Re: Shared Secret Recovery in RADIUS

Thomas H. Ptacek (tqbf@enteract.com)
Tue, 29 Jul 1997 21:14:07 -0500

> authentication. Through packet capture and exploitation of the fact that
> the shared secret is the only unknown present, the shared secret can be
> recovered. This has extremely significant implications.

Well written. Thanks for posting it.

This attack was sent to Livingston and posted to the RADIUS discussion
list (I'm at a loss for the name of it) last year. I think it's worthwhile
to note that the attacks you're pointing out are actively being exploited,
and have been for a while. "Global roaming" systems involving RADIUS
proxies will dramatically increase the implications of this attack.

A possible interim fix, mentioned to me by a peer who shall remain
nameless, is to "SALT" the data being hashed with a random number. With an
8-bit random number, unknown to the legitimate server/NAS being spoken to,
this dramatically increases the difficulty of the dictionary attack you're
mentioning, while adding no more than 256 extra MD5 verification
iterations to the legitimate server.

Of course, this would involve the modification of substantial portions of
NAS code. It may be a useful idea for RADIUS proxies; however, at this
point, it could be a fair assessment to say that RADIUS should simply go
away.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
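
The hidden-salt verification described in the message, as an added example that is not part of the original post or of any RADIUS implementation. It assumes the hashed data is the Response Authenticator from the RADIUS RFC and that the salt byte is appended after the shared secret; the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

def _digest(code, ident, req_auth, attrs, secret, salt=b""):
    # Response Authenticator layout from the RADIUS RFC:
    # MD5(Code | ID | Length | RequestAuth | Attributes | Secret), with the
    # hidden salt byte appended (assumed placement, not from the post).
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + req_auth + attrs + secret + salt).digest()

def sign_salted(code, ident, req_auth, attrs, secret):
    """Sender side: pick a random 8-bit salt and never transmit it."""
    salt = bytes([secrets.randbelow(256)])
    return _digest(code, ident, req_auth, attrs, secret, salt)

def verify_salted(code, ident, req_auth, attrs, secret, authenticator):
    """Receiver side: try every salt value. Returns (ok, md5_calls)."""
    ok = False
    for value in range(256):
        candidate = _digest(code, ident, req_auth, attrs, secret, bytes([value]))
        # Constant-time compare and no early exit, so timing does not
        # reveal which salt value matched.
        ok |= hmac.compare_digest(candidate, authenticator)
    return ok, 256

def demo():
    # Constructed sample values, not taken from any capture.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    attrs = bytes([18, 7]) + b"hello"  # Reply-Message attribute, constructed
    auth = sign_salted(2, 42, req_auth, attrs, secret)  # 2 = Access-Accept
    good = verify_salted(2, 42, req_auth, attrs, secret, auth)
    bad = verify_salted(2, 42, req_auth, attrs, b"wrong-secret", auth)
    return good, bad

if __name__ == "__main__":
    print(demo())
```

The receiver pays a fixed 256 MD5 computations per packet, and anyone testing candidate secrets offline pays up to the same factor per candidate.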