Lecture 3.1: Handling Remote Access: RADIUS Motivation
Message-Authenticator
Message Authenticator
Message signature
Primarily for Access-Request messages
Since they are not authenticated
Of course can be used also in Reject/Accept/Challenge packets
MUST be used when EAP used with RADIUS (RFC 2869)
May (of course) be used with other authentication methods
Usual attribute syntax
Type=80 Len=18 Authenticator (16 bytes)
Authenticator =
HMAC-MD5(whole packet) =
HMAC-MD5(type | ID | len | RequestAuth | attributes)
In computation, Authenticator = 0000.0000.0000.0000
Shared secret used as key for the HMAC-MD5 hash
Giuseppe Bianchi
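The Message-Authenticator computation above, as an added Python example that is not part of the lecture slides: it signs an Access-Request with the attribute zeroed during the HMAC-MD5 and verifies it on receipt. The helper names, the shared secret and the sample packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH_TYPE = 80  # Type=80 on the slide
MSG_AUTH_LEN = 18   # Len=18: type + len + 16-byte value


def attr(attr_type, value):
    """Encode one attribute as Type | Len | Value (hypothetical helper)."""
    return bytes([attr_type, len(value) + 2]) + value


def find_msg_auth(packet):
    """Offset of the 16-byte value of attribute 80, or -1 if absent/malformed."""
    pos = 20  # header: code(1) | id(1) | length(2) | authenticator(16)
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return -1
        if a_type == MSG_AUTH_TYPE:
            return pos + 2 if a_len == MSG_AUTH_LEN else -1
        pos += a_len
    return -1


def sign_request(code, ident, request_auth, attrs, secret):
    """Build the packet with a zeroed attribute 80, then fill in the HMAC-MD5."""
    body = attrs + attr(MSG_AUTH_TYPE, bytes(16))
    packet = struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # secret is the key
    return packet[:-16] + mac


def verify_request(packet, secret):
    """Recompute over the packet with the field zeroed; constant-time compare."""
    off = find_msg_auth(packet)
    if off < 0 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


# Constructed sample: Access-Request (code 1) carrying User-Name (type 1).
SECRET = b"constructed-shared-secret"
REQ = sign_request(1, 42, bytes(range(16)), attr(1, b"alice"), SECRET)
TAMPERED = REQ.replace(b"alice", b"admin")  # attribute changed in transit
```

A receiver that requires the attribute should treat a missing or malformed Message-Authenticator the same as a failed check, which is what `verify_request` does here.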
RespAuth attack on the shared secret
Attack on the shared secret based on the Response Authenticator
RespAuth =
MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
Secret placed at the end: very bad idea!!
Pre-computation of MD5 state for
(Code | ID | Length | RequestAuth | Attributes)
reduces the computational requirement for a successful offline exhaustive search attack