Re: [saag] RADIUS is deprecating MD5

Alan DeKok <aland@deployingradius.com> Sun, 31 March 2024 12:22 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
Date: Sun, 31 Mar 2024 08:22:33 -0400
Cc: "saag@ietf.org" <saag@ietf.org>
Message-Id: <8B488A8C-9757-47FB-8CC4-653A389CF0BE@deployingradius.com>
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/dBcy6bTi6ZORNT8twWiBaWvJjC4>
Subject: Re: [saag] RADIUS is deprecating MD5

On Mar 31, 2024, at 6:49 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> Maybe I'm missing something here but won't this break pretty much every RADIUS
> implementation in existence, in particular stuff that's been around forever
> and is unlikely to change?

  In this context, "deprecate" means "please stop using" RADIUS + MD5.

  I fully expect MD5-based RADIUS to continue for many years.

> Also since the cases I'm familiar with just use RADIUS as an extremely awkward
> transport mechanism for EAP-xTLS, with user = "anonymous" and password = some
> widely-known dummy value at the RADIUS level so there's no security there to
> begin with, it seems like the draft should emphasise that this applies to raw
> RADIUS, not RADIUS used purely as a transport mechanism for something else.

  Um... that is very much not what RADIUS is.  Such a design would be strongly opposed by anyone with experience in RADIUS systems.

  I've been doing RADIUS for 25+ years, and I can't recall the last time I saw a deployment which used a well-known password for EAP-*TLS.  That use-case is either vanishingly small, or was built by people with zero relevant experience.

> Also, just to be nitpicky:
> 
>> While MD5 has been broken, it is a testament to the design of RADIUS that
>> there have been (as yet) no attacks on RADIUS Authenticator signatures which
>> are stronger than brute-force.
> 
> I'd say that's more a testament to the fact that there's nothing there worth
> attacking, meaning that there are far easier and more effective attacks
> elsewhere.

  If all RADIUS servers went offline tomorrow, then pretty much every network other than "cable to the home" and 3G+ would go offline.  All DSL, authenticated WiFi.  Eduroam, open roaming, secured corporate roaming, MAC auth, 802.1X, etc.

  I wouldn't really say there's "nothing worth attacking".

  For companies, if a corporate network isn't using RADIUS, then their network is essentially open.  The physical ports can be used by a pizza delivery guy with a Raspberry Pi, and any fired worker can go into the parking lot and continue to use corporate WiFi.  So *not* using RADIUS is a massive security risk.

>  Use it to secure BTC transactions or something similar and I'm
> sure we'd see attacks turn up fairly quickly.  This is based on experience
> with very weak DKIM signing keys, which were breakable without too much effort
> but where no-one ever bothered because they weren't protecting anything of
> value that wasn't attackable through easier means.

  There's money to be made by attacking BTC.  There's "street cred" to be gained by attacking modern protocols.  There's little street cred to be gained by attacking something that *old people* build and use.

  If someone were to successfully have an attack on RADIUS/MD5, then that would require the upgrade of every single switch, router, firewall, VPN concentrator, WiFi access point, GGSN, etc. world-wide.  Every single (non-dumb) network device built and shipped in the last 25 years would have to be fixed.

  I've been trying to address the MD5 issue since 2005.  That was when I published the first draft of what became RFC 5080.  In it, I recommend securing RADIUS via HMAC-MD5 constructs.  I couldn't make it mandatory, because the rest of the RADIUS WG opposed that.  But my software has followed those recommendations for well over a decade.

  I can understand people not knowing what RADIUS is, or who uses it.  But I would strongly suggest not taking the next illogical leap to "I don't understand it, therefore it's useless".  I've never listened to K-pop, so it must be a tiny and irrelevant cultural phenomenon, right?

  Alan DeKok.
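The HMAC-MD5 construct the message refers to is the Message-Authenticator attribute (RFC 2869), which RFC 5080 recommends alongside the plain MD5 Response Authenticator. The following is an added example, not code from this thread or from any RADIUS implementation; it builds an Access-Accept carrying both checks and shows a verifier that rejects tampered packets and, by default, packets lacking the Message-Authenticator. The shared secret, identifier and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 section 5.14)

def build_access_accept(secret: bytes, ident: int, req_auth: bytes,
                        attrs: bytes, with_msg_auth: bool = True) -> bytes:
    """Build an Access-Accept (Code 2) for the request identified by req_auth."""
    if with_msg_auth:
        # Placeholder of 16 zero bytes so the HMAC covers the final packet layout
        attrs += bytes([MSG_AUTH, 18]) + bytes(16)
    hdr = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    if with_msg_auth:
        # For responses the HMAC-MD5 is keyed with the shared secret and computed
        # over Code, ID, Length, the *Request* Authenticator and the attributes
        mac = hmac.new(secret, hdr + req_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    # RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(hdr + req_auth + attrs + secret).digest()
    return hdr + resp_auth + attrs

def verify_response(secret: bytes, req_auth: bytes, pkt: bytes,
                    require_msg_auth: bool = True) -> bool:
    """Client-side check of a RADIUS response against the request it answers."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    hdr, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expect = hashlib.md5(hdr + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expect, resp_auth):
        return False
    # Walk the TLV attribute list; reject malformed lengths rather than looping
    off, found = 0, None
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            return False
        if atype == MSG_AUTH and alen == 18:
            found = off
        off += alen
    if found is None:
        return not require_msg_auth
    # Recompute HMAC-MD5 with the Message-Authenticator value zeroed out
    zeroed = attrs[:found + 2] + bytes(16) + attrs[found + 18:]
    mac = hmac.new(secret, hdr + req_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, attrs[found + 2:found + 18])
```

Note that the Message-Authenticator is still MD5-based; it only replaces the raw MD5 hash with a keyed HMAC, which is the construct RFC 5080 was able to recommend without a wire-format change.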