
Lecture 3.1: Handling Remote Access: RADIUS
Remote Authentication Dial In User Service
Recommended reading: RFC 2865, June 2000
Giuseppe Bianchi

Motivation
- Managing large-scale networks: a nightmare
  » Multiple NAS, multiple access services
  » Not only authentication, but also service-specific configuration assignment
- Best achieved by managing a single user "database"
- [figure: user login (user + passwd) over PPP to the ISP's NAS, which consults the user database]

RADIUS
- Provides centralized AAA functionalities
  » Authentication: are you really the one you claim to be?
  » Authorization: do you have permission to access a service?
  » Accounting: what are you currently doing/using/paying? (transmitted bytes, billing, etc.)
- Client-Server protocol
  » NAS acts as RADIUS client
  » 1 primary server (0+ secondary servers, replicated); management of replicated servers is implementation dependent
  » Server may in turn act as a proxy
- Based on UDP/IP
  » Server port 1812 (client port ephemeral, as usual in C/S)

RADIUS architecture
- RADIUS Server application
- Registered User Database: for each entry (user_name), contains (at least):
  » Authentication information (secrets)
  » Authentication Method: one per user! Otherwise an attacker would negotiate the least secure method from among a set. If multiple authentication methods are provided, much better to use distinct user names!
  » Authorization attributes (access profile for each user)
- Client database: clients which are entitled to communicate with the server
- Accounting Database: when RADIUS is used for accounting (frequently it is used only for authentication)

RADIUS security features
- Per-packet authenticated reply
  » Transactions are authenticated through the use of a shared key between RADIUS server and RADIUS clients (well, not all of the transaction but only the reply packet: more later)
  » Shared key never sent over the network
  » Per-packet 16-byte signature
- Encrypted user password transmission
  » Same shared key used to transmit user passwords
- Remaining information transmitted in clear text

RADIUS scenario
1. User sends authentication attributes to the NAS
2. NAS wraps them into an Access-Request sent to the RADIUS server
3. Server response: OK, NO, Challenge (for some authentication methods); if OK, user profile, authorization and config data are added
4. NAS notifies the user
[figure: User --PPP--> NAS --Access-Request--> RADIUS server at the ISP; Response back to the NAS, which notifies the user]

Proxy operation
- RADIUS server may be transparent or not transparent (e.g. change the response to fit local policies)
- Remote RADIUS server: ISP (or other AAA, e.g. Cisco TACACS+), frequently a different ISP
- Typical proxy usage is roaming

Message exchange (example)
[figure: example message exchange between NAS and server; one step is marked "If needed"]

Packet format
- Code (1 byte): type of RADIUS packet
  1  Access-Request
  2  Access-Accept
  3  Access-Reject
  4  Accounting-Request
  5  Accounting-Response
  11 Access-Challenge
- Identifier (1 byte): matches requests with responses (IP src and UDP src also help matching)
- Length (2 bytes): minimum 20, maximum 4096
- Authenticator (16 bytes): used to authenticate the reply from the server; also used in the user password-hiding algorithm
- Attributes: extensible information field, a sequence of (type, len, value) triples; turned out not to be extensible enough with "only" 256 types...
- Layout: IP header | UDP header | RADIUS packet = code (1 byte) | identifier (1 byte) | length (2 bytes) | authenticator (16 bytes) | attributes (variable)

Packet authentication
- Request Authenticator, in Access-Request (C → S)
  » 16 randomly generated bytes, unpredictable and unique (over the lifetime of the shared C/S secret), to avoid replay attacks
- Response Authenticator, in Access-Accept/Reject/Challenge packets (S → C)
  » One-way MD5 hash of the request authenticator, the shared secret and the packet response information: the response packet is signed! Otherwise packet tampering would be possible
  » Specifically: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)

Attributes (at a glance)
- Attribute types 1-21:
  1  User-Name
  2  User-Password
  3  CHAP-Password
  4  NAS-IP-Address
  5  NAS-Port
  6  Service-Type
  7  Framed-Protocol
  8  Framed-IP-Address
  9  Framed-IP-Netmask
  10 Framed-Routing
  11 Filter-Id
  12 Framed-MTU
  13 Framed-Compression
  14-16 (for Login service)
  17 (unassigned)
  18 Reply-Message
  19 Callback-Number
  20 Callback-Id
  21 (unassigned)
- Information and configuration details carried by request and/or reply (accept/reject/challenge) packets
- Any number of attributes in a packet; the Length field marks the end of the attributes payload
- Order of attributes does NOT matter
- Some attributes may be included more than once; the effect is attribute-specific (here order may matter!)
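The packet layout and the Response Authenticator check from the Packet format and Packet authentication slides, as an added Python example (not part of the original lecture). The shared secret, user name and attribute values are constructed sample data; the NAS-side verifier also shows that a code-flipped reply and a reply bound to a different Request Authenticator both fail.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the slides): shared NAS/server secret.
SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT, REPLY_MESSAGE = 1, 5, 18


def attr(atype, value):
    """One attribute: type(1) | length(1) | value; length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must fit the 1-byte length field")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def packet(code, ident, authenticator, attrs):
    """code | identifier | length(2) | authenticator(16) | attributes; header is 20 octets."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """Server side: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_reply(reply, request_auth, secret):
    """NAS side: recompute the Response Authenticator over the received reply, using the
    Request Authenticator this NAS sent, and compare in constant time."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """Build a request (itself unsigned), sign the matching Access-Accept, test what breaks it."""
    req_auth = os.urandom(16)  # fresh, unpredictable Request Authenticator per request
    request = packet(ACCESS_REQUEST, 7, req_auth,
                     [attr(USER_NAME, b"alice"), attr(NAS_PORT, struct.pack("!I", 3))])
    reply_attrs = [attr(REPLY_MESSAGE, b"Welcome")]
    resp_auth = response_authenticator(ACCESS_ACCEPT, 7, req_auth, reply_attrs, SECRET)
    reply = packet(ACCESS_ACCEPT, 7, resp_auth, reply_attrs)
    genuine = verify_reply(reply, req_auth, SECRET)
    code_flipped = verify_reply(bytes([ACCESS_REJECT]) + reply[1:], req_auth, SECRET)
    replayed = verify_reply(reply, os.urandom(16), SECRET)  # reply bound to another request
    return len(request), genuine, code_flipped, replayed
```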
Attributes (at a glance), continued
- Attribute types 22-63:
  22 Framed-Route
  23 Framed-IPX-Network
  24 State
  25 Class
  26 Vendor-Specific
  27 Session-Timeout
  28 Idle-Timeout
  29 Termination-Action
  30 Called-Station-Id
  31 Calling-Station-Id
  32 NAS-Identifier
  33 Proxy-State
  34-36 (for LAT)
  37-39 (for AppleTalk)
  40-59 (reserved for accounting)
  60 CHAP-Challenge
  61 NAS-Port-Type
  62 Port-Limit
  63 Login-LAT-Port
- Up to $2^8$ attribute types (1-byte type field):
  » Type 0: reserved
  » Type 1-191: IANA (public) assigned/assignable
  » Type 192-240: for private use (192-223: experimental; 224-240: implementation-specific)
  » Type 241-255: reserved
- Extensible protocol: new attribute values can be added without disturbing existing implementations

Access-Request
- Typically contains:
  » Who is the user: User-Name (mandatory: search key to access the user database)
  » Password: User-Password, or CHAP-Password (when CHAP is employed)
  » An identifier of the RADIUS client: NAS-IP-Address or NAS-Identifier (a user might be allowed to access only a subset of the NAS)
  » An identifier of the port the user is accessing: NAS-Port (if the NAS has ports). Wi-Fi: logical association; dial-up: physical (modem) port number receiving the user call. A user might be restricted to specific ports only

Password encryption
- Step 1: pad the native User-Password to 16 bytes
- Step 2: generate a 16-byte hash MD5(secret | RequestAuth), using the shared key and the content of the authenticator field of the request
- Step 3: XOR the padded password with the hash MD5(secret | RequestAuth)
- If the password is longer than 16 characters:
  » Step 4: compute MD5(secret | result of the previous XOR)
  » Step 5: XOR with the next segment of the password

Access-Accept
- Positive server response: user authentication credentials OK
- Contains all the service-specific configuration, including the Service-Type attribute
- Complemented with other service-related configuration parameters, e.g. IP address, mask, etc.
- Possible values of the Service-Type option:
  » Login: the user should be connected to a host.
  » Framed: a Framed Protocol should be started for the user, such as PPP or SLIP.
  » Callback Login: the user should be disconnected and called back, then connected to a host.
  » Callback Framed: the user should be disconnected and called back, then a Framed Protocol should be started for the user, such as PPP or SLIP.
  » Outbound: the user should be granted access to outgoing devices.
  » Administrative: the user should be granted access to the administrative interface to the NAS from which privileged commands can be executed.
  » NAS Prompt: the user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
  » Authenticate Only: only authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself).

Access-Reject
- Two main reasons:
  » Authentication failed
  » 1+ attributes in the request were not considered acceptable (authorization failed)

Access-Challenge
- Used whenever the server wants/needs the user to send a further response
  » E.g. a challenge/response authentication mechanism: not necessarily CHAP (see CHAP support later on)! Could be RADIUS support for GSM/UMTS authentication
  » E.g. prompting the user to enter a password
- The challenge typically contains one or more Reply-Message attributes, which MAY be used in a very flexible manner
  » May contain text to be prompted to the user
  » May contain an explicit authentication challenge
- NAS collects the response from the user and sends a NEW Access-Request
  » New ID
  » New User-Password: contains the user response (encrypted)
- Based on this, the server accepts, rejects or sends another challenge

PPP CHAP support with RADIUS
- CHAP challenge locally generated by the NAS: no need to know the user password for this!
- CHAP challenge + response sent to the RADIUS server
- RADIUS server retrieves the user password from the database, computes and compares the CHAP response
- [figure: message sequence]
  NAS → User (PPP CHAP): CHAP Challenge
  User → NAS (PPP CHAP): CHAP Response
  NAS → RADIUS server (RADIUS over UDP/IP): Access-Request (User-Name, CHAP-Password, CHAP-Challenge, Service-Type: Framed PPP, ...)
  RADIUS server: verify
  RADIUS server → NAS: Access-Accept (Service-Type: Framed PPP, ...)
  NAS → User (PPP CHAP): CHAP Success

Lecture 3.2: RADIUS limits and extensions
Giuseppe Bianchi

MD5 and hash backgrounds (briefly)

Hash function
- Any-length message X → Y = H(X), a fixed-size digest (e.g. 128 bits for MD5)
- Cannot be inverted, as the mapping is not unique
- X = x bits, Y = y bits: assuming an ideal mapping, each Y is the result for $2^{x-y}$ possible X messages
- Example: x = 5 bits → 32 messages; y = 2 bits → 4 digests; 32/4 = 8 = $2^3$

Properties of a good hash function
- Preimage resistance (one way): given Y, the result of a hash, it is hard to find X such that H(X) = Y
- Second preimage resistance (weak collision resistance): given X, it is hard to find another X' such that H(X) = H(X')
- Collision resistance (strong collision resistance): it is hard to find two generic X1 and X2 such that H(X1) = H(X2)

Birthday paradox
- H: human being; X: birthday
1. What is the probability that none of you (N = 22) is born on my same day?
   $\left(\frac{364}{365}\right)^{22} = \left(1 - \frac{1}{365}\right)^{22} \approx 94.1\%$
2. What is the probability that no two (or more) of us (N = 23) are born on the same day?
   $\left(1 - \frac{1}{365}\right)\left(1 - \frac{2}{365}\right)\cdots\left(1 - \frac{22}{365}\right) = \frac{365 \cdot 364 \cdots (365 - 22)}{365^{23}} = \frac{365!}{(365 - 23)!\,365^{23}} \approx 49.3\%$

Birthday paradox again
- Digest = D bits; number of messages = K
1. How many messages K must I observe to get 50% probability that one has my same digest?
   $1 - \left(1 - \frac{1}{2^D}\right)^K = \frac{1}{2}$
2.
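Solving the 50% condition of question 1 on the "Birthday paradox again" slide for K (a step added here, not on the original slide):

$$\left(1 - \frac{1}{2^D}\right)^K = \frac{1}{2}
\;\Rightarrow\;
K = \frac{\ln 2}{-\ln\left(1 - 2^{-D}\right)} \approx 2^D \ln 2 \approx 0.69 \cdot 2^D,$$

using $-\ln(1 - \varepsilon) \approx \varepsilon$ for the small $\varepsilon = 2^{-D}$. Matching a given digest (the second-preimage setting of the Properties slide) therefore takes on the order of $2^D$ trials; for D = 128 (MD5) that is about $2^{127.5}$.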
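The server-side credential checks from the Password encryption and PPP CHAP slides, as an added Python example (not part of the original lecture): the five-step User-Password hiding and its inverse, and the CHAP-Password recomputation from the stored password. The user database, secret and challenge are constructed sample values; `verify_user_password` and `verify_chap_password` are names chosen here, not RFC or lecture terms.

```python
import hashlib
import hmac

# Constructed sample user database (not from the slides); CHAP needs the plaintext password.
USER_DB = {b"alice": b"a password longer than 16 chars"}


def hide_password(password, secret, request_auth):
    """Steps 1-5: pad to 16-octet blocks; XOR block 1 with MD5(secret | RequestAuth),
    block i with MD5(secret | previous hidden block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def unhide_password(hidden, secret, request_auth):
    """Server side: same mask chain over the received blocks, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password is a non-zero multiple of 16 octets")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")  # padding is NUL, so a password cannot end in NUL here


def chap_response(ident, password, challenge):
    """PPP CHAP (RFC 1994) response computed by the peer: MD5(ident | password | challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_user_password(user, hidden, secret, request_auth):
    """User-Password check: unhide with the shared secret and compare to the stored password."""
    stored = USER_DB.get(user)
    return stored is not None and hmac.compare_digest(
        unhide_password(hidden, secret, request_auth), stored)


def verify_chap_password(user, chap_password, challenge):
    """CHAP-Password value = CHAP ident (1 octet) + 16-octet response; the server recomputes
    it from the stored password and the CHAP-Challenge the NAS forwarded."""
    stored = USER_DB.get(user)
    if stored is None or len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored, challenge)
    return hmac.compare_digest(expected, chap_password[1:])
```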