Download presentation
Presentation is loading. Please wait.
Published byLorena McCoy Modified over 8 years ago
1
1 Radius Vulnerabilities in Wireless Overview Randy Chou - rchou@arubanetworks.com Merv Andrade - merv@arubanetworks.com Joshua Wright - jwright@sans.org
2
2 Background & Vulnerability Client (Supplicant) AP (Authenticator) Radius Auth Server Associate + EAP Key Exchange w/ Server Cert User Auth inside TLS Send MPPE Key Send encryption Keys Sniff packets. Wired risky, wireless undetectable. VLAN separation does not mitigate sniffing. Radius key known or attacked offline, see draft. Wireless data decryption, can be offline.
3
3 Attack Methodology Adversary captures request and response authenticators Mounts brute-force/dictionary attack against secret Adversary uses secret to: –Forge Access-Accept frames –Decrypt MPPE for EAP keys Response Auth = MD5(code + id + len + request auth + attributes + secret)
4
4 The Problem Several references disclose vulnerabilities but are largely ignored Some popular clients don’t implement IPSEC per RFC3579 Impact of compromised secret is serious –Compromised authentication, decryption of link-layer encryption mechanisms –Loss of keys == Loss of certificates
5
5 Goals Update RFC3579 to MUST for IPsec support Analyze seriousness of vulnerabilities in existing implementations Provide best practice recommendations Certification process for RADIUS devices –Not just interoperability, conformance tests
6
6 Questions? Please direct comments to the authors or RADEXT reflector Randy Chou - rchou@arubanetworks.com Merv Andrade - merv@arubanetworks.com Joshua Wright - jwright@sans.org http://www.drizzle.com/~aboba/RADEXT/ radius_vuln_00.txt
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.