Radius 中 与Response Authernticator 与 Message-Authenticator的计算
/* String RequestStr3 = @"01 00 00 9E EB B2 E8 D9 1E 52 10 03 FB E1 52 39 27 58 93 F0 01 0E 33 34 38 30 62 33 34 32 61 30 61 33 02 12 56 BE 23 D1 61 13 7F E5 95 21 CB 44 B9 32 D4 49 04 06 C0 A8 08 05 20 07 68 65 6C 6C 6F 1E 1A 41 30 2D 36 33 2D 39 31 2D 38 42 2D 30 39 2D 35 30 3A 48 44 41 50 30 35 1F 13 33 34 2D 38 30 2D 42 33 2D 34 32 2D 41 30 2D 41 33 3D 06 00 00 00 13 4D 18 43 4F 4E 4E 45 43 54 20 31 31 4D 62 70 73 20 38 30 32 2E 31 31 62 50 12 B8 4B 87 5E 53 77 2C FA 90 16 E3 B5 5F 4E CA FD "; */ var requestStr = RequestStr3; var responseStr = @"02-00-00-2C-57-CE-42-DB-EB-9F-DA-5D-B3-E5-DB-D0-9E-75-92-BA-1B-06-00-98-96-7F-50-12-D1-B1-36-29-F5-7D-1C-65-CB-BC-DA-57-DE-49-E7-3C"; var responseArr = responseStr.Split("-".ToCharArray(), StringSplitOptions.RemoveEmptyEntries); var responseBytes = new List<byte>(); foreach (var item in responseArr) { responseBytes.Add(byte.Parse(item, NumberStyles.HexNumber)); } var responsePaket = nRadiusPaket.Parser(responseBytes.ToArray()); var request = GetRequestPaket(); var autherRaw = new List<byte>(); autherRaw.Add(2); autherRaw.Add(0); autherRaw.AddRange(new byte[] { 00, 0x2C }); autherRaw.AddRange(request.Authenticator); foreach (var a in responsePaket.Attributes) { autherRaw.AddRange(a.Paket); } autherRaw.AddRange(Encoding.ASCII.GetBytes("1111122222")); var md5 = new MD5CryptoServiceProvider(); var authernticatorMd5 = md5.ComputeHash(autherRaw.ToArray()); Console.WriteLine("MD5:" + BitConverter.ToString(authernticatorMd5)); Console.WriteLine("TAG:" + BitConverter.ToString(responsePaket.Authenticator)); var MAuthRaw = new List<byte>(); MAuthRaw.Add(2); MAuthRaw.Add(0); MAuthRaw.AddRange(new byte[] { 00, 0x2C }); MAuthRaw.AddRange(request.Authenticator); foreach (var a in responsePaket.Attributes) { if (a.Paket[0] == 80) { MAuthRaw.AddRange(a.Paket.Take(2)); for (int i = 0; i < 16; i++) { MAuthRaw.Add(0); } } else { MAuthRaw.AddRange(a.Paket); } } var hmacMD5 = HMACMD5.Create("HMACMD5"); hmacMD5.Key = Encoding.ASCII.GetBytes("1111122222"); var hmacBytes= hmacMD5.ComputeHash(MAuthRaw.ToArray()); Console.WriteLine("HMAC-TAG:D1-B1-36-29-F5-7D-1C-65-CB-BC-DA-57-DE-49-E7-3C"); Console.WriteLine("HMAC-Cup:" + BitConverter.ToString(hmacBytes));
1.Message-Authenticator计算时
参考文档:
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes)
When the checksum is calculated the signature string should be
considered to be sixteen octets of zero.
这里的Type,应该是Response paket的 Code, Attributes,由于包括了Message-Authenticator Attribute,
在计算时间时,填充16个字节的0来计算,即 byte[]{80,18,00,00...,00}
另外HMAC-MD5(Type, Identifier, Length, Request Authenticator, Attributes)表示
HMAC-MD5(Type + Identifier + Length +Request Authenticator + Attributes)
Access-Accept packet中type= byte[]{02},Attributes 是完整包,如 Message-Authenticator Attribute =byte[]{80,18,x,x,x....x},
2.Response Authernticator 的计算,需要先完成上面的Message-Authernticator 计算
3.User-Password字段的计算与解密
/// <summary> /// /// </summary> /// <param name="pwdAttrPaket">User-Password段,包括type跟length+x...</param> /// <param name="SharedSecret"></param> /// <param name="RequestAuthenticator"></param> /// <returns></returns> public static byte[] EncodePAPPwd(String pwdStr, string SharedSecret, byte[] RequestAuthenticator) { var pwdBytes = Encoding.Default.GetBytes(pwdStr); var dataLen = pwdBytes.Length / 16; var r = pwdBytes.Length % 16; if (r != 0) { dataLen++; } var pArr=new byte[dataLen * 16]; Array.Copy(pwdBytes, pArr, pwdBytes.Length); //补0字节处理 if (r != 0) { for (int i = pwdBytes.Length; i < pArr.Length; i++) { pArr[i] = 0; } } var bi = new byte[16]; var ciArr = new byte[pArr.Length]; var shareSecretBytes = Encoding.Default.GetBytes(SharedSecret); var tmp = new byte[shareSecretBytes.Length + 16]; Array.Copy(shareSecretBytes, tmp, shareSecretBytes.Length); Array.Copy(RequestAuthenticator, 0, tmp, shareSecretBytes.Length, 16); Array.Copy(MD5.Create("MD5").ComputeHash(tmp), bi, 16); for (int i = 0; i < dataLen; i++) { for (int bIndex = 0; bIndex < 16; bIndex++) { ciArr[i * 16 + bIndex] =(byte)( bi[bIndex] ^ pArr[i * 16 + bIndex]); } Array.Copy(ciArr, i * 16, tmp, shareSecretBytes.Length, 16); Array.Copy(MD5.Create("MD5").ComputeHash(tmp), bi, 16); } return ciArr; } /// <summary> /// /// </summary> /// <param name="pwdAttrPaket">User-Password段,包括type跟length+x...</param> /// <param name="SharedSecret"></param> /// <param name="RequestAuthenticator"></param> /// <returns></returns> public static byte[] DecodePAPPwd(byte[] pwdAttrPaket, string SharedSecret, byte[] RequestAuthenticator) { var chunksCount = (pwdAttrPaket.Length - 2) / 16; var biArr = new byte[pwdAttrPaket.Length - 2]; var shareSecretBytes= Encoding.Default.GetBytes(SharedSecret); var tmp = new byte[shareSecretBytes.Length + 16]; Array.Copy(shareSecretBytes, tmp, shareSecretBytes.Length); Array.Copy(RequestAuthenticator, 0, tmp, shareSecretBytes.Length, 16); Array.Copy( MD5.Create("MD5").ComputeHash(tmp),biArr,16); for (int i = 1; i < chunksCount; i++) { Array.Copy(pwdAttrPaket, ((i - 1) * 16) + 2, tmp, shareSecretBytes.Length, 16); Array.Copy(MD5.Create("MD5").ComputeHash(tmp), 0, biArr, i * 16, 16); } for (int i = 0; i < biArr.Length; i++) { biArr[i] =(byte)( biArr[i] ^ pwdAttrPaket[2 + i]); } return biArr; }