The DHX (Diffie-Hellman Exchange) UAM provides a relativly secure way to transport cleartext passwords of up to 64 characters to the server for further processing.
Requirements for Running the DHX UAM 1.0
• AppleShare Client: 3.8.1 or later
Installing the DHX UAM 1.0
The UAM should be placed in a folder titled "AppleShare Folder" within the extensions folder on the current System Folder. No reboot is needed, though you must close the Chooser & Network Browser and reopen them before the new UAM will be noticed.
Using the DHX UAM 1.0
If the server you are connecting to, supports the DHX UAM, the AppleShare Client will put up a dialog allwing you to choose "Encrypted Password" as a login mechanism. Select this UAM and fill in your password and username just as you would for the standard AppleShare login dialog.
Algorithms Used
password is padded with nulls to 64 bytes
username is a pstring, padded to even byte length (odd number of chars)
ServerSig is obtained from the AFPSrvrInfo reply from the server.
first message from client to server:
| login (2 bytes) | AFP Vers | UAMName "DHCAST128" | Username (padded) | Ma (16 bytes) |
(data)K = Encrypt data using CAST 128 CBC with key = K
The Key is generated with a Diffie-Hellman key exchange as follows:
Ma - first message = g^Ra mod p (sent by the Client to the Server)
Mb - second message = g^Rb mod p (sent by the Server to the Cleint)
K - Key = Mb^Ra mod p = Ma^Rb mod p
We are using CAST 128, (the implementation from SSLeay) in CBC mode with the IV in the second message being the bytestring "CJalbert" and the IV in the third message being the bytestring "LWallace".
Known Incompatibilities and Limitations
• There seems to be a problem between Norton Antivirus and the DHX UAM. The client mac will crash with an illegal instruction when the user types into the username or password fields. Workaround is to turn off Norton Antivirus.
