EasyCwmp - easycwmp
View Issue Details
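ID: 0000076
Project: easycwmp
Category: [All Projects] Question
View Status: public
Date Submitted: 2015-08-24 10:37
Last Update: 2015-10-05 14:39
Reporter: feckert
Assigned To: mohamed.kallel
Priority: none
Severity: trivial
Reproducibility: N/A
Status: resolved
Resolution: no change required
Summary: 0000076: NONCE_PRIV_KEY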
Hello,

could you please explain why the value NONCE_PRIV_KEY in digestauth.c is not randomized during runtime with /dev/random?

Kind regards Flo
No tags attached.
Issue History
2015-08-24 10:37  feckert  New Issue
2015-08-26 10:16  mohamed.kallel  Note Added: 0000271
2015-10-01 19:02  mohamed.kallel  Note Added: 0000284
2015-10-01 19:03  mohamed.kallel  Status: new => resolved
2015-10-01 19:03  mohamed.kallel  Resolution: open => no change required
2015-10-01 19:03  mohamed.kallel  Assigned To => mohamed.kallel
2015-10-02 10:27  mohamed.kallel  Note Added: 0000285
2015-10-02 10:28  mohamed.kallel  Status: resolved => new
2015-10-02 11:51  mohamed.kallel  Note Added: 0000286
2015-10-02 11:53  mohamed.kallel  Note Edited: 0000286
2015-10-02 12:07  mohamed.kallel  Note Added: 0000287
2015-10-02 12:08  mohamed.kallel  Note Edited: 0000287
2015-10-05 14:39  mohamed.kallel  Note Added: 0000292
2015-10-05 14:39  mohamed.kallel  Status: new => resolved

Notes
(0000271)
mohamed.kallel   
2015-08-26 10:16   
The digest source code was originally imported from the libmicrohttpd open source project (as indicated at the top of digestauth.c). We did not spend much time improving it. Please feel free to make any suggestion (patch) to generate the NONCE_PRIV_KEY randomly.
(0000284)
mohamed.kallel   
2015-10-01 19:02   
The NONCE_PRIV_KEY is not the real nonce sent in the digest authentication packet. This constant string is used as a constant to generate a random nonce by the function

static void calculate_nonce(uint32_t nonce_time, const char *method,
        const char *rnd, unsigned int rnd_size, const char *uri,
        const char *realm, char *nonce)

So in reality the nonce in the packet is random and not constant. You can check that in the traffic.

So there is nothing to do for this issue.
(0000285)
mohamed.kallel   
2015-10-02 10:27   
From feckert (by email)

That is not completely right, it's maybe unrealistic but if someone
knows the NONCE_PRIV_KEY (get source code and time)! See explanation
in source

/*
         * Second level vetting for the nonce validity
         * if the timestamp attached to the nonce is valid
         * and possibly fabricated (in case of an attack)
         * the attacker must also know the random seed to be
         * able to generate a "sane" nonce, which if he does
         * not, the nonce fabrication process going to be
         * very hard to achieve.
         */

I think it will be more safe 99,99% if we can get the NONCE_PRIV_KEY
from /dev/urandom (unblocking read) or /dev/random (blocking read).
If the service starts it will look in this device and get a random
number only valid for this server session run. And if the service will
restart a new one will be read from the device. Because it is a
service we should use unblocking read.

When the service starts we will open urandom and fill NONCE_PRIV_KEY

Pseudo C code
--------
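#include <fcntl.h>
#include <unistd.h>

char nonce_priv_key[28];

/* Fill nonce_priv_key at service start; returns 0 on success, -1 on error. */
int init_nonce_priv_key(void)
{
    /* urandom, as the text above says, so service start never blocks */
    int dev_random = open("/dev/urandom", O_RDONLY);
    size_t length = 0;
    if (dev_random < 0)
        return -1;
    while (length < sizeof nonce_priv_key)
    {
        ssize_t result = read(dev_random, nonce_priv_key + length,
                              (sizeof nonce_priv_key) - length);
        if (result <= 0)
        {
            // error, unable to read /dev/urandom
            close(dev_random);
            return -1;
        }
        length += result;
    }
    close(dev_random);
    return 0;
}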
(0000286)
mohamed.kallel   
2015-10-02 11:51   
(edited on: 2015-10-02 11:53)
Thanks feckert for your reply!
Maybe a Connection Request does not need such a security level, especially if your device is configured with a firewall that allows only CRs coming from the ACS. I think a random nonce based on time is sufficient.

But your answer and remark are interesting and good!
I will try to add your patch suggestion in a future delivery (inchallah).

(0000287)
mohamed.kallel   
2015-10-02 12:07   
(edited on: 2015-10-02 12:08)
"/dev/random" is better than "/dev/urandom" for security purposes, but since "/dev/random" is a blocking read, it's better to use "/dev/urandom".

(0000292)
mohamed.kallel   
2015-10-05 14:39   
Fixed in EasyCwmp-1.1.7
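
Added example, not part of the issue thread or of EasyCwmp's code: a C sketch of the point debated in notes 0000284 and 0000285, namely that the "second level vetting" of a nonce only helps when the key mixed into it is unknown to the client. FNV-1a stands in for the real hash, and COMPILED_KEY, the request values and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 28
/* Constructed placeholder, not the project's real constant. */
static const char COMPILED_KEY[KEY_LEN] = "compiled-in-placeholder-key";

/* FNV-1a, an assumed stand-in for the hash used by the real digest code. */
static uint64_t mix(uint64_t h, const void *p, size_t n)
{
    const unsigned char *b = p;
    while (n--) { h ^= *b++; h *= 1099511628211ULL; }
    return h;
}

/* Tag binds timestamp, method, key, URI and realm, like calculate_nonce(). */
uint64_t nonce_tag(uint32_t t, const char *method, const char *key,
                   const char *uri, const char *realm)
{
    uint64_t h = 14695981039346656037ULL;
    h = mix(h, &t, sizeof t);
    h = mix(h, method, strlen(method) + 1);
    h = mix(h, key, KEY_LEN);
    h = mix(h, uri, strlen(uri) + 1);
    return mix(h, realm, strlen(realm) + 1);
}

/* Server-side check: recompute with the server's key (constructed request). */
int nonce_is_sane(uint64_t tag, uint32_t t, const char *key)
{
    return tag == nonce_tag(t, "GET", key, "/", "realm");
}

/* Per-run key from /dev/urandom; returns 0 on success, -1 on failure. */
int load_runtime_key(char key[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(key, 1, KEY_LEN, f) : 0;
    if (f) fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* 1 if a tag built from the source-visible constant passes the server check. */
int source_reader_passes(const char *server_key, uint32_t t)
{
    uint64_t tag = nonce_tag(t, "GET", COMPILED_KEY, "/", "realm");
    return nonce_is_sane(tag, t, server_key);
}
```

With the compiled-in key as the server key the check passes for any timestamp the client chooses; with a key loaded at start-up it does not.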