Lecture 3.1: Handling Remote Access: RADIUS Motivation
Lecture 3.1: Handling Remote Access: RADIUS Motivation
Lecture 3.1: Handling Remote Access: RADIUS Motivation
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Why length? length?<br />
(expansion<br />
( expansion attack) attack<br />
Otherwise trivial to “extend” the message!<br />
Especially critical if secret at the beginning<br />
Example: start from MD5(k | x), k unknown secret<br />
Append y<br />
To compute MD5(k | x | y) use iterative Merkle construction!<br />
No need to know k!!!<br />
But Length (Damgard) strengthening can<br />
somewhat easily be fooled<br />
A strong reason to use different constructs (HMAC)<br />
http://csrc.nist.gov/pki/HashWorkshop/2005/Nov1_Presentations/Puniya_hashDesign.pdf<br />
Giuseppe Bianchi<br />
Giuseppe Bianchi<br />
HMAC-MD5<br />
HMAC MD5<br />
HMAC K (M) = H(K + XOR opad || H(K + XOR ipad || M))<br />
K + = shared key padded to hash basic block size<br />
» When H=MD5, padding to 512 bits<br />
opad = 0x36 = 00110110 repeated as needed<br />
ipad = 0x5C = 01011100 repeated as needed<br />
Why HMAC and not just a Hash?<br />
Hash H: applies to known message; does not assume any secret key<br />
Including secret key in Hash:<br />
At 1996: many naive approaches<br />
» e.g. secret as IV, or secret in the message as Radius Response Authenticator ☺<br />
But none was backed-up by theoretical results<br />
HMAC introduced for the following reasons:<br />
quantitatively proven robustness: as secure as its underlying hash is<br />
» see Bellare, Canetti, Krawcxykz, Keying Hash Functions for Message Authentication<br />
Practical and flexible (you may change the underying hash with more robust one)<br />
Efficient computation<br />
14
Change language