NovellS Challenge Response System


This information was gathered from several places including Novell's web site in regards to NSPM.

Password Self Service and challenge/response#

To understand how Novell's challenge-response works, we need to understand how NMAS functions, because the Password Self-Service uses the Universal Password and the NMAS challenge-response method.

All NMAS methods consist of a Login Server Module (LSM) that runs on the server where eDirectory is located, and a Login Client Module (LCM) that can be run from a number of different locations. LCM's communicate with eDirectory via its corresponding LSM. The challenge-response LCM is written in Java so that it can be accessed by a servlet or a portlet. The challenge-response LSM accesses eDirectory and determines which set of challenges a user will have to answer. Then it determines whether the user will be authenticated to the network, based on the answers given. When you installed OES, the NMAS Challenge/Response method was also installed.

From LDAP#

NovellS Challenge Response System is implemented a SASL Mechanisms and is therefore defined within the rootDSE as a supportedSASLMechanisms of "NMAS_LOGIN". So essentially, all LDAP requests within the NovellS Challenge Response System are handled by NMAS

Password Policy (nspmPasswordPolicy)#

Novell's password self-service is implemented by defining a Novell password policy and associating the policy to a challenge set. So in our example, we have created a password policy, cn=generalusers,cn=Password%20Policies,cn=Security. This policy entry, and instance of "nspmPasswordPolicy", is linked to the nsimChallengeSet by an attribute "nsimForgottenAction"

Where are the Challenges and Responses Stored?#

That depends.

The questions are stored within the nsimChallengeSet entry that is associated to the nspmPasswordPolicy that is assigned to the user entry.

If the user has answered his challenges, then it is also defined on the user entry. This we assume is done as the questions could be changed within the nsimChallengeSet and then the user would not be able to use the NovellS Challenge Response System.

We believe, in the encrypted attribute sASLoginSecretKey. In addition the challenges are stored on the user entry within the SASLoginSecret along with the encrypted responses.

When a user answers their challenge-response questions the questions are determined from the nsimChallengeSet that is assigned to the nspmPasswordPolicy that is assigned to the user. The responses are stored in the NMAS Authentication Store on the user entry in the directory. More details are shown under nsimChallengeSet.

NMAS provides client management APIs to read and write from the configuration store, but they only write to the secret store. Only LSM's can read from the secret store. Also everything that is stored to these stores has an associated tag name. When storing the challenges and responses the challenges are stored in the configuration store as an XML string. The challenges XML string has the following format:

<Challenges RandomQuestions="2" GUID="123456">
 <Challenge Define="Admin" Type="Required" MinLength="2" MaxLength="20">
What is your ssn?
 <Challenge Define="User" Type="Required" MinLength="2" MaxLength="20">
My favorite cereal?
 <Challenge Define="Admin" Type="Random" MinLength="2" MaxLength="20">
What is your cost code number?
The responses are stored in the secret store as individual strings with the challenge text as the tag name.

Because the challenge and responses are stored in two different areas, and we can only write to the secret store, managing the challenges and responses and ensuring that we don't have orphaned responses becomes an important issue.

Fortunately, you can delete data from the secret store - so whenever a user modifies or removes a challenge it is necessary to remove the response and add it again. Because the challenges are added as a single string, it might be a good idea to simply remove all responses and add them again.

In Java there is an NMASChallengeResponseMgr class in the NMASToolKit.jar that simplifies this process by calling the appropriate functions to read and write to the config and secret stores. This class is used by the mapping application that I will have you download later.

There are some Methods to Set NSPM Challenge-Responses that we have located.

What Attributes Are used for#

Challenge Response Data, Simple Password, and possibly 3rd party NMAS data are in the following: (These are at least partially encrypted)

Security of NSPM System#

This was from smart authoritative people posted in Novell's public Forums from a Novell Employee:
<quote> User enrollment information for the challenge response is stored in both the SAS:Login Secret and the SAS:Login Configuration attributes.

The data that is stored in these attributes are encrypted using 3DES or DES depending upon the strength of the tree key (also known as the SDI key).

The keys that are used to encrypt the data stored in the SAS:Login Secret and the SAS:Login Configuration attributes is wrapped (encrypted) using the tree key and stored in the SAS:Login Secret Key and the SAS:Login Configuration Key attributes respectively. </quote>

More Information#

There might be more information for this subject on one of the following: