RADIUS

Georgy Melamed

Eran Stiller

RADIUS 2

In This Presentation…

Why Do We Need It?

What is RADIUS?

RADIUS Operation

RADIUS Packets

Operation Examples

Attacks on RADIUS

RADIUS’ EAP Support

RADIUS 3

Why Do We Need It?

Embedded Network Devices

Multiple Users & WorkstationsSimple Network Access Servers (NAS)Central User AdministrationUser Roaming

Protection Against Sniffing / Active Attacker

RADIUS 4

What is RADIUS?

Remote Authentication Dial-In User Service

Key Features: Client / Server Model Network Security Flexible Authentication Methods Extensible Protocol

De-Facto Standard For Remote Authentication

RADIUS 5

What is RADIUS?

Application

TCP / UDP

IP

Link

Physical

RADIUS

RADIUS 6

RADIUS Operation

RADIUS Server

RADIUS Client(NAS – Network Access Server)

Dial-In User

LAN / WAN

Dial-In

RADIUS 7

RADIUS Operation

RADIUS Uses UDP. Why?Significantly Different Timing Requirements

However, retransmission capabilities are still needed

Stateless ProtocolClients and servers come and go

Simplifies Server Implementation

Keep-Alives Considered Harmful

RADIUS 8

RADIUS Operation

Operation ModesUser-Name / PasswordChallenge / Response Interoperation with PAP and CHAPProxy

RADIUS 9

RADIUS Packets1 Byte 1 Byte 2 Bytes

Code Identifier Length

Authenticator

Attributes…

4 Words

RADIUS 10

RADIUS Packets

Packet TypesAccess-RequestAccess-AcceptAccess-RejectAccess-Challenge

RADIUS 11

RADIUS Packets

The AuthenticatorRequest Authenticator

Unpredictable and unique over the lifetime of a secret

Used for user-password hidingResponse Authenticator

Calculated by an MD-5 hash:

MD5(Code + ID + Length + RequestAuth + Attributes + Secret)

RADIUS 12

Examples

User Telnet To Specified Host

User Authenticating With CHAP

User With Challenge-Response Card

RADIUS 13

Attacks On RADIUS

Weaknesses Of The Protocol

Operation ModesUser Name / Password ModeChallenge / Response Mode

RADIUS 14

Attacks On RADIUS

Response Authenticator Based Shared Secret Attack Attacker listens to requests and server responses,

and pre-compute MD5 state, which is the prefix of the response authenticator:

MD5(Code+ID+Length+ReqAuth+Attrib) Perform an exhaustive search on shared secret,

adding it to the above MD5 state each time. Many implementations receive shared secret as an

ASCII string from keyboard, and limit size to 16 bytes.

RADIUS 15

Attacks On RADIUS

User-Password Attribute Based Shared Secret Attack The attacker attempts a connection to the NAS,

and intercepts the access-request. XORs the user password attribute with the

password he used to obtain:MD5(Secret+ReqAuth)

Perform an exhaustive search on shared secret. Cannot pre-compute MD5 state. Finding the MD5 value, is useful for other attacks.

RADIUS 16

Attacks On RADIUS

User-Password Based Password Attack The attacker attempts a connection to the NAS,

intercepts the access-request and computes MD5(Secret+ReqAuth).

Performs an exhaustive / dictionary attack on password, XORing it with above MD5 and sending it each time in appropriate attribute.

Bypasses any login restriction imposed by NAS.

Possible due to no authentication on request packet.

RADIUS 17

Attacks On RADIUS

Request Authenticator Based AttacksPossible due to bad implementations:

Poor Pseudo Random Number GeneratorPredictable Request ID

RADIUS 18

Attacks On RADIUS

Request Authenticator Based Attacks Passive User-Password Compromise through

Repeated Request Authenticators Attacker builds a dictionary of ReqAuth and user-

password attribute sent by NAS. When a ReqAuth repeats itself, attacker can XOR user-

password attributes and obtain:

password1 XOR password2

Perform a dictionary attack, combined with the fact that the longer password is padded with 0’s, causing the other password’s characters XORed with it to remain unchanged.

RADIUS 19

Attacks On RADIUS

Request Authenticator Based AttacksActive User-Password Compromise

through Repeated Request AuthenticatorsAttacker builds a dictionary as before.When he predicts he can cause NAS to use a

certain ReqAuth, he tries to connect it and intercepts access-request.

Calculates “password1 XOR password2”, but this time password2 is known, thus user password is compromised.

RADIUS 20

Attacks On RADIUS

Request Authenticator Based Attacks Replay of Server Responses through Repeated

Request Authenticators The attacker builds a dictionary with ReqAuth, ID and

entire server response. Most server responses will be access-accept. The attacker will attempt a connection to NAS, predicting

the ReqAuth and ID, intercept the access-request, and inject the NAS with the packet from the dictionary which is an access-accept, and has same ReqAuth and ID.

RADIUS 21

Attacks On RADIUS

Request Authenticator Based AttacksDoS Arising from the Prediction of the

Request AuthenticatorMuch like previous attack.This time, attacker connects to NAS many

times, and building same dictionary as before, only this time with access-rejects.

When user tries to connect, and NAS uses repeated ReqAuth, the attacker injects his access-reject, causing a denial of service.

RADIUS 22

Attacks On RADIUS

SummaryUser-Password Protection TechniqueThe Response-AuthenticatorAccess-Request PacketsRandom Number GeneratorsShared Secrets

RADIUS 23

RADIUS’ EAP Support

RADIUS-Encapsulated EAP Packets

Proprietary Protocol Between RADIUS Server and Backend Security Server

Proxied RADIUS requests

Retransmission and Fragmentation Issues

RADIUS 24

RADIUS’ EAP Support

Security ConsiderationsSeparation of EAP Server and PPP

AuthenticatorConnection HijackingMan-in-the-Middle AttackMultiple DatabasesNegotiation Attacks

RADIUS 25

Conclusion

RADIUS is a remote authentication protocol.RADIUS is a de-facto standard for remote authentication.RADIUS has several weaknesses.RADIUS is an extensible protocol, and can support many authentication methods (e.g. EAP).

RADIUS 26

What Next?

Diameter"Diameter clients, such as Network Access

Servers (NASes) and Foreign Agents MUST support IP Security, and MAY support TLS. Diameter servers MUST support TLS, but the administrator MAY opt to configure IPSec instead of using TLS. Operating the Diameter protocol without any security mechanism is not recommended."

RADIUS 27

Questions

?