Lecture 3.1: Handling Remote Access: RADIUS Motivation
Lecture 3.1: Handling Remote Access: RADIUS Motivation
Lecture 3.1: Handling Remote Access: RADIUS Motivation
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
poor PRNG implementations<br />
Attack to Customer passwords /1<br />
Passively monitor the network traffic allows to build a dictionary of Request Authenticators<br />
and the associated (protected) User-Password attributes<br />
Valid users NAS<br />
<strong>Access</strong>-Request (Request authenticator)<br />
Dictionary of ReqAuth/User-Password<br />
Repeated Request Authenticator observed<br />
XOR previous user-password with new user-password<br />
From different users<br />
Result: since ReqAuth is the same<br />
(user-password #1) XOR (user-Password #2) =<br />
= [pw_user1 XOR MD5(secret,ReqAuth)] XOR [ps_user2 XOR MD5(secret,ReqAuth)] =<br />
= pw_user1 XOR pw_user2<br />
BUT passwords from different users differ in length:<br />
last characters of longer password are put in clear!!<br />
Password sizes are known!!<br />
Now intelligent dictionary attack (guided by improper habits to select<br />
passwords with low entropy) may clear passwords<br />
Giuseppe Bianchi<br />
poor PRNG implementations<br />
Attack to Customer passwords /2<br />
ACTIVELY submit known passwords to add known passwords to the dictionary of Request<br />
Authenticators and the associated (protected) User-Password attributes<br />
Arbitrary pw NAS<br />
Giuseppe Bianchi<br />
<strong>Access</strong>-Request (Request authenticator)<br />
Dictionary of ReqAuth/User-Password<br />
If customer <strong>Access</strong>-Request uses a Request<br />
Authenticator already in the dictionary linked to a<br />
KNOWN password, customer password gets known!<br />
Since ReqAuth is the same<br />
(User-password from customer) XOR (user-Password from attacker) =<br />
= [pw_user XOR MD5(secret,ReqAuth)] XOR<br />
[known_pw XOR MD5(secret,ReqAuth)] =<br />
= pw_user XOR known_pw pw_user in clear<br />
19