Lecture 3.1: Handling Remote Access: RADIUS Motivation
Attacking the password of a user<br />
FIRST STEP: as in the previous case, but with a valid user ID. The attacker submits the victim's User-ID together with an arbitrary password (< 16 bytes) and captures the <strong>Access</strong>-Request that the NAS forwards to the <strong>RADIUS</strong> server:<br />
Victim User-ID + Arbitrary Password (< 16 bytes) --> NAS --> <strong>Access</strong>-Request --> <strong>RADIUS</strong> server<br />
Giuseppe Bianchi<br />
User-Password attribute (16 bytes) = password XOR MD5(secret, RequestAuth)<br />
SECOND STEP: the attacker knows the arbitrary password it sent, so XORing it with the captured User-Password attribute recovers MD5(secret, RequestAuth); the attacker is now able to "encrypt" any user password for that Request Authenticator!! May exploit:<br />
1) lack of an upper limit on the authentication rate at the server side (limits imposed on clients are by-passed)<br />
2) <strong>RADIUS</strong> servers typically do not check for authenticator reuse<br />
Works only with passwords of 16 bytes or less (most cases)<br />
Spoofed <strong>Access</strong>-Request, with:<br />
New-password XOR MD5(secret, RequestAuth)<br />
Replay Attacks: poor PRNG implementations<br />
Security of RADIUS depends on the uniqueness and non-predictable generation of the Request Authenticator.<br />
Some implementations use poor Pseudo-Random Number Generators (PRNGs): short cycles, predictable output.<br />
Immediate exploitation: replay attack, i.e. authenticate/authorize an illegal user with no valid password.<br />
Valid users --> NAS --> server: <strong>Access</strong>-Request (Request authenticator)<br />
server --> NAS: <strong>Access</strong>-Accept (Response authenticator)<br />
Attacker collects a dictionary of ReqAuth/RespAuth pairs from the observed exchanges.<br />
Later: <strong>Access</strong>-Request (ReqAuth in dictionary)<br />
Replayed <strong>Access</strong>-Accept (corresponding RespAuth)<br />
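The following Python block is an added example, not code from the lecture or from any RADIUS implementation. It implements the RFC 2865 User-Password hiding that both slides rely on (XOR with MD5(secret || RequestAuth), chained over 16-byte blocks) and the Response Authenticator computation, and then the two server-side checks the slides say are usually missing: a per-NAS guard that rejects an Access-Request whose Request Authenticator has already been seen (point 2 of the password attack), and an audit routine that measures how quickly a NAS's authenticators repeat, which is what a short-cycle PRNG looks like from the server side (the replay slide). The shared secret, the authenticator values and the `weak_authenticators` toy generator are constructed sample values; real NASes and servers are not modelled beyond these fields.

```python
"""RFC 2865 password hiding plus server-side authenticator-reuse checks.

Added educational example; secret, authenticators and the toy PRNG are
constructed sample values, not taken from any real deployment.
"""
import hashlib
from collections import OrderedDict, defaultdict
from typing import Iterable, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR block i
    with MD5(secret + previous block); block 0 is keyed by the Request
    Authenticator. Passwords up to 16 bytes therefore leak MD5(secret +
    RequestAuth) directly when XORed with a known plaintext."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it.
    Trailing NUL padding is stripped, so passwords ending in NUL bytes
    are not round-tripped (same limitation as the RFC scheme itself)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password attribute must be 16..128 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    The value is bound to the Request Authenticator, so a NAS whose
    authenticators repeat will also see repeated, replayable responses."""
    length = 20 + len(attrs)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


class AuthenticatorReuseGuard:
    """Server-side check the slides say is typically absent: remember the
    Request Authenticators seen from each NAS and refuse a repeat. Memory is
    bounded per NAS (oldest entries evicted first)."""

    def __init__(self, max_per_nas: int = 10_000):
        self.max_per_nas = max_per_nas
        self._seen = defaultdict(OrderedDict)

    def accept(self, nas: str, request_auth: bytes) -> bool:
        """Return True for a fresh authenticator, False for a reused one."""
        seen = self._seen[nas]
        if request_auth in seen:
            return False
        seen[request_auth] = None
        if len(seen) > self.max_per_nas:
            seen.popitem(last=False)
        return True


def first_cycle(authenticators: Iterable[bytes]) -> Optional[int]:
    """Audit helper: distance between the first authenticator that repeats
    and its earlier occurrence, or None if no repeat occurs. A small value
    from a NAS is direct evidence of a short-cycle PRNG."""
    seen = {}
    for idx, ra in enumerate(authenticators):
        if ra in seen:
            return idx - seen[ra]
        seen[ra] = idx
    return None


def weak_authenticators(seed: int, count: int) -> Iterable[bytes]:
    """Constructed toy PRNG (linear congruential, modulus 8, full period 8)
    standing in for the poor generators on the slide; it repeats after 8."""
    state = seed
    for _ in range(count):
        state = (state * 5 + 3) % 8
        yield hashlib.md5(state.to_bytes(1, "big")).digest()
```

With a shared secret and one authenticator, `hide_password` and `reveal_password` round-trip a password; hiding two different passwords under the same authenticator gives ciphertexts whose XOR equals the XOR of the padded plaintexts, which is exactly why `AuthenticatorReuseGuard.accept` must return False the second time a NAS presents the same value. Feeding `first_cycle` the output of `weak_authenticators` reports the period 8, whereas a sequence of distinct values reports None.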