Manual:Security: Difference between revisions

Latest revision as of 09:00, 20 August 2021

This article describes security measures in RouterOS user authentication. The article applies to RouterOS v6.45 and newer.

All passwords on the router are hashed (SHA256) and encrypted (ECC);
all RADIUS authentications (ssh,local,winbox,webfig,btest,telnet) will use MS-CHAPv2;
WinBox uses EC-SRP5 for key exchange and authentication (requires latest WinBox version), both sides verify that other side knows password (no man in the middle attack is possible);
WinBox in ROMON mode requires that agent is the latest version to be able to connect to latest version routers;
WinBox uses AES128-CBC-SHA as encryption algorithm (requires new WinBox version);
Bandwidth-test uses EC-SRP5 for authentication, older version bandwidth-test clients can connect to newer version server only in no-authentication mode;
MAC telnet uses EC-SRP5 for authentication, to connect to newer server, client needs to be upgraded;
WebFig uses ECDH for encryption key exchange;
Backup by default does not encrypt backup file, password now needs to be provided explicitly to encrypt it;

@@ Line 6: / Line 6: @@
 * WinBox in ROMON mode requires that agent is the latest version to be able to connect to latest version routers;
 * WinBox uses AES128-CBC-SHA as encryption algorithm (requires new WinBox version);
-* Bandwidht-test uses EC-SRP5 for authentication, older version bandwidth-test clients can connect to newer version server only in no-authentication mode;
+* Bandwidth-test uses EC-SRP5 for authentication, older version bandwidth-test clients can connect to newer version server only in no-authentication mode;
 * MAC telnet uses EC-SRP5 for authentication, to connect to newer server, client needs to be upgraded;
 * WebFig uses ECDH for encryption key exchange;
 * Backup by default does not encrypt backup file, password now needs to be provided explicitly to encrypt it;