IETF Logo Mail Archive

Re: [saag] RADIUS is deprecating MD5

Bernard Aboba <bernard.aboba@gmail.com> Sun, 31 March 2024 13:58 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F3E6C14F5F1 for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 06:58:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id URcp8lwT2utK for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 06:58:07 -0700 (PDT)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F5DAC14F5EE for <saag@ietf.org>; Sun, 31 Mar 2024 06:58:07 -0700 (PDT)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1dddbe47ac1so27059185ad.1 for <saag@ietf.org>; Sun, 31 Mar 2024 06:58:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711893487; x=1712498287; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dS8HsUeAsjaTmFFEdFxZOdBomyZrR0Kdh3XRg3zNEYE=; b=hUN2DN8Lgalsmvwl7TdlvNMlCyKRVk81TIGUYOsNHHa40Io6dNnitoUytaLdqS+9OG 71/07vSEuLn9rwrtY3bULbn950IM8dBsNNYwqKgS1QAq30A7yknjYm7aD46VPsiyEfdM IPJR6Fo5g6FZd4ZKzjt7ae0tJTsHiLHicDRmlNwPvBmA+XND0NYJFALjtcTvdwd+mmgA HrpmpnwEg/6KeGiFSw+le9wv++WQxddn4+GtgjPPc0Zh/kc7O+VKTNJkBv5rKHwAH7/H dzXKjoQIxwmqxJdgvZtJ9bdvt2nCEPe6vBzq8xnWw5Z9Y2VxXAJSj0PoXnGlZW4xiDvL EKEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711893487; x=1712498287; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dS8HsUeAsjaTmFFEdFxZOdBomyZrR0Kdh3XRg3zNEYE=; b=OxECuvHTtYwuB15xQSFDiQcUUuLQoM8ndulmRdus7CQS6cs3ha7OkvhDgJRPEoQgXK N/yb819zKeLbmtBt4YHMq/dMtSKjjABSyrcB5CH046Bk2WIra3xeEE9eAMJq03M8PAwt uY9XYSmHPV/lafmTlVQ4fPfBKSCKMcOw9gGhiaXrS9EZuW/8OChKv6ZUyU4W99BMCbAF IZacrZk6WULMiM/lvrFaWzbv58p6BVS9sOOGFUtzG3le7ksszr28JJ/UOcGwVRdHy50L HCDQiqrRE6362+ray6dNhaNPB1q4d9Gpn9dmNhVRBfKLSHUhcIR54W2a/VbdezZhYjQx P4iw==
X-Forwarded-Encrypted: i=1; AJvYcCVpQz+cLdUMw5FwJo+GoQcdBAVMbGKCB1oXw97V3DaOSrdAH+2WDOVF2w2+hDnaB4wrgbNf1jDcRVYo77wj
X-Gm-Message-State: AOJu0YzJwAEvEecjYAb8wEfmncsRjO/nMF0fA0gfDWWbfhUtRw3EvZ8r l0HNbh9Ts/8NB1OFgwlIn5h/bir5QJujLFBLZxwvPfc/K3NRTq3OkNe0QiB+5+DotUTQLKm/IeE vgQbK4V3VnAKYpGIsC/t9ma6JHnpVUrOWI/M=
X-Google-Smtp-Source: AGHT+IFbWJenP3I6XhH0LHH+so//skyMXaMUWX2cqpTdi4SST9p5CURsreu7vf6QtkbArVQUwdR+P/cXyDfG5f3rVGU=
X-Received: by 2002:a17:902:ce8a:b0:1e0:b677:293b with SMTP id f10-20020a170902ce8a00b001e0b677293bmr13796768plg.29.1711893486453; Sun, 31 Mar 2024 06:58:06 -0700 (PDT)
MIME-Version: 1.0
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <8B488A8C-9757-47FB-8CC4-653A389CF0BE@deployingradius.com>
In-Reply-To: <8B488A8C-9757-47FB-8CC4-653A389CF0BE@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Sun, 31 Mar 2024 06:57:51 -0700
Message-ID: <CAOW+2ds30gnOnWgk0hwveEX+TOcU7HGR=iTmDcDpRv_caiM4rQ@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002774180614f54373"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1s7tunmuQ4T5NN7JydaRKnJue-4>
Subject: Re: [saag] RADIUS is deprecating MD5
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 13:58:11 -0000

Alan said:

"  I wouldn't really say there's "nothing worth attacking"."

[BA]  Part of the motivation for the secure RADIUS work overall was that
the attacks were not only increasing in feasibility, but could yield
results of high value. It is my sincere hope that this work results in
conventional RADIUS eventually being replaced within enterprise,
particularly within highly secure environments (if it was ever allowed
there in the first place).  The IETF is only the first step; close
collaboration will be needed with groups such as WFA so that secure
products can be tested,  certified and made widely available.

Kudos to Alan and others who are pushing this forward. Deprecating RADIUS
is a bit like eradicating measles. Achieving the goal will be hard work,
there are likely to be setbacks along the way, and the people on the front
lines don't always get the credit they deserve.  But it's necessary to take
the long term view and keep at it.

BTW, during the original standardization process, the (mis)use of MD5 did
raise eyebrows within the IESG.  I recall comments like "marginal" used in
the RADIUS authentication security review.  This was not the worst grade on
the young protocol's report card.  The term "criminally negligent" comes to
mind, with respect to the design of RADIUS accounting, which was only
allowed to be published as Informational.

On Sun, Mar 31, 2024 at 5:22 AM Alan DeKok <aland@deployingradius.com>
wrote:

> On Mar 31, 2024, at 6:49 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
> wrote:
> > Maybe I'm missing something here but won't this break pretty much every
> RADIUS
> > implementation in existence, in particular stuff that's been around
> forever
> > and is unlikely to change?
>
>   In this context, "deprecate" means "please stop using" RADIUS + MD5.
>
>   I fully expect MD5-based RADIUS to continue for many years.
>
> > Also since the cases I'm familiar with just use RADIUS as an extremely
> awkward
> > transport mechanism for EAP-xTLS, with user = "anonymous" and password =
> some
> > widely-known dummy value at the RADIUS level so there's no security
> there to
> > begin with, it seems like the draft should emphasise that this applies
> to raw
> > RADIUS, not RADIUS used purely as a transport mechanism for something
> else.
>
>   Um... that is very much not what RADIUS is.  Such a design would be
> strongly opposed by anyone with experience in RADIUS systems.
>
>   I've been doing RADIUS for 25+ years, and I can't recall the last time I
> saw a deployment which used a well-known password for EAP-*TLS.  That
> use-case is either vanishingly small, or was built by people with zero
> relevant experience.
>
> > Also, just to be nitpicky:
> >
> >> While MD5 has been broken, it is a testament to the design of RADIUS
> that
> >> there have been (as yet) no attacks on RADIUS Authenticator signatures
> which
> >> are stronger than brute-force.
> >
> > I'd say that's more a testament to the fact that there's nothing there
> worth
> > attacking, meaning that there are far easier and more effective attacks
> > elsewhere.
>
>   If all RADIUS servers went offline tomorrow, then pretty much every
> network other than "cable to the home" and 3G+ would go offline.  All DSL,
> authenticated WiFi.  Eduroam, open roaming, secured corporate roaming, MAC
> auth, 802.1X, etc.
>
>   I wouldn't really say there's "nothing worth attacking".
>
>   For companies, if a corporate network isn't using RADIUS, then their
> network is essentially open.  The physical ports can be used by an pizza
> delivery guy with a raspberry pi, and any fired worker can go into the
> parking lot and continue to use corporate WiFi.  So *not* using RADIUS is a
> massive security risk.
>
> >  Use it to secure BTC transactions or something similar and I'm
> > sure we'd see attacks turn up fairly quickly.  This is based on
> experience
> > with very weak DKIM signing keys, which were breakable without too much
> effort
> > but where no-one ever bothered because they weren't protecting anything
> of
> > value that wasn't attackable through easier means.
>
>   There's money to be make by attacking BTC.  There's "street cred" to be
> gained by attacking modern protocols.  There's little street cred to be
> gained by attacking something that *old people* build and use.
>
>   If someone were to successfully have an attack on RADIUS/MD5, then that
> would require the upgrade of every single switch, router, firewall, VPN
> concentrator, WiFi access point, GGSN, etc. world-wide.  Every single
> (non-dumb) network device built and shipped in the last 25 years would have
> to be fixed.
>
>   I've been trying to address the MD5 issue since 2005.  That was when I
> published the first draft of what became RFC 5080.  In it, I recommend
> securing RADIUS via HMAC-MD5 constructs.  I couldn't make it mandatory,
> because the rest of the RADIUS WG opposed that.  But my software has
> followed those recommendations for well over a decade.
>
>   I can understand people not knowing what RADIUS is, or who uses it.  But
> I would strongly suggest not taking the next illogical leap to "I don't
> understand it, therefore it's useless".   I've never listened to K-pop, so
> it must be a tiny and irrelevant cultural phenomenon, right?
>
>   Alan DeKok.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email