Manual:Security: Difference between revisions

From MikroTik Wiki
Latest revision as of 07:00, 20 August 2021

This article describes security measures in RouterOS user authentication. The article applies to RouterOS v6.45 and newer.

  • All passwords on the router are hashed (SHA256) and encrypted (ECC);
  • All RADIUS authentications (ssh, local, winbox, webfig, btest, telnet) will use MS-CHAPv2;
  • WinBox uses EC-SRP5 for key exchange and authentication (requires the latest WinBox version); both sides verify that the other side knows the password, so no man-in-the-middle attack is possible;
  • WinBox in ROMON mode requires the agent to be the latest version in order to connect to latest-version routers;
  • WinBox uses AES128-CBC-SHA as the encryption algorithm (requires the new WinBox version);
  • Bandwidth-test uses EC-SRP5 for authentication; older bandwidth-test clients can connect to a newer server only in no-authentication mode;
  • MAC telnet uses EC-SRP5 for authentication; to connect to a newer server, the client needs to be upgraded;
  • WebFig uses ECDH for encryption key exchange;
  • Backup by default does not encrypt the backup file; a password now needs to be provided explicitly to encrypt it.
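The last point in practice, as an added example that is not part of the original wiki page: a RouterOS terminal session showing the default (unencrypted) backup beside the explicitly encrypted one, and the matching restore. The file name and the password placeholder are assumptions chosen for illustration.

```routeros
# Default behaviour on v6.45+: no password given, so the backup file
# is written unencrypted and any reader of the file gets the full config.
/system backup save name=router-cfg-plain

# Encrypted backup: the password must be supplied explicitly.
# encryption=aes-sha256 is the modern cipher choice; replace <strong-passphrase>
# with a real passphrase stored outside the router.
/system backup save name=router-cfg password=<strong-passphrase> encryption=aes-sha256

# Restoring an encrypted backup requires the same password; without it
# the load fails rather than silently importing a partial configuration.
/system backup load name=router-cfg password=<strong-passphrase>

# Quick check that the files exist before copying them off-box.
/file print where name~"router-cfg"
```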