IETF Logo Mail Archive

Re: [saag] RADIUS is deprecating MD5

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 31 March 2024 13:59 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A343C14F5EE for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 06:59:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a0DtPn_QMg9k for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 06:59:36 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [103.96.23.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 644EFC14F5E4 for <saag@ietf.org>; Sun, 31 Mar 2024 06:59:35 -0700 (PDT)
Received: from AUS01-SY4-obe.outbound.protection.outlook.com (mail-sy4aus01lp2169.outbound.protection.outlook.com [104.47.71.169]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id au-mta-108-paSzS5r1MJC9llwscoV7Hg-1; Mon, 01 Apr 2024 00:59:31 +1100
X-MC-Unique: paSzS5r1MJC9llwscoV7Hg-1
Received: from ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM (2603:10c6:220:229::18) by SY8P300MB0103.AUSP300.PROD.OUTLOOK.COM (2603:10c6:10:262::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7452.24; Sun, 31 Mar 2024 13:59:29 +0000
Received: from ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM ([fe80::b3cd:2a27:73e1:a974]) by ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM ([fe80::b3cd:2a27:73e1:a974%5]) with mapi id 15.20.7452.019; Sun, 31 Mar 2024 13:59:29 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alan DeKok <aland@deployingradius.com>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] RADIUS is deprecating MD5
Thread-Index: AQHafhhYd6Pp6wDrq0CYMT6Bf16QJrFRtYpBgAAafICAABrGTA==
Date: Sun, 31 Mar 2024 13:59:28 +0000
Message-ID: <ME0P300MB0713C2E52C8DA16E3EB5DF3CEE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <8B488A8C-9757-47FB-8CC4-653A389CF0BE@deployingradius.com>
In-Reply-To: <8B488A8C-9757-47FB-8CC4-653A389CF0BE@deployingradius.com>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: ME0P300MB0713:EE_|SY8P300MB0103:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: RFxiKtv9hI1rIcuB+bkp0DOhQMcZ/SmeSEpQtChp3pDTocyNpH7Bb8WivJ9c2qQult9+WpwL4I5M+mnFhzmVhUjeSFXUeXwTpQjTR5q3diIHbPeqsMakvvNye9qdEJnXtDL08QTCvrqcQyxco0Q9rcmRdVeHksbBcMV2VtvIYPdaXzYnHpktNa8cvyvI1zZR5EqKBPkkAh9NnjNVzrAESfq1C2f3TXhMS5y2JKTeDCfP52I6dFUjtgYQlXo3ZXbF0jcTmAMH51VZRDiJQiSABXCj5fmMKUDSk+k+x+gxH8wpqNJn7ewud1xNhDqE/NMtiqhfhaQPJRqvCqSseyeLCjiDkwz9qF9fyAwI5rO9JxEh2xcLN0A9idGSHfxG32a2Ca7eYz9mrjhdCVX9BKW60AHYjJp9g7/J7MIqpxSBzzkcttAKIMo4pEJTC2VzDbHXD39i0A2PZ66+pQIsY7ZyppR2Ix/W5uZSxbd1EgnFSe2GBcjwBVQZ3B03kuZ6xhvEXvm33ONdQTiGteIoavhqOBZA5/amxAsMJue95sAoWxYp7B+QoR+G5gPy8cpKLfgMyd/23RctX5VMwbpmNoxpbaNPGTpDPz7v7O+ad6QaD91uYNLl7OGP0YXM5lMs8utHL+pCSamvfI3asjxJFD9MKL7sKVwt4IDqd/FxtT0MJDo=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(376005)(1800799015)(366007); DIR:OUT; SFP:1102
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: I1bA085+m/qOljY+fSyws9mUPK5A2B79k91QFj00eFL63XTTMTl+0UPZa1kSN3X8r3IsvB6GeWFYZXZRxTIK3t9nZVHmseXlrPM9WFa59Gf5MRmcaorc2PXMsH3yTG6hBfqwK6Gm7bLY3KRUp0wsPSglNK2iII9d0jkmqUkASXcLDZ1gpb/q4TthWLaoG+ecdwx0us4oyh8goPGgeelZHfdyn6ZmuUuCjPDzlaTqpfoUXLdRuGPB50lx77wKDflE12qovlSXUEvcq4i5a81HLBuKPmPVv27DpFbAHeGJUxUJsJnRpdJVzrh5vMzGxufYvosZuMZNZizdWQSetp1tbjKyiU8oFUJUods926rDj2vGgVmTt5rpRpVb3EvlQ8ks5nwMMjD65wAps3KV72mhhPwP1ZXmdHd2iRG/baaBcyZcjWpXikDkwFAt035RNzvzHs2JCvuZ4OUKL9p9ADlEHqqOLRWetQ6RDZa0e2Y0nfv4f0LhnapB5PPbinTKHu56n9axCV9M2kZflygJGpcIWuNR+MF3nUNWPqmO6o4ySrZCO2D6xwthAkqMZoOTA84NP60Ki/2yk36iXSkhx3VSH8qaASDwrzLs/LMifLrxS8mOxmFqO4sh7OQVHc2/ruVR6t7JwDfXHd5rmkYFPqpHtDjNqvYO/iSqOyhuGFUJVEBLUTC/1Uuxu4dFRfpU36uwST79TljQz/LG/n1H85e2MsYMCejHF8JVtdaV9CCCxi5vs9p2bGDtmlssEONohGK9xi5O7c5Z/9fpK+sop3neWFZmaURglPo+Kcjbv1HoXuYN5ZvBxzYFCLyFZifYq+H3Vy+JzLYJ1kb17+NiP1fKNjmWmmOPWVYTd7Ozkm5d+OC011XOVvShN5coFOfqt3FjO3/cuCVgQukeEBS588zTkZPMOQ4kZJnoW05I3xXLkU8FMKhswlHQ6wPI2jzr0FmvY6p7d+I3vonFfnLEMkdX2qOHrps3n5NETmVePrk4AegpPlui2rdUaCtaRRymHaTU7Zw6hXRi+kf/3z064iReUPi8bAcL1+TuHlIF1T/Rs6k4iydm3yo/v9x19dmZdN1BWY7cqIbyDFLzk621sEC2PkSoCHr3uYiO3rPc3gxtvo01ATovy8FnVdYUaK7E/WXE7Ksbx92o1aD+TLWglmirx9kEkkCmtHXike37OCvhYAQ0/y/dPbaq4rNoPSPpE5YQA8Vmg3R7/G5dL5RKTQ6h5m18ouvtW9HAjWq7tkjsd7NsIXy0ijnJJpryN9NwodUbs6rQctHopea5YsVmFtNEILFJWy2y6f2I8+QzQsONoUbp+8u30E4vsUXuUDbb19etBOmCrXGbh1nm+eDJhPeQEzKbBD8TOjUUqypX51+cCeOJHPRgjM0Kima5jU3hoonhzrCCht76ueiOB9VoInZARPIqaIsyRTI/D8YLAh890G4bzRrapObPiAl/VZ+jjXC3MmBk4iBUZl4X2d6woBGi4M5NgCelZV6Ba/0cdTCu2KgC0woQfw9Ep1LEiefklh5pzF8t/zG+KuvYb+62R4G0G/kHMTfy/Lhl8AhEM6z3EsyoGj2mv3LRIipVJYJXSC9/AkRXi+OpwJ12lBVozlSFXw==
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 3b47fc59-12ec-49af-f1ea-08dc518ac835
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Mar 2024 13:59:28.5744 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 6LJmtVYtG5WZkQmIIlIRQVIuRwJ+SkjbzkfgCpicsxHKZO/8njqmBmGvVLUVpsLc6z08RFWWKvtONiMC+ojfwFnLsCFY6SdkFS3VG1OKFio=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY8P300MB0103
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/wCiYT7TWp6WdoBO5uV836-WUh5g>
Subject: Re: [saag] RADIUS is deprecating MD5
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 13:59:41 -0000

Alan DeKok <aland@deployingradius.com> writes:

>Um... that is very much not what RADIUS is.

I'm not talking about RADIUS as RADIUS, I'm talking about RADIUS as a
substrate for the next half-dozen layers up.  In other words RADIUS is present
purely because the spec says there needs to be something between UDP below and
EAP-over-RADIUS above, which in turn is present purely because the spec says
you need that before you get to one of several types of TLS tunnel carrying
the actual payload you care about, inside the tunnel.

So it doesn't matter if, as used in that situation, RADIUS uses a Fletcher
checksum for "security" or prepends the password to the first packet sent
because it's acting only as a substrate for all the other layers, including
the ones providing the security.  That's the case I mentioned, user =
"anonymous", password = whatever (I've seen things like "anonymous",
"password", "dummy", and others) because RADIUS isn't doing anything except
meeting a requirement that it be present.

>I wouldn't really say there's "nothing worth attacking".

Probably best for another thread, but if there aren't any major attacks
against it occurring, as you mentioned previously, then it seems like
attackers don't consider it worth attacking.  That was the case with DKIM
signing, it wasn't defending against anything that attackers cared about so
none of them bothered exploiting the very weak keys used.

Peter.

v2.23.0 | Report a Bug | By Email