[RADIATOR] AuthBy SQLTOTP with encrypted secrets (RcryptKey)

Schnurrenberger Tobias (ID) tobias.schnurrenberger at id.ethz.ch
Fri Sep 22 08:50:54 UTC 2023

Dear Heikki

Thanks for your answer and confirming it cannot be done inside Radiator.

I will look into proprietary DB functions, first of all PostgreSQLs pgcrypto package with functions like pgp_sym_decrypt(). Actually I prefer the decryption key to be stored on the Radiator machine rather than inside the database. If the decryption key would be stored at the same place like the encrypted secrets it would not be a security advantage.

Best regards,

> Date: Mon, 18 Sep 2023 18:00:42 +0300
> From: Heikki Vatiainen <hvn at open.com.au>
> To: radiator at lists.open.com.au
> Subject: Re: [RADIATOR] AuthBy SQLTOTP with encrypted secrets
> (RcryptKey)
> Message-ID: <6381c5c2-a2ba-4e15-9907-7001480e0a64 at open.com.au>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> On 12.9.2023 15.21, Schnurrenberger Tobias (ID) via radiator wrote:
>> Is it somehow possible to store the shared secret in the SQL database in Rcrypt encrypted format and tell radiator to decrypt it whit the given key? I could not find such configuration options in the docs.
>> Could it be done e.g. with a hook?
> Hello Tobias,
> currently this is not possible. There's no hook or other transformation 
> possibility for the shared secret.
> One option you could consider is encrypting the CB column that holds the 
> shared secret. I think it's even possible to create a view, or function, 
> that decrypts the value when Radiator selects it from the DB. This could 
> be used to hide the encryption/decryption key completely from Radiator 
> configuration because the transformation is done on the DB side.
>> We are using radiator version 4.27-1 with this config snippet:
>> AuthSelect SELECT base32_decode_to_hex(secret), active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from RADIUS_TOTP_KEYS WHERE username=?
> If base32_decode_to_hex() is already a local function you have created, 
> then adding something similar for decrypting the value during the select 
> might be worth experimenting with.
> Thanks,
> Heikki
> -- 
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software
> ------------------------------
> Subject: Digest Footer
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
> ------------------------------
> End of radiator Digest, Vol 171, Issue 9
> ****************************************

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4222 bytes
Desc: not available
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20230922/2bc34166/attachment.p7s>

More information about the radiator mailing list