The DHX (Diffie-Hellman Exchange) UAM provides a relativly secure way to transport cleartext passwords of up to 64 characters to the server for further processing.
Requirements for Running the DHX UAM 1.0
• AppleShare Client: 3.8.1 or later
Installing the DHX UAM 1.0
The UAM should be placed in a folder titled "AppleShare Folder" within the Extensions folder in the current System Folder. No reboot is needed, though you must close the Chooser & Network Browser and re-open them before the new UAM will be noticed.
Using the DHX UAM 1.0
If the server you are connecting to supports the DHX UAM, the AppleShare Client will display a dialogue allowing you to choose "Encrypted Password" as a login mechanism. Select this UAM and fill in your password and username just as you would for the standard AppleShare login dialogue.
Algorithms Used
password is padded with nulls to 64 bytes
username is a pstring, padded to even byte length (odd number of chars)
ServerSig is obtained from the AFPSrvrInfo reply from the server.
first message from client to server:
| login (2 bytes) | AFP Vers | UAMName "DHCAST128" | Username (padded) | Ma (16 bytes) |
(data)K = Encrypt data using CAST 128 CBC with key = K
The Key is generated with a Diffie-Hellman key exchange as follows:
Ma - first message = g^Ra mod p (sent by the Client to the Server)
Mb - second message = g^Rb mod p (sent by the Server to the Cleint)
K - Key = Mb^Ra mod p = Ma^Rb mod p
We are using CAST 128, (the implementation from SSLeay) in CBC mode with the IV in the second message being the bytestring "CJalbert" and the IV in the third message being the bytestring "LWallace".
Known Incompatibilities and Limitations
• There seems to be a problem between Norton Antivirus and the DHX UAM. The client Macintosh will crash with an illegal instruction when the user types into the username or password fields. The workaround is to turn off Norton Antivirus.
