Manual:Security: Difference between revisions

From MikroTik Wiki

Revision as of 07:09, 31 May 2019

This article describes security measures in RouterOS user authentication. The article applies to RouterOS v6.45 and newer.

  • All passwords on the router are hashed (SHA256) and encrypted (ECC);
  • all RADIUS authentications (ssh, local, winbox, webfig, btest, telnet) will use MS-CHAPv2;
  • WinBox uses EC-SRP5 for key exchange and authentication (requires the latest WinBox version); both sides verify that the other side knows the password (no man-in-the-middle attack is possible);
  • WinBox in RoMON mode requires that the agent is the latest version to be able to connect to latest-version routers;
  • WinBox uses AES128-CBC-SHA as the encryption algorithm (requires a new WinBox version);
  • Bandwidth-test uses EC-SRP5 for authentication; older bandwidth-test clients can connect to a newer-version server only in no-authentication mode;
  • MAC telnet uses EC-SRP5 for authentication; to connect to a newer server, the client needs to be upgraded;
  • WebFig uses ECDH for encryption key exchange;
  • Backup does not encrypt the backup file by default; a password now needs to be provided explicitly to encrypt it.