RAS-SMS


RAS-SMS is a simple extension to Microsoft's Remote Access Service (RAS). RAS-SMS adds two factor authentication to standard VPN/PPTP clients on Windows, Mac-OS and Linux. RAS-SMS uses your mobile phone instead of smart cards, RSA keys or USB tokens.

The problem

If you want to allow users to access your organization network from the outside you can quite easily set up a VPN server. This server will provide encrypted (private) access to your internal network from the internet. Users authenticate with their user name and password as credentials. However, the more users you have, the more likely it is that some of them will somehow fail in keeping their password a secret. There may be passwords that can be easily guessed, passwords may have been written down somewhere or even be 'temporarily' given away for others to gain access to the internal network. In the end, these kinds of password disclosure can lead to severe abuse of your network or the resources attached to it.

The solution

To prevent unknown users to enter your network, you can add some extra checks in the authentication procedure. Just give your users some physical device that can not be copied and extend the authentication procedure with a check for the availability of the physical device. There are many smart card or token providers that do this. The card contains some secret key that can not be copied and only be decoded by some software on your server. These devices are generally quite expensive ($30 - $150 a piece) and most of them require paid user licenses that have to be renewed every year. In addition to the cost, you get vendor lock-in by being tied to some contract that must be renewed each year. Also there is some extra complexity that you need to manage. At least some token providers are not able to deliver a turn-key solution and need partners to custom implement the PKI. In addition to that your IT-department needs training to be able to manage the stuff. So why not use something more obvious and more easy to manage? Most of your users probably have a cell phone. Cell phones are tied to a single user and cannot be copied. Now if your authentication scheme would require your users to enter a randomly generated code and the only way to obtain the code is through a text-message on the cell-phone then you have an alternative and easy way of two-way authentication!

How RAS-SMS works

RAS-SMS is an extension (dll) for the Microsoft VPN / PPTP server also known as Remote Access Service (RAS). RAS is a standard component of the Microsoft Windows Server family. RAS can be configured to use the Microsoft Internet Access Service (IAS), also a standard light weight component, not to be confused with ISA. By default RAS uses windows authentication directly when checking credentials. When configured for IAS, the authentication is relayed to IAS. IAS can be extended with extra authentication functions. This project, RAS-SMS, is about inserting such an extra authentication function based on the idea that users should enter randomly generated codes that were sent to their personal cell-phone number. Codes are only generated if users entered their credentials correclty.

Security

How about security? Some articles on the web claim that Microsoft RAS is not secure by the nature of it's design. As far as known the claim may be true for users that use passwords that exist in password dictionaries. In such cases the encryption could be broken by special software that somehow has access to the vpn data stream (point to point tunnel). For instance somebody could be eavesdropping the network traffic on your wireless lan (normally protected against through WPA) or on the guest lan (hotel, internet cafe, library, school, university). Please always use a password that is very unlikely to appear in some password dictionary out there! Now let's assume your next-door neighbour who happens to have access to your WLAN overhears you writing down your (complex) password over the phone and would try to use that to access the RAS server secured by RAS-SMS, he would fail because he would need your cell phone to succeed. In addition to that you would be alerted something is quite wrong, because you would suddenly start receiving codes on your cell phone without having asked for them.

Sourceforge ras-sms home page