Doc.: IEEE 802.11-01/TBD Submission November 2001 Warren Barkley, Tim Moore, Bernard Aboba/Microsoft IEEE 802.1X and RADIUS Security Bernard Aboba Ashwin.

Presentation transcript:

doc.: IEEE /TBD Submission November 2001 Warren Barkley, Tim Moore, Bernard Aboba/Microsoft IEEE 802.1X and RADIUS Security Bernard Aboba Ashwin Palekar Microsoft

Outline
• Introduction to RADIUS security
• RADIUS security vulnerabilities
• Vulnerabilities of RADIUS and IEEE 802.1X
• Suggested Fixes

RADIUS Security Features
• RADIUS application layer security
  – Trust established between RADIUS clients and servers via shared secret
  – Support for per-packet integrity and authentication
    • Request and Response Authenticator fields
    • Message-Authenticator attribute
  – Support for hiding of specific attributes
    • Standardized attributes: User-Password, Tunnel-Password
    • Microsoft Vendor Specific Attributes (VSAs)
  – No general support for confidentiality
  – No support for replay protection
    • 128-bit Authentication Request Authenticator field is pseudo-random and unpredictable
      – Not a counter, RADIUS servers typically do not check for reuse
• RADIUS over IPsec
  – Support for per-packet integrity, authentication, confidentiality and replay protection for both authentication and accounting packets
  – Usage described in RFC 3162

Per-Packet Authentication & Integrity
• Authentication packets without EAP-Message attribute (RFC 2865)
  – No per-packet authentication for Access-Request packets
    • Access-Request packet contains a 128-bit pseudo-random Request Authenticator (RA)
    • In Access-Request packets, RA is really a nonce, not an Authenticator
    • RA nonce used in hiding of user passwords sent within Access-Requests
    • Result: Access-Request packets are not authenticated
  – Per-packet authentication for Access-Challenge, Access-Reject, Access-Accept packets
    • 128-bit Response Authenticator = MD5(Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret)
    • Note: NAS-IP-Address or NAS-Identifier attributes MUST NOT be included in this calculation, since they cannot be included in Access-Challenge, Access-Reject and Access-Accept packets

Per Packet Integrity & Authentication (cont’d)
• Authentication packets with EAP-Message attribute (RFC 2869)
  – Per-packet authentication for all packets
    • RFC 2869 requires inclusion of the Message-Authenticator attribute within packets containing EAP-Message attributes (Access-Request, Access-Accept, Access-Reject, Access-Challenge)
    • Message-Authenticator attribute provides per-packet authentication
    • For Access-Request, Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)
    • For Access-Accept, Access-Reject, Access-Challenge, Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)
• Accounting packets (RFC 2866)
  – Per-packet authentication for Accounting-Request, Accounting-Response packets
    • Accounting-Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Request Attributes + Shared Secret)
      – NAS-IP-Address or NAS-Identifier attributes MAY be included in this calculation, 0-1 of these attributes MAY be included in the Accounting-Request (but not the Accounting-Response).
    • Accounting-Response Authenticator = MD5(Accounting-Response Code, Identifier, Length, Accounting-Request Authenticator, Response attributes, Shared Secret)
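The two integrity mechanisms on these slides, as an added Python example that is not part of the original presentation. The shared secret, Request Authenticator and EAP payload are constructed sample values; the zeroing of the Message-Authenticator value during the HMAC and the use of the shared secret as the HMAC key follow RFC 2869 and are not spelled out on the slide.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
SECRET = b"constructed-example-secret"      # constructed, not from the slides
RA = bytes(range(16))                        # constructed Request Authenticator
EAP = bytes([2, 1, 0, 10, 1]) + b"alice"     # constructed EAP-Response/Identity

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-octet Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    return hashlib.md5(packet(code, ident, request_auth, attrs) + secret).digest()

def add_message_authenticator(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator: HMAC-MD5 keyed with the shared secret,
    computed over the packet with the attribute's value set to 16 zero octets."""
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, packet(code, ident, request_auth, zeroed), hashlib.md5).digest()
    return attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(raw, request_auth, secret):
    """True only if a Message-Authenticator is present and correct.
    request_auth is the Request Authenticator of the matching Access-Request."""
    attrs, pos, found = bytearray(raw[20:]), 0, None
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return False                     # malformed attribute list
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            found = bytes(attrs[pos + 2:pos + 18])
            attrs[pos + 2:pos + 18] = bytes(16)
        pos += a_len
    if found is None:
        return False                         # nothing authenticates this packet
    expected = hmac.new(secret, raw[:4] + request_auth + bytes(attrs), hashlib.md5).digest()
    return hmac.compare_digest(found, expected)

def demo():
    attrs = add_message_authenticator(ACCESS_REQUEST, 7, RA, attr(EAP_MESSAGE, EAP), SECRET)
    request = packet(ACCESS_REQUEST, 7, RA, attrs)
    tampered = request.replace(b"alice", b"mallo")            # identity altered in transit
    bare = packet(ACCESS_REQUEST, 7, RA, attr(1, b"alice"))   # User-Name only, RFC 2865 style
    return tuple(verify_message_authenticator(p, RA, SECRET) for p in (request, tampered, bare))
```

`demo()` returns the verification result for a valid EAP Access-Request, a modified copy, and a plain RFC 2865 Access-Request that carries no Message-Authenticator and so gives the server nothing to check.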

Attribute Hiding
• User-Password (RFC 2865)
  – Utilized for PPP PAP authentication (now deprecated)
    • PAP now most frequently used with token card authentication
  – Also utilized for HTTP Basic authentication
  – Cleartext authentication not supported within EAP, so User-Password attributes are never sent in IEEE 802.1X authentication over RADIUS
  – Key stream generated from RADIUS shared secret and 128-bit request authenticator
    • B1 = MD5(Secret + RA)
    • Bi = MD5(S + c(i-1))
  – Ciphertext based on XOR’ing keystream with the cleartext password
    • Ci = Pi XOR Bi
    • Pi = ith 128-bit block of the password
• Tunnel-Password (RFC 2868)
  – Similar to User-Password hiding scheme
    • B1 = MD5(Secret + RA + Salt), Salt=16-bit unsigned integer
    • Salt unique within each Access-Accept, left-most bit must be set

Attribute Hiding (cont’d)
• Microsoft VSAs (RFC 2548)
  – MS-CHAP-MPPE-Keys
    • Used to transmit MS-CHAPv1 keys
    • Same mechanism as User-Password scheme
      – B1 = MD5(Secret + RA)
  – MS-MPPE-Send-Key, MS-MPPE-Recv-Key
    • MAY be used to transmit EAP keys
    • Uses mechanism similar to Tunnel-Password scheme
      – B1 = MD5(Secret + RA + Salt), Salt=16-bit unsigned integer
      – Salt unique within each Access-Accept, left-most bit must be set
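The hiding scheme from the two Attribute Hiding slides, as an added Python example that is not part of the original presentation. The secret, passwords and salt are constructed sample values, and the salted call only shows how the first keystream block changes; it does not reproduce the full RFC 2868 or RFC 2548 attribute encoding.

```python
import hashlib
import os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide(password, secret, ra, salt=b""):
    """B1 = MD5(Secret + RA [+ Salt]), Bi = MD5(Secret + C(i-1)), Ci = Pi XOR Bi."""
    if not 1 <= len(password) <= 128 or len(ra) != 16:
        raise ValueError("password must be 1-128 octets and RA 16 octets")
    padded = password + bytes(-len(password) % 16)   # NUL-pad to a multiple of 16
    hidden, prev = b"", ra + salt
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block                                 # next keystream block chains on Ci
    return hidden

def unhide(hidden, secret, ra, salt=b""):
    """Reverse hide(); trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16 or len(ra) != 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain, prev = b"", ra + salt
    for i in range(0, len(hidden), 16):
        plain += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def demo():
    secret = b"constructed-example-secret"           # constructed sample values
    ra = bytes(range(16))
    first, second = b"correct horse battery", b"another-password"
    c1, c2 = hide(first, secret, ra), hide(second, secret, ra)   # same RA used twice
    # With a repeated RA both first blocks share B1, so it cancels under XOR.
    reuse_cancels = _xor(c1[:16], c2[:16]) == _xor(first[:16], second[:16])
    fresh = hide(second, secret, os.urandom(16))      # RA from a credible generator
    fresh_cancels = _xor(c1[:16], fresh[:16]) == _xor(first[:16], second[:16])
    salted = hide(first, secret, ra, salt=b"\x80\x01")
    return (unhide(c1, secret, ra) == first, reuse_cancels,
            fresh_cancels, salted[:16] != c1[:16])
```

The keystream depends only on the shared secret, the Request Authenticator and (where used) the salt, which is why a repeated Request Authenticator under one shared secret repeats the keystream.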

RADIUS Vulnerabilities
Details available at:
• Offline dictionary attack on RADIUS Shared Secret via RFC 2865 Response Authenticator or RFC 2866 Request or Response Authenticators
  – Many implementations only allow shared-secrets that are ASCII characters, and less than 16 characters; resulting RADIUS shared secrets are low entropy!
  – Attacker can capture Access-Request/Response or Accounting-Request or Accounting-Response for an offline dictionary attack
  – MD5 state can be pre-computed so dictionary attack is efficient
• Offline dictionary attack on RADIUS Shared Secret via EAP-Message attribute
  – Attacker can attempt offline attack on any packet with an EAP-Message attribute
  – HMAC-MD5 usage in EAP-Message attribute makes the attack more expensive, so Response Authenticator is weakest link.
• Real-time decryption of hidden attributes
  – An attacker authenticating via PAP can, by collecting RADIUS Access-Request packets, determine the keystream used to protect the User-Password attribute
  – Enables the attacker to collect Request Authenticators/IDs and corresponding key streams
  – For each captured keystream, attacker can generate new keystreams for each Salt Value
  – As table of RA/ID/Salt values increases, real-time decryption of User-Password, Tunnel-Password, MPPE-Key attributes becomes possible
  – Note: Where PAP is not used (such as in EAP authentication), attack against User-Password not possible
• Known plaintext attack against Tunnel-Password
  – An attacker cracking a User-Password can send a forged Access-Request, receive back an Access-Response containing a tunnel password attribute and salt
  – Since MD5(Secret+RA) is known, as is Salt, it is possible to immediately calculate MD5(Secret+RA+Salt)
  – Tunnel-Password is immediately compromised!

RADIUS Vulnerabilities (cont’d)
• Online dictionary attack against the PAP password
  – Works for RADIUS servers enabling replay of Request Authenticator (16 octets) and Identifier (only one octet) fields
  – By authenticating with PAP and capturing the User-Password attribute, attacker can derive the key stream for an RA and ID
  – Attacker can then attempt an online dictionary attack against the user password of 16 characters or less, using the same Request authenticator, Identifier and key stream.
  – Note: this attack is not possible if a Message-Authenticator attribute is required (such as in EAP messages)
• Forging
  – Attacker can forge RADIUS Access-Request packets (since these packets are not authenticated)
  – Note: this attack not possible if Message-Authenticator attribute is present (e.g. EAP Access-Request).
• Access-Accept/Reject Replay
  – Request Authenticator is a 128-bit quantity intended to be unpredictable and pseudo-random
  – However, not all implementations use a credible pseudo-random number generator
  – Same RADIUS shared secret often used on multiple NASen – implies that Request Authenticator MUST be globally and temporally unique across the entire network
  – If the Request Authenticator and Identifier are reused by NAS, then an attacker can replay the Access-Response (possibly to another NAS!)
  – Replay not confined to the original NAS, since the NAS-Identifier or NAS-IP-Address attributes MUST NOT be included in Access-Response packets.

Is Offline Dictionary Attack on RADIUS Shared Secret Possible?
• Simple answer: yes
• Offline dictionary attack only requires capturing a single Request/Response Authenticator pair
• Administrators frequently choose shared secrets amenable to dictionary attack
  – RADIUS implementations often only allow 16 character passwords;
  – English dictionary words only have 1.2 bits of entropy per character
• Same Shared Secret often used for multiple NASen
• Once Shared Secret is compromised, RADIUS security ineffective
  – Hidden attributes can be decrypted on the fly
  – All packet types can be forged
  – But…
    • Still need to mount offline dictionary attacks on CHAP, EAP-MD5
    • Doesn’t help with cracking methods invulnerable to dictionary attack, like EAP TLS or SRP

Is Real-Time Decryption Really Possible?
• If Request-Authenticator is random and globally and temporally unique (as required in RFC 2865), then this attack is infeasible.
  – Example
    • At 10 Gbps, 1 million NASen can send maximum of 2 billion RADIUS Access-Request/second, or quadrillion Access-Requests/year
    • Cycling through 128-bit request authenticator space will take more than a trillion years!
• However, if Request Authenticator is not randomly generated, then it can repeat
  – Using the same shared secret on each NAS makes this more likely

Summary – Vulnerabilities

Suggested Fixes
• Don’t allow PAP
  – EAP authentication already requires this (no PAP support)
• Use credible generator for Request Authenticator (see RFC 1750)
• Use RADIUS over IPsec ESP with a non-null transform (RFC 3162)
• Inclusion of Message-Authenticator attribute in all packets
  – RFC 2869 already requires this for EAP authentication
• Use a high-entropy RADIUS shared secret
  – Don’t limit shared secret to 16 characters
  – Utilize a randomly generated shared secret
• Use of a different shared secret for each RADIUS client-server pair

Feedback?