11-01/TBD
Outline
Attribute Hiding
• User-Password (RFC 2865)
– Utilized for PPP PAP authentication (now deprecated)
• PAP now most frequently used with token card authentication
– Also utilized for HTTP Basic authentication
– Cleartext authentication not supported within EAP, so User-Password attributes are never sent in IEEE 802.1X authentication over RADIUS
– Key stream generated from RADIUS shared secret and 128-bit request authenticator
• B1 = MD5(Secret + RA)
• Bi = MD5(Secret + C(i-1)), where C(i-1) is the previous ciphertext block
– Ciphertext based on XOR’ing keystream with the cleartext password
• Ci = Pi XOR Bi
• Pi = ith 128-bit block of the password
• Tunnel-Password (RFC 2868)
– Similar to User-Password hiding scheme
• B1 = MD5(Secret + RA + Salt), Salt=16-bit unsigned integer
• Salt unique within each Access-Accept, left-most bit must be set
– MS-MPPE-Send-Key, MS-MPPE-Recv-Key
• MAY be used to transmit EAP keys
• Uses mechanism similar to Tunnel-Password scheme
– B1 = MD5(Secret + RA + Salt), Salt=16-bit unsigned integer
– Salt unique within each Access-Accept, left-most bit must be set
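The two hiding schemes above, written out as an added example (not code from the presentation or from any RADIUS implementation). Function names are assumptions chosen for illustration; the Tunnel-Password plaintext layout (length octet, password, zero padding) follows RFC 2868, and the Tag octet is left out.

```python
import hashlib
import os

BLOCK = 16  # MD5 output size; both schemes work on 128-bit blocks

def md5_chain(secret: bytes, seed: bytes, data: bytes, decrypt: bool) -> bytes:
    """XOR data with B1 = MD5(secret + seed), Bi = MD5(secret + C(i-1))."""
    out, prev = b"", seed
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, keystream))
        prev = block if decrypt else xored  # always chain on the ciphertext
        out += xored
    return out

def pad(data: bytes) -> bytes:
    """Zero-pad to a multiple of 16 octets."""
    return data + b"\x00" * (-len(data) % BLOCK)

def hide_user_password(secret: bytes, ra: bytes, password: bytes) -> bytes:
    """RFC 2865 User-Password: seed is the 128-bit Request Authenticator."""
    if len(ra) != BLOCK or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-octet RA and a 1..128 octet password")
    return md5_chain(secret, ra, pad(password), decrypt=False)

def reveal_user_password(secret: bytes, ra: bytes, hidden: bytes) -> bytes:
    return md5_chain(secret, ra, hidden, decrypt=True).rstrip(b"\x00")

def hide_tunnel_password(secret, ra, password, salt=None) -> bytes:
    """RFC 2868 Tunnel-Password: seed is RA + Salt; returns Salt + ciphertext.
    Plaintext is a length octet, the password, then zero padding."""
    if salt is None:  # random 16-bit salt with the left-most bit forced on
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])
    if len(salt) != 2 or not salt[0] & 0x80 or len(password) > 255:
        raise ValueError("need a 2-octet salt with the left-most bit set "
                         "and a password of at most 255 octets")
    plain = pad(bytes([len(password)]) + password)
    return salt + md5_chain(secret, ra + salt, plain, decrypt=False)

def reveal_tunnel_password(secret: bytes, ra: bytes, value: bytes) -> bytes:
    salt, hidden = value[:2], value[2:]
    plain = md5_chain(secret, ra + salt, hidden, decrypt=True)
    return plain[1:1 + plain[0]]
```

The first keystream block depends only on the shared secret and the Request Authenticator (plus the Salt for Tunnel-Password), so a repeated Request Authenticator repeats the keystream. A sender placing several hidden attributes in one Access-Accept still has to check that their salts differ.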
RADIUS Vulnerabilities
• Details available at: http://www.untruth.org/~josh/security/radius
• Offline dictionary attack on RADIUS Shared Secret via RFC 2865 Response Authenticator or RFC 2866 Request or Response Authenticators
– Many implementations only allow shared secrets that are ASCII characters and fewer than 16 characters; the resulting RADIUS shared secrets are low entropy!
– Attacker can capture Access-Request/Response or Accounting-Request or Accounting-Response for an offline dictionary attack
– MD5 state can be pre-computed so dictionary attack is efficient
• Offline dictionary attack on RADIUS Shared Secret via EAP-Message attribute
– Attacker can attempt offline attack on any packet with an EAP-Message attribute
– HMAC-MD5 usage in EAP-Message attribute makes the attack more expensive, so Response Authenticator is weakest link.
• Real-time decryption of hidden attributes
– An attacker authenticating via PAP can, by collecting RADIUS Access-Request packets, determine the keystream used to protect the User-Password attribute
– Enables the attacker to collect Request Authenticators/IDs and corresponding key streams
– For each captured keystream, attacker can generate new keystreams for each Salt Value
– As table of RA/ID/Salt values increases, real-time decryption of User-Password, Tunnel-Password, MPPE-Key attributes becomes possible
– Note: Where PAP is not used (such as in EAP authentication), attack against User-Password not possible
• Known plaintext attack against Tunnel-Password
– An attacker cracking a User-Password can send a forged Access-Request and receive back an Access-Response containing a tunnel password attribute and salt
– Since MD5(Secret+RA) is known, as is Salt, it is possible to immediately calculate MD5(Secret+RA+Salt)
– Tunnel-Password is immediately compromised!
Summary – Vulnerabilities
PPP PPP PPP/802 PPP/802
Attack PAP CHAP EAP-MD5 EAP-TLS/SRP
Offline dictionary attack on RADIUS shared secret X X X X
Real-time decryption of hidden attributes ?
Offline dictionary attack on CHAP Response X X
Online attack against password X X
Forged Access-Request packets X X
Replay of Access-Accept/Reject packets ? ? ? ?
Suggested Fixes
• Don’t allow PAP
– EAP authentication already requires this (no PAP support)
• Use credible generator for Request Authenticator (see RFC 1750)
• Use RADIUS over IPsec ESP with a non-null transform (RFC 3162)
• Inclusion of Message-Authenticator attribute in all packets
– RFC 2869 already requires this for EAP authentication
• Use a high-entropy RADIUS shared secret
– Don’t limit shared secret to 16 characters
– Utilize a randomly generated shared secret
• Use of a different shared secret for each RADIUS client-server pair
Feedback?