AXL Software®

com.theorem.radius3
Class RADIUSEncrypt

Object
  extended by RADIUSEncrypt

public final class RADIUSEncrypt
extends Object

Encrypt a password in the RADIUS style. This class creates a new authenticator or encrypts the password, which may be useful in an Access-Challenge.


Field Summary
static String encoding
          Default encoding is UTF8 for passwords.
 
Constructor Summary
RADIUSEncrypt()
           
 
Method Summary
static boolean cmp(byte[] a, byte[] b)
          Compare two byte arrays.
static byte[] decipherTunnelPassword(byte[] data, byte[] secret, byte[] authenticator)
          Decipher a Tunnel-Password attribute value; this is known as encoding type 2.
static byte[] decrypt(byte[] encBytes, byte[] secretBytes, byte[] authenticator)
          Decode a PAP password from the User-Password attribute, the secret, and the authenticator; also known as type 1 encoding.
static byte[] encipherTunnelPassword(byte[] data, byte[] secret, byte[] authenticator)
          Deprecated. Please see saltEncode(byte[] salt, byte[] data, byte[] secret, byte[] authenticator).
static byte[] encode3(byte[] data, byte[] secretBytes, byte[] authenticator)
          Ascend encoding, also known as type 3 encoding; the same operation both encodes and decodes.
static byte[] encrypt(byte[] password, byte[] secretBytes, byte[] authenticator)
          Encrypt the PAP password, also known as encoding type 1.
static byte[] genAuthenticator()
          Generate the RADIUS authenticator.
static byte[] limitSecretLength(byte[] data)
          Limit the shared secret to at most 128 bits (16 bytes).
static byte[] password(byte[] pwdBytes, byte[] secretBytes, byte[] authenticator)
          Encrypt the PAP password.
static byte[] password(String password, byte[] secretBytes, byte[] authenticator)
          Encrypt the password.
static byte[] password(String password, String secret, byte[] authenticator)
          Encrypt the password.
static byte[] password(String password, String passwordEnc, byte[] secretBytes, byte[] authenticator)
          Deprecated. Encoding for RADIUS is always UTF8.
static byte[] password(String password, String passwordEnc, String secret, String secretEnc, byte[] authenticator)
          Encrypt the password.
static byte[] saltDecode(byte[] data, byte[] secret, byte[] authenticator)
          Decode data encoded using a two byte salt value.
static byte[] saltEncode(byte[] data, byte[] secret, byte[] authenticator)
          Encode data using a random two byte salt value.
static byte[] saltEncode(byte[] salt, byte[] data, byte[] secret, byte[] authenticator)
          Encode data using a two byte salt value.
static byte[] trim(byte[] passwordBytes)
          Remove nulls from the end of the password byte array from decrypt.
 
Methods inherited from class Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

encoding

public static final String encoding
Default encoding is UTF8 for passwords.

See Also:
Constant Field Values
Constructor Detail

RADIUSEncrypt

public RADIUSEncrypt()
Method Detail

password

public static byte[] password(String password,
                              String passwordEnc,
                              String secret,
                              String secretEnc,
                              byte[] authenticator)
Encrypt the password. Used when a custom character encoding of both the password and the secret is required when converting them to byte arrays.

Parameters:
password - Password to encrypt.
passwordEnc - character encoding.
secret - NAS secret used in encryption.
secretEnc - NAS secret character encoding.
authenticator - Authenticator from packet.
Returns:
encrypted password.

password

public static byte[] password(String password,
                              String secret,
                              byte[] authenticator)
Encrypt the password. Uses standard ASCII encoding for both the password and secret when converting to byte arrays.

Parameters:
password - Password to encrypt.
secret - NAS secret used in encryption.
authenticator - Authenticator from packet.
Returns:
encrypted password.

password

public static byte[] password(String password,
                              String passwordEnc,
                              byte[] secretBytes,
                              byte[] authenticator)
Deprecated. Encoding for RADIUS is always UTF8.

Encrypt the password. Used when only the password requires a special character encoding when converting to byte arrays; the NAS secret has already been converted to bytes.

Parameters:
password - Password to encrypt.
passwordEnc - character encoding.
secretBytes - NAS secret used in encryption as a byte array.
authenticator - Authenticator from packet.
Returns:
encrypted password.

password

public static byte[] password(String password,
                              byte[] secretBytes,
                              byte[] authenticator)
Encrypt the password. Used when only the password is a string. The NAS secret has already been converted to bytes.

Parameters:
password - Password to encrypt.
secretBytes - NAS secret used in encryption as a byte array.
authenticator - Authenticator from packet.
Returns:
encrypted password.

password

public static byte[] password(byte[] pwdBytes,
                              byte[] secretBytes,
                              byte[] authenticator)
Encrypt the PAP password. This is the same as the password method, but with a different name. Used when both the password and the secret have already been converted to byte arrays.

Parameters:
pwdBytes - Password to encrypt as a byte array
secretBytes - NAS secret as a byte array.
authenticator - Authenticator from packet.
Returns:
encrypted password.

saltEncode

public static byte[] saltEncode(byte[] salt,
                                byte[] data,
                                byte[] secret,
                                byte[] authenticator)
Encode data using a two byte salt value. This is used to encode RADIUS attribute data (or any other data) using a SALT. This has been described in an RFC draft "Salt-Encryption of RADIUS Attributes" (draft-ietf-radius-saltencrypt-00.txt) and is used by Cisco®. The resulting encoded data length is the same length as the original data plus the salt bytes.

Parameters:
salt - Two byte salt value.
data - Data to encode.
secret - RADIUS shared secret.
authenticator - RADIUS authenticator.
Returns:
The encoded data.

saltEncode

public static byte[] saltEncode(byte[] data,
                                byte[] secret,
                                byte[] authenticator)
Encode data using a random two byte salt value. This is used to encode RADIUS attribute data (or any other data) using a SALT. This has been described in an RFC draft "Salt-Encryption of RADIUS Attributes" (draft-ietf-radius-saltencrypt-00.txt) and is used by Cisco®. The resulting encoded data length is the same length as the original data plus the salt bytes.

Parameters:
data - Data to encipher.
secret - RADIUS shared secret.
authenticator - RADIUS authenticator.
Returns:
The encoded data.

saltDecode

public static byte[] saltDecode(byte[] data,
                                byte[] secret,
                                byte[] authenticator)
Decode data encoded using a two byte salt value. This is used to decode RADIUS attribute data (or any other data) using a SALT.

Parameters:
data - Data to decode.
secret - RADIUS shared secret.
authenticator - RADIUS authenticator.
Returns:
The decoded data.

encipherTunnelPassword

public static byte[] encipherTunnelPassword(byte[] data,
                                            byte[] secret,
                                            byte[] authenticator)
Deprecated. Please see saltEncode(byte[] salt, byte[] data, byte[] secret, byte[] authenticator).

Encipher Tunnel-Password information; this is known as encoding type 2. This Salt encoding includes a length field and padding.

Parameters:
data - Plain text data to encode.
secret - Shared secret.
authenticator - Radius request authenticator.
Returns:
The encoded tunnel password. It will be prefixed with the two random salt bytes.
Since:
3.35

decipherTunnelPassword

public static byte[] decipherTunnelPassword(byte[] data,
                                            byte[] secret,
                                            byte[] authenticator)
Decipher a Tunnel-Password attribute value; this is known as encoding type 2.

This algorithm performs a salt encoding of data but differs from the Salt Encoding by prepending a byte count field to the data.

Parameters:
data - Encoded data.
secret - Shared secret.
authenticator - Radius request authenticator
Returns:
The decoded data.
Since:
3.35

encrypt

public static byte[] encrypt(byte[] password,
                             byte[] secretBytes,
                             byte[] authenticator)
Encrypt the PAP password, also known as encoding type 1.

Parameters:
password - Password to encrypt.
secretBytes - NAS secret.
authenticator - Authenticator from packet.
Returns:
encrypted password.

decrypt

public static byte[] decrypt(byte[] encBytes,
                             byte[] secretBytes,
                             byte[] authenticator)
Decode a PAP password from the User-Password attribute, the secret, and the authenticator; also known as type 1 encoding. An ArrayIndexOutOfBoundsException will be thrown if the encoded password is too short.

Parameters:
encBytes - Encoded bytes.
secretBytes - Bytes forming the shared secret.
authenticator - Packet authenticator.
Returns:
decoded bytes of the password.

encode3

public static byte[] encode3(byte[] data,
                             byte[] secretBytes,
                             byte[] authenticator)
Ascend encoding, also known as type 3 encoding; the same operation both encodes and decodes.

Parameters:
data - Data to encode / decode.
secretBytes - Bytes forming the shared secret.
authenticator - Packet authenticator.
Returns:
the encoded or decoded value, whichever is the opposite of the input.
Since:
Server 3.44

trim

public static byte[] trim(byte[] passwordBytes)
Remove nulls from the end of the password byte array from decrypt. Decrypt will leave trailing zeroes at the end of a password as padding. Note: this trims nulls, not spaces.

Parameters:
passwordBytes - Password bytes as returned from decrypt.
Returns:
byte array without the trailing nulls.
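
The type 1 (User-Password) and type 2 (Tunnel-Password) encodings that the password, encrypt, decrypt, trim, saltEncode/saltDecode and Tunnel-Password methods above implement, as an added Python example rather than AXL Software's Java code. It takes RFC 2865 section 5.2 and RFC 2868 section 3.5 as the definitions, names its functions after this class's methods, and uses constructed secret, authenticator and password values.

```python
import hashlib
import os
# Added example (not AXL Software's code). RFC 2865 5.2 (User-Password, "type 1")
# and RFC 2868 3.5 (Tunnel-Password, "type 2") share one MD5 chained XOR and
# differ only in the seed of the first block and in how the plaintext is framed.

def _chain(secret: bytes, seed: bytes, data: bytes, decrypt: bool) -> bytes:
    # b(1) = MD5(secret + seed); b(i) = MD5(secret + c(i-1)); c(i) = p(i) xor b(i)
    out, prev = bytearray(), seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(block, b))
        out += xored
        prev = block if decrypt else xored  # chain on the ciphertext block either way
    return bytes(out)

def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 16)

def encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Type 1: zero-pad the 1..128 byte password to a multiple of 16, seed = authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    return _chain(secret, authenticator, _pad16(password), decrypt=False)

def decrypt(enc: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Type 1 reverse; short or unaligned input is rejected instead of read past its end."""
    if len(enc) < 16 or len(enc) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 bytes")
    return _chain(secret, authenticator, enc, decrypt=True)

def trim(padded: bytes) -> bytes:
    return padded.rstrip(b"\x00")  # strips the zero padding only, not spaces

def encipher_tunnel_password(data: bytes, secret: bytes, authenticator: bytes, salt=None) -> bytes:
    """Type 2: 2 byte salt (MSB of first byte set) + chain over length byte, data, zero padding."""
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    framed = _pad16(bytes([len(data)]) + data)  # len(data) > 255 raises here
    return salt + _chain(secret, authenticator + salt, framed, decrypt=False)

def decipher_tunnel_password(enc: bytes, secret: bytes, authenticator: bytes) -> bytes:
    salt, body = enc[:2], enc[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not body or len(body) % 16:
        raise ValueError("malformed Tunnel-Password value")
    plain = _chain(secret, authenticator + salt, body, decrypt=True)
    if plain[0] > len(plain) - 1:
        raise ValueError("length byte exceeds the decrypted data")
    return plain[1:1 + plain[0]]
```

Both encodings are keystream XORs with no integrity check of their own, so a wrong secret or authenticator produces garbage for type 1 and, usually, a length-byte mismatch for type 2 rather than a clean error.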

cmp

public static boolean cmp(byte[] a,
                          byte[] b)
Compare two byte arrays.

Parameters:
a - array a
b - array b
Returns:
true if they're the same.

genAuthenticator

public static byte[] genAuthenticator()
Generate the RADIUS authenticator. "Request Authenticator field SHOULD exhibit global and temporal uniqueness." We do this partly by hiding the origin of the random number by using a relatively unknown generator that's seeded by Java's generator seeded with the time. All silliness since the Shared Secret is probably really short.

Returns:
A 16 byte pseudo-random value.

limitSecretLength

public static byte[] limitSecretLength(byte[] data)
Limit the shared secret to at most 128 bits (16 bytes). This is useful for export purposes where the shared secret length must be limited.

Parameters:
data - Input secret.
Returns:
Limited length secret.

Copyright 1998-2009 AXL Software® PO Box 97, Viola, Delaware 19979, U.S.A. All Rights Reserved.