Re: Summary: RADIUS Attribute Hiding
On Sat, Jan 01, 2005 at 10:40:54AM -0800, Bernard Aboba wrote:
>
> RFC 2548, Section 2.4.2: MS-MPPE-Send-Key
>
> Call the shared secret S, the pseudo-random 128-bit Request
> Authenticator (from the corresponding Access-Request packet) R,
> and the contents of the Salt field A. Break P into 16 octet
> chunks p(1), p(2)...p(i), where i = len(P)/16. Call the
> ciphertext blocks c(1), c(2)...c(i) and the final ciphertext C.
> Intermediate values b(1), b(2)...c(i) are required. Encryption
> is performed in the following manner ('+' indicates
> concatenation):
>
> b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)    C = c(1)
> b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)    C = C + c(2)
>           .                        .
>           .                        .
>           .                        .
> b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)    C = C + c(i)
>
> The resulting encrypted String field will contain
> c(1)+c(2)+...+c(i).
>
> On receipt, the process is reversed to yield the plaintext String.
>
>
> [BA] In the situation where a known plaintext attack has been carried out
> and the keystream b1=MD5 (S + R) has been determined, the above salt
> construction does not help much, since the MD5 calculation can be
> continued using the salt field A, which is sent in the clear. Therefore,
> an attacker can determine the first 16 octets of the Tunnel-Password,
> using the calculated keystream b1'=MD5(S + R + A).
I don't think this is correct. MD5 pads the bitstring to be hashed, so
it's not obvious (to me) how to compute MD5(S+R+A) given MD5(S+R).
Am I missing something here?
But of course I agree with the general point, which is that future RADIUS
work should use standard crypto rather than attempting amateur invention.
Regards,
Barney
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
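The RFC 2548 section 2.4.2 hiding procedure quoted above, as an added Python example that is not part of the original message or of the RFC; the shared secret, Request Authenticator, Salt and key below are constructed sample values.

```python
import hashlib


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_plaintext(key: bytes) -> bytes:
    """P = Key-Length octet + Key, zero-padded to a multiple of 16 (RFC 2548 2.4.2)."""
    p = bytes([len(key)]) + key
    return p + b"\x00" * (-len(p) % 16)


def mppe_hide(secret: bytes, request_auth: bytes, salt: bytes, p: bytes) -> bytes:
    """b(1) = MD5(S+R+A), b(n) = MD5(S+c(n-1)), c(n) = p(n) xor b(n)."""
    if len(request_auth) != 16 or len(salt) != 2 or len(p) % 16:
        raise ValueError("R must be 16 octets, Salt 2 octets, P a multiple of 16")
    cipher, prev = b"", None
    for i in range(0, len(p), 16):
        b = _md5(secret, request_auth, salt) if prev is None else _md5(secret, prev)
        prev = _xor(p[i:i + 16], b)  # the chain runs on the ciphertext block
        cipher += prev
    return cipher


def mppe_reveal(secret: bytes, request_auth: bytes, salt: bytes, c: bytes) -> bytes:
    """Reverse the process: the keystream depends only on S, R, A and earlier ciphertext."""
    if len(c) % 16:
        raise ValueError("ciphertext must be a multiple of 16 octets")
    plain, prev = b"", None
    for i in range(0, len(c), 16):
        b = _md5(secret, request_auth, salt) if prev is None else _md5(secret, prev)
        prev = c[i:i + 16]
        plain += _xor(prev, b)
    return plain


def unpack_key(p: bytes) -> bytes:
    """Strip the Key-Length octet and zero padding from a revealed String field."""
    n = p[0]
    if n > len(p) - 1:
        raise ValueError("Key-Length exceeds String field")
    return p[1:1 + n]


# Constructed sample values; not taken from any real RADIUS exchange.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))      # stands in for the random 16-octet Request Authenticator
SALT = b"\x80\x01"               # two octets with the most significant bit set
KEY = bytes(range(0x10, 0x30))   # a 32-octet MPPE key
```

Because b(1) is the same MD5(S + R + A) for every hiding under the same secret, authenticator and salt, one known plaintext block reveals it, which is the weakness the thread discusses.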
archive: <http://psg.com/lists/radiusext/>