Re: [radext] #86: MD5 Stream Cipher Weaknesses

"radext issue tracker" <trac+radext@zinfandel.tools.ietf.org> Sat, 12 March 2011 22:25 UTC

Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2716A3A68F3 for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Sat, 12 Mar 2011 14:25:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5WuYDmY4NHhv for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Sat, 12 Mar 2011 14:25:00 -0800 (PST)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 7B14F3A690A for <radext-archive-IeZ9sae2@lists.ietf.org>; Sat, 12 Mar 2011 14:25:00 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.73 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1PyXBx-0006Na-75 for radiusext-data0@psg.com; Sat, 12 Mar 2011 22:21:45 +0000
Received: from zinfandel.tools.ietf.org ([2001:1890:1112:1::2a]) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.73 (FreeBSD)) (envelope-from <trac+radext@trac.tools.ietf.org>) id 1PyXBt-0006NI-G0 for radiusext@ops.ietf.org; Sat, 12 Mar 2011 22:21:41 +0000
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.74) (envelope-from <trac+radext@trac.tools.ietf.org>) id 1PyXBo-0008GY-2P; Sat, 12 Mar 2011 14:21:36 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: radext issue tracker <trac+radext@zinfandel.tools.ietf.org>
X-Trac-Version: 0.11.7
Cc: radiusext@ops.ietf.org
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: bernard_aboba@hotmail.com
X-Trac-Project: radext
Date: Sat, 12 Mar 2011 22:21:36 -0000
Reply-To: radiusext@ops.ietf.org
X-URL: http://tools.ietf.org/radext/
Subject: Re: [radext] #86: MD5 Stream Cipher Weaknesses
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/radext/trac/ticket/86#comment:1
Message-ID: <075.b7696d14718211b99253c6b6fcbd5940@trac.tools.ietf.org>
References: <066.62285455ad08292c0ca0af89a211ff48@trac.tools.ietf.org>
X-Trac-Ticket-ID: 86
In-Reply-To: <066.62285455ad08292c0ca0af89a211ff48@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: bernard_aboba@hotmail.com, radiusext@ops.ietf.org
X-SA-Exim-Mail-From: trac+radext@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk
List-ID: <radiusext.ops.ietf.org>

#86: MD5 Stream Cipher Weaknesses

Changes (by bernard_aboba@…):

  * status:  new => closed
  * resolution:  => fixed


Comment:

 Note that the Access-Request isn't the only RADIUS packet not protected by
 a MIC in the Authenticator field;  Status-Server also isn't protected that
 way.

 The proposed resolution is to change Section 3 to the following:

 3.  The Current State of RADIUS Security

    RADIUS packets, as defined in [RFC2865], are protected by an MD5
    message integrity check (MIC), within the Authenticator field of
    RADIUS packets other than Access-Request [RFC2865] and Status-Server
    [RFC5997].  The Message-Authenticator Attribute utilizes HMAC-MD5 to
    authenticate and integrity protect RADIUS packets.

    While RADIUS does not support confidentiality of entire packets,
    various RADIUS attributes support encrypted (also known as "hidden")
    values, including: User-Password [RFC2865, section 5.2], Tunnel-
    Password [RFC2868, section 3.5], and various Vendor-Specific
    Attributes, such as the MS-MPPE-Send-Key and MS-MPPE-Recv-Key
    attributes defined in [RFC2548, section 2.4].  Generally speaking,
    the hiding mechanism uses a stream cipher based on a key stream from
    an MD5 digest.  Attacks against this mechanism are described in
    [RFC3579] Section 4.3.4.

    Recent work on MD5 collisions does not immediately compromise these
    functions absent knowledge of the RADIUS shared secret.  However, the
    progress toward compromise of MD5's basic cryptographic assumptions
    has resulted in the deprecation of MD5 usage in a variety of
    applications.

 Add the following references to Section 8:

 [RFC2548]  Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC
            2548, March 1999.

 [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.
            and I. Goyret, "RADIUS Attributes for Tunnel Protocol
            Support", RFC 2868, June 2000.

 [RFC5997]  DeKok, A., "Use of Status-Server Packets in the Remote
            Authentication Dialin User Service (RADIUS) Protocol", RFC
            5997, August 2011.

-- 
---------------------------------------+------------------------------------
 Reporter:  bernard_aboba@…            |        Owner:            
     Type:  defect                     |       Status:  closed    
 Priority:  major                      |    Milestone:  milestone1
Component:  Crypto-Agility             |      Version:  1.0       
 Severity:  Active WG Document         |   Resolution:  fixed     
 Keywords:                             |  
---------------------------------------+------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/86#comment:1>
radext <http://tools.ietf.org/radext/>


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>