[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

A bit of background on [RFC3580] Section 5.3

To: radiusext@ops.ietf.org
Subject: A bit of background on [RFC3580] Section 5.3
From: Bernard Aboba <aboba@internaut.com>
Date: Sat, 10 Sep 2005 22:17:02 -0700 (PDT)
In-reply-to: <Pine.LNX.4.61.0509080006590.28952@internaut.com>
References: <Pine.LNX.4.61.0509080006590.28952@internaut.com>

A bit about the intent of the cited sentence in [RFC3580] 
Section 5.3. 

Section 5.3 relates to known plaintext attacks against PAP, 
where the attacker attempts to authenticate to a NAS and 
then collects the User-Password attribute sent by the RADIUS client, 
in order to derive the keystream used for attribute hiding. 
This attack is easy to mount because RFC 2865 does not require
that the RADIUS Access-Request be integrity protected.  

Since the User-Password keystream is a function of the Shared 
Secret and the Request Authenticator, a user's password should
be considered compromised if the Request Authenticator 
(User-Password) repeats on any NAS utilizing a given RADIUS 
shared secret. 

In order to prevent this attack, RFC 2865 requires the 
Request Authenticator to be globally and temporally unique,
but not all NASes satisfy this requirement.  For example,
a NAS can attempt to satisfy the global uniqueness property
by utilizing the IP address in the high order bits of the
RA and then utilizing a pseudo-random number in the low
order bits.  However, not all NAS devices have sufficient
entropy to produce high quality pseudo-random numbers. 

If in addition, the same RADIUS shared secret is used on
for more than one NAS, the chance of compromise increases
significantly. 
 
Once an attacker has compromised user passwords, they can
gain access to all media which utilize those credentials,
enabling known plaintext attacks on other hidden attributes
such as Tunnel-Password and MPPE-Keys. 

These other hidden attributes cannot be attacked by an
unauthenticated attacker because these attributes are only
sent in an Access-Accept, which implies a successful
authentication.  So the attacker must first obtain
access to compromised passwords before trying this more
difficult attack. 

However, once this attacks collects sufficient keystream
material, if the RA + salt ever repeats on a NAS utilizing
a given shared secret, then the EAP MSK or Tunnel-Password
is compromised. 

As a result, Section 5.3 is attempting to discourage the 
use of PAP and the potential cascading vulnerablities that
can result. 

If PAP cannot be deprecated entirely, then it is best if its 
use is isolated to accounts that have limited access rights.  
Also, EAP made a conscious decision not to support PAP, 
so re-introduction of PAP support into EAP is undesirable. 

If these principles are followed, it possible to limit the 
use of PAP without forcing a RADIUS proxy to utilize a 
different IP address for PAP and EAP authentication.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: A bit of background on [RFC3580] Section 5.3
  - From: Emile van Bergen <openradius-radextwg@e-advies.nl>
- Re: A bit of background on [RFC3580] Section 5.3
  - From: "Alan DeKok" <aland@ox.org>

References:
- REMINDER: Call for review of RFC 2618bis-2621bis
  - From: Bernard Aboba <aboba@internaut.com>

Prev by Date: RE: REMINDER: Call for review of RFC 2618bis-2621bis
Next by Date: RADIUS Digest Authentication: FINAL REVIEW COMPLETED
Previous by thread: REMINDER: Call for review of RFC 2618bis-2621bis
Next by thread: Re: A bit of background on [RFC3580] Section 5.3
Index(es):
- Date
- Thread