strongSwan

Hi,

If IKEv2 is an option, you should consider implementing this authentication method using EAP. It is rather simple to add new EAP methods. As client you'd acquire that fingerprint pattern object and send it over EAP, the server then can verify the pattern. When using EAP, the exchange is protected by certificate authentication for the server. This is important, as otherwise an attacker could intercept your fingerprint data as man-in-the middle and use it to authenticate against a the server.

To implement an EAP method you can add your own plugin. Have a look at the eap-md5 plugin for a template to start with.

Regards
Martin

Hi,

Great! Thank you very much for your fast reply. This is now much clearer.

I will look at that to see how to handle this.

Best regards,
Lionel

Hey Martin,

Just a little question, how do I test the code that I wrote ? Do I need the recompile the all projet ? or is there a way to test feature separately ?

Thanks for your reply :)

Kind regards,
Lionel

Hey,

May I ask you to tell me how do I test the plugin without re-compiling the all project?

Thanks!

Kind regards,

Hi Tobias,

Thank you for you reply, I gonna try that way (compile out of the source tree). If it doesn't work, I'm gonna compile it within the tree.

Actually, I have to develop a plugin based on eap since the communication need to be secured as this is high sensitive biometric data which will be exchanged. So, I will need the headers for libcharon also or I haved missed the plot?

Thank you for helping me :)

Kind regards,
Lionel

Hi,

Ok, I've successfully compiled my plugin outside the source tree. I've inspected the Makefile of each plugins and saw that they had ref for libstrongswan, libcharon, libhydra, which is normal. So, I linked these in my compiler and compilation went out successfully.

For the purpose of my thesis, I am gonna use the experimental field of EAP the add my authentication method, do you think that it is a good idea? I see no other opportunity as other EAP field are proprietary.

Thank you for your support.

Kind regards,
Lionel.

I am gonna use the experimental field of EAP the add my authentication method, do you think that it is a good idea? I see no other opportunity as other EAP field are proprietary.

What experimental field are you referring to? EAP type 255? I guess you could use that, but you'd have to configure that numerically (eap-255). Alternatively, you could define a vendor specific EAP method with your own vendor ID (PEN), which you may configure as eap-<type>-<vendor> (where type and vendor are numeric identifiers).

Yes, that's the EAP type 255.

Hoo, so I will have to use eap-255 has the name of my plugin. That's not very sexy...

The second method looks better, stupid question but how do I setup my own vendor ID? I see the pen_t type in pen.h header but how to deal with that? I think that they are no vendor specific EAP method for the biometric stuff, I'll to write my own.

My plugin name is currently eap_pam_fprint as biometric data will be stored in the account of the user and I am using libfprint for the biometric part.

Sorry for the dumb question but strongswan is the most biggest and interesting project I've never seen :)

Hoo, so I will have to use eap-255 has the name of my plugin. That's not very sexy...

The actual name of the plugin does not matter. But to identify the EAP method e.g. in configuration options like rightauth you'd have to use eap-255 (this obviously only allows one plugin to provide an experimental EAP method at a time).

The second method looks better, stupid question but how do I setup my own vendor ID? I see the pen_t type in pen.h header but how to deal with that?

A PEN may be requested from IANA. However, that's mainly for organizations so you should probably talk to someone at your university, they may already have one (you can also check the list of registered PENs and contact the person responsible). The department at our university that develops strongSwan, for instance, has its own PEN: 36906/0x902A. Since PENs are just 3-byte integers you don't really have to change anything in pen.h (unless you want to stringify a new PEN). I guess for testing you could just use an existing PEN (e.g. ours).

I also just noticed that you can't use the EAP_SERVER/PEER plugin features for vendor specific EAP methods, so these methods have to be registered manually at charon->eap e.g. via PLUGIN_CALLBACK.

Thanks for your reply.

I guess for testing you could just use an existing PEN (e.g. ours).

Ok, so how can I use yours for testing ? I guess there should be an eap->pen to fix it or this is at compilation level. Sorry to annoy you but this is new for me...

I also just noticed that you can't use the EAP_SERVER/PEER plugin features for vendor specific EAP methods, so these methods have to be registered manually at charon->eap e.g. via PLUGIN_CALLBACK.

like the way I did for my plugin definition :

static plugin_feature_t f[] = {
PLUGIN_CALLBACK(eap_method_register, eap_pam_fprint_create_server),
PLUGIN_PROVIDE(EAP_SERVER, EAP_EXPERIMENTAL),
PLUGIN_DEPENDS(CRYPTER, ENCR_DES_ECB, 8),
PLUGIN_CALLBACK(eap_method_register, eap_pam_fprint_create_peer),
PLUGIN_PROVIDE(EAP_PEER, EAP_EXPERIMENTAL),
PLUGIN_DEPENDS(CRYPTER, ENCR_DES_ECB, 8),
};
*features = f;
return countof(f);

I still need to registered some extra method.. This is not finished.

I guess for testing you could just use an existing PEN (e.g. ours).

Ok, so how can I use yours for testing ? I guess there should be an eap->pen to fix it or this is at compilation level. Sorry to annoy you but this is new for me...

Just use PEN_ITA as vendor ID when registering the EAP method via charon->eap. And then use eap-<your type>-36906 to configure it.

I also just noticed that you can't use the EAP_SERVER/PEER plugin features for vendor specific EAP methods, so these methods have to be registered manually at charon->eap e.g. via PLUGIN_CALLBACK.

like the way I did for my plugin definition :

Yes, this won't work for vendor specific methods because the PLUGIN_PROVIDE(EAP_SERVER|PEER, ...) macros take a single eap_type_t, not a eap_vendor_type_t (we could probably define some new EAP_SERVER|PEER_VENDOR macros for this purpose). So as mentioned, vendor specific methods have to be registered manually.

Anyway, using EAP_EXPERIMENTAL really works too if this is just a proof of concept, it will just be problematic for interoperability later.

So to summarize, if I'm using vendor specific method, I will have to go the old way :

eap_pam_fprint_plugin_t *this = malloc_thing(eap_pam_fprint_t);
this->plugin->destroy = (void(*) (plugin_t*))destroy;
charon->eap->add_method(charon->eap, EAP_VENDOR_SPECIFIC, PEN_ITA, EAP_PEER, (eap_constructor_t)eap_pam_fprint_create_peer);
return &this->plugin;

But as I'm using EAP_EXPERIMENTAL field I can go the new way :

static plugin_feature_t f[] = {
PLUGIN_CALLBACK(eap_method_register, eap_pam_fprint_create_server),
PLUGIN_PROVIDE(EAP_SERVER, EAP_EXPERIMENTAL),
PLUGIN_DEPENDS(CRYPTER, ENCR_DES_ECB, 8),
PLUGIN_CALLBACK(eap_method_register, eap_pam_fprint_create_peer),
PLUGIN_PROVIDE(EAP_PEER, EAP_EXPERIMENTAL),
PLUGIN_DEPENDS(CRYPTER, ENCR_DES_ECB, 8),
};
*features = f;
return countof(f);

Is it correct what I have written above ?

Is it correct what I have written above ?

Yes (although you could use the INIT macro to initialize the plugin).

The commit in the eap-feature-vendor branch I just pushed actually adds the possibility to register vendor specific methods via PLUGIN_PROVIDE and the new EAP_SERVER|PEER_VENDOR feature.

Thank you,

Yes my INIT macro is the same as the md5 one.

plugin_t *eap_pam_fprint_plugin_create() {
eap_pam_fprint_plugin_t *this;

INIT(this,
         .plugin = {
            .get_name = _get_name,
            .get_features = _get_features,
            .destroy = _destroy,
         },
    );
    return &this->plugin;
}

Hello this is me again.

It's been a long time but I took some holidays.

For the client side I need to interactively asked the user for login and to swipe his finger through the sensor.
So basically for the connection, user will have to type :
prompt $ ipsec eap_biometric up
login : lionel
swipe your finger now.
Swipe ok, verfiying the data...
etc.

So in the plugin side which method is invoke when calling ipsec up command ? initiate_server ? I need to know where those printf need to go.

Thank you very much.

Lionel.

So basically for the connection, user will have to type :
prompt $ ipsec eap_biometric up
login : lionel
swipe your finger now.
Swipe ok, verfiying the data...
etc.

So in the plugin side which method is invoke when calling ipsec up command ? initiate_server ? I need to know where those printf need to go.

There is no explicit callback for that. And you won't have access to the stream that interacts with the user anyway (this works via stroke socket). The interaction between the stroke command and the stroke plugin is currently strictly limited to a few password queries (source:src/stroke/stroke.c#L109). You can send log messages to the console though (e.g. to notify the user to swipe the finger).

Sorry but it doesn't really help me. Can you show me a concrete example of message dispatching, ex. "Swipe your finger now." ?

How do I need to use the ipsec stroke command ? I see the add and up option in stroke but this is not very explicit, sorry :'(

Sorry for bothering you.

Lionel.

Can you show me a concrete example of message dispatching, ex. "Swipe your finger now." ?

Any log message on level 1 will do (e.g. DBG1(DBG_CFG, "Swipe your finger now");).

How exactly does the authentication scheme work? Is there any challange response involved when the fingerprint is scanned? Or is it possible to do that before the actual authentication is started? If so, you could perhaps write your own "init" client that asks the user for the username and to swipe the finger, then passes that data to your authentication plugin via your own socket interface, and finally starts the connection by sending the appropriate command over the stroke socket (or by running ipsec up, although the username might have to be configured too). Depending on how the fingerprinting data is stored (and how the authentication works) the ipsec stroke user-creds command could also be used to pass the data to the daemon (at least to set the username if you don't want to store that).

How do I need to use the ipsec stroke command ?

What do you mean? Usually, you'd just use the ipsec command. Only if you need a command that is not wrapped by the ipsec script (e.g. user-creds) you'll need to use ipsec stroke <command>. The add command, though, won't be of any use (it's very limited - connections in ipsec.conf are sent to the stroke plugin by the starter daemon not by stroke).

Any log message on level 1 will do (e.g. DBG1;).

Thank you.

Is there any challange response involved when the fingerprint is scanned?

No there is now challenge require. This is already quite complicated I will go the simple way. I could just then simply write a C program which ask the username and to swipe the fingerprint and pass that data via my own socket interface if I'm understanding well. This init will be invoked by the ipsec command ?

What do you mean? Usually, you'd just use the ipsec command. Only if you need a command that is not wrapped by the ipsec script (e.g. user-creds) you'll need to use ipsec stroke <command>. The add command, though, won't be of any use (it's very limited - connections in ipsec.conf are sent to the stroke plugin by the starter daemon not by stroke).

Ok I understand now.

Thank you for your nice help.

This init will be invoked by the ipsec command ?

No, you'd have your users use your own program to initiate the connection instead of using ipsec up.

No, you'd have your users use your own program to initiate the connection instead of using ipsec up.

Ok, and then pass the data via my own socket interface.

Hi,

I wrote some code on my plugin and it is compiling out of the source tree without error.
Now, I would like to integrate it into to master tree of strongswan to see it in action.

By a grep I found that the plugins definition stands in the configure.ac file. So I add these both line :

ARG_ENABL_SET([eap-fprint], [enable EAP LIBFPRINT authentication module.])

ADD_PLUGIN([eap-fprint], [c charon nm cmd])

What c, nm, and cmd stand for ? I guess c is for libcharon, nm is network-manager and cmd is for ?? command-line ??

Now, I would like to integrate it into to master tree of strongswan to see it in action.

You don't have to integrate it into the tree to see it in action. Just copy the plugin (the .so file) to the right location (default is /usr/local/lib/ipsec/plugins) with the right name (libstrongswan-<pluginname>.so). Then load it in the daemon.

ADD_PLUGIN([eap-fprint], [c charon nm cmd])

What c, nm, and cmd stand for ? I guess c is for libcharon, nm is network-manager and cmd is for ?? command-line ??

ADD_PLUGIN extends the plugin lists defined above these statements (cmd is the list used by charon-cmd by default).

Wow, nice thank you !

This is indeed easier than what I was thinking about ;o)

I am going to try this.