mpangrazzi / pepper

Tiny JS client library for CoovaChilli JSON Interface
MIT License

Question - How do I provide an uamsecret ??? #7

Closed greemlin closed 8 years ago

greemlin commented 8 years ago

I need to log on to chilli. I have built pepper.js and I am trying to use the library to log on from an Angular app. Following the instructions I instantiated the Pepper object, passed host and port and called logon... the callback function doesn't return the data object. I should also mention that the chilli is using a uamsecret. How do I provide it?

mpangrazzi commented 8 years ago

Hi!

You don't have to provide any uamsecret option to Pepper. uamsecret is a configuration option of CoovaChilli only.

However, I remember that CoovaChilli's JSON interface doesn't work if the uamsecret option is enabled and configured. And, if the CoovaChilli JSON interface doesn't work, Pepper doesn't work either.

Try to disable uamsecret, then try to logon with Pepper. If it works, you could open an issue to CoovaChilli reporting that problem. I will support you in that case.

greemlin commented 8 years ago

Thank you Michele for your answer and all your efforts that make our work much easier! I will open an issue as you suggested.

Spomky commented 8 years ago

Hi,

The UAMSecret is used to hash the challenge before password computation. Here is a little script that uses this value. The UAMSecret must be the same as the one set in the coova chilli configuration:

<?php
$uam_secret = "J3ZYzRpqBC";

function encode_password($plain, $challenge, $secret) {
    // The challenge is a hex string: it must be non-empty and of even length.
    if ((strlen($challenge) % 2) != 0 ||
        strlen($challenge) == 0)
        return FALSE;

    $hexchall = hex2bin($challenge);
    if ($hexchall === FALSE)
        return FALSE;

    // This is the most important part of the script.
    // If the UAMSecret is set, the challenge is hashed together with the
    // UAMSecret and the raw 16-byte MD5 digest is used as the XOR key for
    // the password; otherwise the raw challenge bytes are the key.
    if (strlen($secret) > 0) {
        $crypt_secret = md5($hexchall . $secret, TRUE);
        $len_secret = 16;
    } else {
        $crypt_secret = $hexchall;
        $len_secret = strlen($hexchall);
    }

    /* simulate C style \0 terminated string */
    $plain .= "\x00";
    $crypted = '';
    for ($i = 0; $i < strlen($plain); $i++)
        $crypted .= $plain[$i] ^ $crypt_secret[$i % $len_secret];

    // Optional random trailing padding (disabled here).
    $extra_bytes = 0; // rand(0, 16);
    for ($i = 0; $i < $extra_bytes; $i++)
        $crypted .= chr(rand(0, 255));

    return bin2hex($crypted);
}

It will be great if this project could use this feature.

mpangrazzi commented 8 years ago

Hi Spomky,

uamsecret is described as "shared secret between uamserver and chilli". A typical use case is the following:

Client -> HTTP(S) POST -> PHP script (which uses your code and knows uamsecret) -> CoovaChilli (which of course knows uamsecret)

And we know that it works great. If you are using Pepper, the authentication flow is (almost) totally on client side:

Client with Pepper (JSONP call) <-> CoovaChilli (JSON interface)

uamsecret is supposed to be used on server side. If we put it on client side, we are potentially creating a security issue.

Can I ask you what exactly are your needs?

Spomky commented 8 years ago

You are right, at the moment I use the UAM Secret within my PHP script to increase the obfuscation of the password. If that shared secret is exposed on the client side, then it becomes useless. So it is not relevant to implement such a feature in a JS library. An HTTPS connection and CHAP should be enough to prevent leaking the username/password.

mpangrazzi commented 8 years ago

Yes, exactly :)