I would really suggest you seek someone with some cryptographic knowledge or
read a good book on security and cryptography BEFORE building a good radius
server application.
This is not meant to be hard on you, but really, when developing
applications for security, do it good!
It also is not specific to .NET, its used in general, everywhere.
Starting with some basics:
Secure Hash functions, such as MD5, SHA-1, SHA-256 have a single property,
they are one way. This means it is possible to easily derive h (hash code,
the output) from p (plaintext). So h = MD5(p) is simple.
For someone with only h, it should be impossible in practice to find a
(computionally unfeasable) p that satisfies h = MD5(p).
During an authentication process you don't want someone to actually read the
password, so if you are able to derive p from h, then anyone else can too.
So sending h will not provide any information about the password. Its still
vulnerable, since when I know h (which is send over the network) I can also
impersonate you. So this way should not be used.
Basically you do MD5(server_stored_p) = MD5(client_given_p).
A challenge/response authentication works much better:
I send you 'r' being a random value.
You send me h = MD5(client_given_p + r)
I compare MD5(server_stored_p + r) which must match.
Of course
I send you 'r' being a random value.
You send me h = MD5( MD5(client_given_p) + r)
I compare MD5( MD5(server_stored_p) + r) which must match.
will work too.
Please, do youself a favor and get into security!
Always remember, encryption is only a tiny subset of security.
A second problem for you would be storing the passwords plain in a database.
This is very bad security practice. At least try to store hashes.
Books on cryptography.
http://www.google.nl/search?q=cryptography+books&ie=UTF-8&hl=nl&lr=
http://www.youdzone.com/cryptobooks.html
Also try "Applied Cryptography", which gives a very mathematical approach
and is a very good book. Its freely available from the internet (use
google).
- Joris
