Radius vulnerabilities in wireless overview
Download
1 / 6

Radius Vulnerabilities in Wireless Overview - PowerPoint PPT Presentation


  • 119 Views
  • Uploaded on

Radius Vulnerabilities in Wireless Overview . Randy Chou - rchou@arubanetworks.com Merv Andrade - merv@arubanetworks.com Joshua Wright - jwright@sans.org. Background & Vulnerability. AP (Authenticator). Client (Supplicant). Radius Auth Server. Associate + EAP. Key Exchange w/ Server Cert.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Radius Vulnerabilities in Wireless Overview' - kyrie


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Radius vulnerabilities in wireless overview

Radius Vulnerabilities in Wireless Overview

Randy Chou - rchou@arubanetworks.com

Merv Andrade - merv@arubanetworks.com

Joshua Wright - jwright@sans.org


Background vulnerability
Background & Vulnerability

AP (Authenticator)

Client (Supplicant)

Radius Auth Server

Associate + EAP

Key Exchange w/ Server Cert

User Auth inside TLS

Send MPPE Key

Send encryption Keys

  • Sniff packets. Wired risky, wireless undetectable.

  • VLAN separation does not mitigate sniffing.

  • Radius key known or attacked offline, see draft.

  • Wireless data decryption, can be offline.


Attack methodology
Attack Methodology

  • Adversary captures request and response authenticators

  • Mounts brute-force/dictionary attack against secret

  • Adversary uses secret to:

    • Forge Access-Accept frames

    • Decrypt MPPE for EAP keys

Response Auth = MD5(code + id + len + request auth + attributes + secret)


The problem
The Problem

  • Several references disclose vulnerabilities but are largely ignored

  • Some popular clients don’t implement IPSEC per RFC3579

  • Impact of compromised secret is serious

    • Compromised authentication, decryption of link-layer encryption mechanisms

    • Loss of keys == Loss of certificates


Goals
Goals

  • Update RFC3579 to MUST for IPsec support

  • Analyze seriousness of vulnerabilities in existing implementations

  • Provide best practice recommendations

  • Certification process for RADIUS devices

    • Not just interoperability, conformance tests


Questions
Questions?

  • Please direct comments to the authors or RADEXT reflector

    Randy Chou - rchou@arubanetworks.com

    Merv Andrade - merv@arubanetworks.com

    Joshua Wright - jwright@sans.org

    http://www.drizzle.com/~aboba/RADEXT/radius_vuln_00.txt