/LmErr.pas
-rw-r--r-- ward/ward       395 2004-12-04 21:42:34 dynchap-0.30/src/dialer/Ras.inc
-rw-r--r-- ward/ward     75489 2004-12-04 21:42:34 dynchap-0.30/src/dialer/Ras.pas
-rw-r--r-- ward/ward     32816 2004-12-04 21:42:34 dynchap-0.30/src/dialer/RasError.pas
-rw-r--r-- ward/ward      1078 2004-12-04 21:42:34 dynchap-0.30/src/dialer/REMTEACC.ICO
-rw-r--r-- ward/ward      2649 2004-12-04 21:42:34 dynchap-0.30/src/dialer/udcd1.dfm
-rw-r--r-- ward/ward      8489 2004-12-04 21:42:34 dynchap-0.30/src/dialer/udcd1.pas
drwxr-xr-x ward/ward         0 2006-09-24 23:49:35 dynchap-0.30/src/dialer-osx/
-rw-r--r-- ward/ward      4441 2006-09-24 21:24:47 dynchap-0.30/src/dialer-osx/dynchap.c
-rw-r--r-- ward/ward     11467 2006-09-24 15:20:51 dynchap-0.30/src/dialer-osx/DynChap.icns
-rw-r--r-- ward/ward       833 2006-09-24 21:00:55 dynchap-0.30/src/dialer-osx/Info.plist
-rw-r--r-- ward/ward       926 2006-09-24 21:39:24 dynchap-0.30/src/dialer-osx/Makefile
drwxr-xr-x ward/ward         0 2006-09-24 23:48:24 dynchap-0.30/src/pppd/
-rw-r--r-- ward/wheel     5020 2006-09-24 23:29:36 dynchap-0.30/src/pppd/dynchap.c
-rw-r--r-- ward/ward       156 2006-09-24 20:36:42 dynchap-0.30/src/pppd/Makefile
drwxr-xr-x ward/ward         0 2004-12-04 21:42:34 dynchap-0.30/src/token/
drwxr-xr-x ward/ward         0 2004-12-04 21:49:38 dynchap-0.30/src/token/DynChap/
drwxr-xr-x ward/ward         0 2004-12-04 21:53:15 dynchap-0.30/src/token/DynChap/bin/
-rw-r--r-- ward/ward       325 2004-12-04 21:53:09 dynchap-0.30/src/token/DynChap/bin/DynChap.jad
-rw-r--r-- ward/ward     13214 2004-12-04 21:52:16 dynchap-0.30/src/token/DynChap/bin/DynChap.jar
-rw-r--r-- ward/ward       217 2004-12-04 21:52:16 dynchap-0.30/src/token/DynChap/bin/MANIFEST.MF
drwxr-xr-x ward/ward         0 2004-12-04 21:42:34 dynchap-0.30/src/token/DynChap/classes/
-rw-r--r-- ward/ward       236 2004-10-23 21:29:31 dynchap-0.30/src/token/DynChap/DynChap.pro
drwxr-xr-x ward/ward         0 2004-12-04 21:42:34 dynchap-0.30/src/token/DynChap/lib/
-rw-r--r-- ward/ward        16 2004-12-04 21:48:31 dynchap-0.30/src/token/DynChap/project.properties
drwxr-xr-x ward/ward         0 2004-12-04 21:42:34 dynchap-0.30/src/token/DynChap/res/
-rw-r--r-- ward/ward       451 2004-12-04 21:42:34 dynchap-0.30/src/token/DynChap/res/DynChap.png
drwxr-xr-x ward/ward         0 2004-12-04 21:53:32 dynchap-0.30/src/token/DynChap/src/
-rw-r--r-- ward/ward     12776 2004-12-04 21:48:15 dynchap-0.30/src/token/DynChap/src/DynChap.java
drwxr-xr-x ward/ward         0 2004-12-04 21:42:35 dynchap-0.30/src/token/DynChap/src/fi/
drwxr-xr-x ward/ward         0 2004-12-04 21:42:35 dynchap-0.30/src/token/DynChap/src/fi/iki/
drwxr-xr-x ward/ward         0 2004-12-04 21:42:35 dynchap-0.30/src/token/DynChap/src/fi/iki/santtu/
drwxr-xr-x ward/ward         0 2004-12-04 21:42:35 dynchap-0.30/src/token/DynChap/src/fi/iki/santtu/md5/
-rw-r--r-- ward/ward     14304 2004-12-04 21:42:35 dynchap-0.30/src/token/DynChap/src/fi/iki/santtu/md5/MD5.java
drwxr-xr-x ward/ward         0 2004-12-04 21:42:35 dynchap-0.30/src/token/DynChap/tmpclasses/
drwxr-xr-x ward/ward         0 2004-12-04 21:42:35 dynchap-0.30/src/token/DynChap/tmplib/

Download the DynChap 0.30 package in a .tar.gz archive (see history).



Links

Assorted relevant external links.



History

24-09-2006 Release 0.30. Integrated stripdomain patch. Default to newer MD5 functions. Added Apple OS X client plugin. Server PPPD plugin version 0.30, Apple OS X client plugin version 0.30, Java mobile token version 0.22, Windows client dialer version 0.20
16-09-2006 Released a patch for pppd for use with a PoPToP/pppd server and an Apple OS X 10.4.6/7/8 client. If you are unable to connect using the OS X client and the dialer keeps hanging at 'Authenticating...', the relevant CHAP authentication messages are being lost; this patch serves as a workaround by sending all CHAP-related state messages three times. Note that this problem is not limited to PPTP VPNs using DynChap: it is a general problem in the combination of ppp 2.4.3 and Mac OS X 10.4.6/7/8.
21-03-2006 Released a patch to support stripping the Windows domain name. You should use this if your Windows client automatically sends the domain name.
04-12-2004 Release 0.22. Bugfix for Nokia 6XXX running out of storage space; error handling improved. Token component is version 0.22, dialer and plugin are version 0.2.
23-11-2004 Release 0.2. Bugfix for Nokia phones without timezone. Textual representation of hash for smaller displays. XOR'ing the serial before writing and after reading.
30-10-2004 Release 0.1
23-10-2004 Source 0.1 ready
