Lecture 3.1: Handling Remote Access: RADIUS Motivation

More documents

Recommendations

Info

Why length? length? (expansion ( expansion attack) attack Otherwise trivial to “extend” the message! Especially critical if secret at the beginning Example: start from MD5(k | x), k unknown secret Append y To compute MD5(k | x | y) use iterative Merkle construction! No need to know k!!! But Length (Damgard) strengthening can somewhat easily be fooled A strong reason to use different constructs (HMAC) http://csrc.nist.gov/pki/HashWorkshop/2005/Nov1_Presentations/Puniya_hashDesign.pdf Giuseppe Bianchi Giuseppe Bianchi HMAC-MD5 HMAC MD5 HMAC K (M) = H(K + XOR opad || H(K + XOR ipad || M)) K + = shared key padded to hash basic block size » When H=MD5, padding to 512 bits opad = 0x36 = 00110110 repeated as needed ipad = 0x5C = 01011100 repeated as needed Why HMAC and not just a Hash? Hash H: applies to known message; does not assume any secret key Including secret key in Hash: At 1996: many naive approaches » e.g. secret as IV, or secret in the message as Radius Response Authenticator ☺ But none was backed-up by theoretical results HMAC introduced for the following reasons: quantitatively proven robustness: as secure as its underlying hash is » see Bellare, Canetti, Krawcxykz, Keying Hash Functions for Message Authentication Practical and flexible (you may change the underying hash with more robust one) Efficient computation 14
RADIUS Security Weaknesses Recommended reading: Joshua Hill, “An analysis of the RADIUS Authentication Protocol” Giuseppe Bianchi Vulnerable to message sniffing and modification Clear-text protocol privacy issues User-Name, Calling-Station-ID, NAS identification, location attributes sent in the clear Access-Request not authenticated Attacker may intercept (e.g. MITM) an Access- Request and change its contents effortless Access requests may be forged Solution proposed Message-Authenticator attribute To be mandatorily used with EAP only, though More later on EAP Giuseppe Bianchi 15
Page 1 and 2: Giuseppe Bianchi Lecture 3.1: Handl
Page 3 and 4: RADIUS Security features Per-packet
Page 5 and 6: packet format Code: type of radius
Page 7 and 8: Native User-Password Step 1: paddin
Page 9 and 10: PPP CHAP support with RADIUS CHAP
Page 11 and 12: Properties of a good hash function
Page 13: Message digest size Must be conside
Page 17 and 18: Attack to shared secret based on Us
Page 19 and 20: poor PRNG implementations Attack to
Page 21 and 22: Giuseppe Bianchi Giuseppe Bianchi A
Page 23 and 24: Why “duplicating duplicating”
Page 25: Diameter improvements at a glance /

Lecture 3.1: Handling Remote Access: RADIUS Motivation

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?