Lecture 3.1: Handling Remote Access: RADIUS Motivation

More documents

Recommendations

Info

Message-Authenticator Message Authenticator Message signature Primarily for Access-Request messages Since they are not authenticated Of course can be used also in Reject/Accept/Challenge packets MUST be used when EAP used with RADIUS (RFC 2869) May (of course) be used with other authentication methods Usual attribute syntax Type=80 Len=18 Authenticator (16 bytes) Authenticator = HMAC-MD5(whole packet) = HMAC-MD5(type | ID | len | RequestAuth | attributes) In computation, Authenticator = 0000.0000.0000.0000 Shared secret used as key for the HMAC-MD5 hash Giuseppe Bianchi RespAuth Attack to shared secret Attack to the shared secret based on the Response Authenticator RespAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret) Secret placed at the end: very bad idea!! Pre-computation of MD5 state for (Code | ID | Length | RequestAuth | Attributes) reduces the computational requirement for a successful offline exhaustive search attack Giuseppe Bianchi 16
Attack to shared secret based on User-Password User Password attribute XOR (password) Arbitrary User-ID Arbitrary Password (< 16 bytes) Giuseppe Bianchi NAS Access-Request User-Password attribute (16 bytes) Request Authenticator (16 bytes) MD5(secret, RequestAuth) RADIUS server Attack to the shared secret based on the User-Password attribute Exhaustive search attack But pre-computation of MD5 state not possible here, as secret is first Offline dictionary attacks Their “effectiveness” depends on chosen secret (Often ignored) advice from RFC 2865: “The secret (password shared between the client and the RADIUS server) SHOULD be at least as large and unguessable as a well-chosen password. It is preferred that the secret be at least 16 octets. This is to ensure a sufficiently large range for the secret to provide protection against exhaustive search attacks. The secret MUST NOT be empty (length 0) since this would allow packets to be trivially forged.” Many implementations only allow shared-secrets that are ASCII characters, and less than 16 characters; resulting RADIUS shared secrets are low entropy! Giuseppe Bianchi 17
Page 1 and 2: Giuseppe Bianchi Lecture 3.1: Handl
Page 3 and 4: RADIUS Security features Per-packet
Page 5 and 6: packet format Code: type of radius
Page 7 and 8: Native User-Password Step 1: paddin
Page 9 and 10: PPP CHAP support with RADIUS CHAP
Page 11 and 12: Properties of a good hash function
Page 13 and 14: Message digest size Must be conside
Page 15: RADIUS Security Weaknesses Recommen
Page 19 and 20: poor PRNG implementations Attack to
Page 21 and 22: Giuseppe Bianchi Giuseppe Bianchi A
Page 23 and 24: Why “duplicating duplicating”
Page 25: Diameter improvements at a glance /

Lecture 3.1: Handling Remote Access: RADIUS Motivation

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?