mIRC Home    About    Download    Register    News    Help

Print Thread
/challenge or additional crypto identifiers #270513 18/07/22 04:28 PM
Joined: Oct 2021
Posts: 2
M
moonmoon Offline OP
Bowl of petunias
OP Offline
Bowl of petunias
M
Joined: Oct 2021
Posts: 2
I'm looking into how to make the /CHALLENGE command work in mIRC, and while it'd be neat if it was just directly supported, it's such a niche feature that I won't hold my breath. /CHALLENGE is a means of obtaining IRC operator status on a handful of networks that uses an RSA key-based challenge/response method instead of a typical /OPER password. I'll detail the exact protocol below:

  1. The client issues /CHALLENGE opername to the server
  2. The server responds with one or more lines of the 740 numeric (which contains the base64-encoded challenge text), for example :irc.example.com 740 opername :Abd84Dd0d8s14dddd98492
  3. The server sends a 741 numeric to indicate that it is done sending base64-encoded challenge text
  4. The client takes the base64-encoded challenge text from all of the 740 lines, combines them together, and then base64-decodes them to obtain the encrypted challenge
  5. The client decrypts the encrypted challenge using its RSA private key and PKCS#1 OAEP padding to obtain the decrypted challenge
  6. The client hashes the decrypted challenge using SHA-1 and base64-encodes the binary result of that hash to obtain the encodedHash
  7. The client responds to the server with /CHALLENGE +encodedHash (note the leading + character)


If an error occurs somewhere in the process, either a 464 or 491 numeric will be issued.

Supporting this command natively poses a handful of challenges regarding the generation and storage of the RSA keys, however this would be achievable in mIRC scripting if it supported the following additional identifiers (which should be a lot easier to support as they can be effectively wrappers around functions present in OpenSSL):
  • Open a potentially password-protected RSA key and store it for later use--this could read directly from the file the key is stored in, or it could be passed a string that was obtained via successive calls to $read()
  • RSA decryption
  • PKCS#1 OAEP padding removal
  • base64 encoding/decoding

Re: /challenge or additional crypto identifiers [Re: moonmoon] #270514 18/07/22 04:55 PM
Joined: Jan 2004
Posts: 1,799
maroon Offline
Hoopy frood
Offline
Hoopy frood
Joined: Jan 2004
Posts: 1,799
Do you have an example of a network where this is used?
Also, I'm curious what advantage this would have over simply using the fact that you've logged into their server via SASL External. Instead of doing a challenge, the server could instead give oper to a login that has been verified by the SASL handshake as being in possession of the the private key matching the certificate that's recognized as being the oper.

Re: /challenge or additional crypto identifiers [Re: maroon] #270515 18/07/22 05:06 PM
Joined: Oct 2021
Posts: 2
M
moonmoon Offline OP
Bowl of petunias
OP Offline
Bowl of petunias
M
Joined: Oct 2021
Posts: 2
Used on Libera. SASL EXTERNAL is for logging onto a NickServ account, /challenge is for becoming an oper -- two completely separate things. While what you describe could potentially happen, nothing like that currently exists in server-side code and I highly doubt there would be much of an appetite between the rest of the staff to completely change how we oper up.

Re: /challenge or additional crypto identifiers [Re: maroon] #270516 18/07/22 05:19 PM
Joined: Feb 2011
Posts: 411
K
KindOne Offline
Pan-dimensional mouse
Offline
Pan-dimensional mouse
K
Joined: Feb 2011
Posts: 411


irc.swiftirc.net #msl (mIRC Scripting Language)
Re: /challenge or additional crypto identifiers [Re: moonmoon] #270541 21/07/22 10:26 AM
Joined: Jan 2004
Posts: 1,799
maroon Offline
Hoopy frood
Offline
Hoopy frood
Joined: Jan 2004
Posts: 1,799
When I asked my question, it was with the intent of testing this, but now I realize without seeing a packet challenge and the private key that's supposed to respond to it, that I can't test this, and can't do that without being oper whereever