IETF Logo Mail Archive

Re: [saag] RADIUS is deprecating MD5

Bernard Aboba <bernard.aboba@gmail.com> Sun, 31 March 2024 17:01 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21E1AC14F6F4 for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 10:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aMCK9he85U2 for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 10:01:53 -0700 (PDT)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B8C1C14F6F2 for <saag@ietf.org>; Sun, 31 Mar 2024 10:01:53 -0700 (PDT)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1e252f2bf23so1762715ad.2 for <saag@ietf.org>; Sun, 31 Mar 2024 10:01:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711904513; x=1712509313; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=LnxR5YXJGcY7gQfD4UiXWsXQL9by3rlAT+x/0/w85BM=; b=eQCEwQs/FznAlj+cNMHnG0TEYIZyFX+XyNaHnu60ccQQseWe9+pJmf+faV3gyZypBP uNQ8Y2z9iLbV9OCH3Db5WzV/bZyyk6TOxTpdgrytZGsLVBWszXmidGaEuW+noeq/7BC/ 76kRb3V1n148cnj+9z36D6heV6+Ho6NqSZLjRSDxHy/XKmDQ05OAzDIfyrfiOHxPzdEI sMvtiJPsCbkilEaoHVf1XRb4A9iizNaDlYgc5kdIsFhAuzhfGd+VyNWuv7R6of6Sx9A5 9kxLi1L7OEMM7LbTwougnGEku50h+nnvkK31bwA8a+NWkg1WFLPMtHdnkqc4PTPQYlpT W5Aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711904513; x=1712509313; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LnxR5YXJGcY7gQfD4UiXWsXQL9by3rlAT+x/0/w85BM=; b=p5eXSPUrJNItf320wqktPrU4zjsRUKMtq2HAJ6tuzntmWgN9I2CHP3pb4p9jBqOt/1 bOuPlkfWgUAZPDgt6I1Y+5xEP3Z4ixf4kSwCWhCHeRUB8uMMYew6QQYs6VTJwEMxseUw E8Avpldhgt6BveA4knEWzBF4xwLPZmIBp83HFjsZ97PDOMwOYaODDXeYr4LsbuKGOBjp tnn0Un2io72T4qDpqJ6bsNYqOxvp2VVSD8pWi+J9R4OKvAREm7NLcczBkoQw1+sE//4C kGGF5+EpIYS4/x3VoPBOjra/w/R+wo+Ahet9bNtjq+WM0QewlVMHUq1WpVE1sH91iA51 5eQQ==
X-Gm-Message-State: AOJu0YyTWtE/H9kKNjWWIbJcXn0LSba9uB04S8WnpGFSs/5V8VoA73e+ IJnTd1aNHlIvIHvJwqNc4jlkQy0bw74I1jQCnJVF8R1t3mK3gaeDMUbucqORTZnhVnlxaGy3jIo hVOI0RVGZ1gbaZG8Cmpu8AMBwAWY8GbzwMxw=
X-Google-Smtp-Source: AGHT+IF/s2EyRBdJr4Q8a13JlDjE6BMAMkOJjkCu9jZ5l3HhWQAmQcY+ucSl0abLwMhAARXhzTqscobbH+o6DQ+KMCo=
X-Received: by 2002:a17:90a:9414:b0:29b:ad3a:7b01 with SMTP id r20-20020a17090a941400b0029bad3a7b01mr4737623pjo.46.1711904512415; Sun, 31 Mar 2024 10:01:52 -0700 (PDT)
MIME-Version: 1.0
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com>
In-Reply-To: <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Sun, 31 Mar 2024 10:01:36 -0700
Message-ID: <CAOW+2du2K-Za83y5mWC7BvR9B9kQBOtEE7=RawpgEJvWnD0Xcg@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: saag@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005a1e7b0614f7d4c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/pLeXJL7zScv7C70IkQNR9RTmCXk>
Subject: Re: [saag] RADIUS is deprecating MD5
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 17:01:57 -0000

Alan said:

"  We know that MD5 is insecure.  We know that many Access-Request packets
lack all integrity checks.  I've been trying to fix this issue since 2005
or so.

  Why can't we just say "yes, 1993-era protocols are bad.  Wrap them in
TLS.  Move on".

  I am more than a bit surprised that there is any resistance to this
effort."

[BA]  The effort to upgrade RADIUS security is now more than a decades. The
effort kicked off in 2011 with the publication of RFC 6421, which laid out
the requirements as well as the thinking on how a transition would work.
The RADEXT WG, which I chaired, then solicited and published as
Experimental RFCs solutions which were based on RADIUS over (D)TLS.  The
protocols were subsequently implemented, and drafts are incorporating
clarifications and updates.

To be sure, the deployment barriers are significant, but the transition
model has been thought through.  For example, it is possible to run a
mixture of secure and insecure RADIUS clients along with servers supporting
both existing and secure RADIUS so as to allow for legacy devices
implementing only classic RADIUS to continue to operate alongside new
devices implementing secure RADIUS.  When all the legacy devices have been
replaced, the server can be reconfigured to accept only secure RADIUS
requests.

The initial RADIUS over (D)TLS RFCs didn't have to say much about MD5
because the approach was to encrypt and authenticate RADIUS packets using
TLS cyphersuites. This approach worked and can continue to be used with the
new specifications under development.  The problem occurred in FIPS-140
environments where calls to MD5 primitives *fail*.  The original
specifications were not crystal clear on the desired behavior in such a
situation, and there were hints that some very bad bugs could arise (e.g.
secrets sent in the clear over the network).

Alan and others took the initiative to come up with recommendations
covering not only RADIUS servers, but also RADIUS clients and even
FIPS-configured clients not running RADIUS at all.  Those experienced with
operating FIPS-140 compliant services may be particularly interested in
understanding how the recommendations would apply to their situations.

On Sun, Mar 31, 2024 at 8:56 AM Alan DeKok <aland@deployingradius.com>
wrote:

> On Mar 31, 2024, at 11:37 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> > This does not sound like an MD5 issue, rather this is about metadata
> > leakage from RADIUS/UDP, and MD5 is mostly just collateral damage or
> > a distraction from the core issue?
>
>   We know that MD5 is insecure.  We know that many Access-Request packets
> lack all integrity checks.  I've been trying to fix this issue since 2005
> or so.
>
>   Why can't we just say "yes, 1993-era protocols are bad.  Wrap them in
> TLS.  Move on".
>
>   I am more than a bit surprised that there is any resistance to this
> effort.
>
>   Alan DeKok.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email