Understanding EAP-MD5 Authentication with RADIUS

advertisement
Understanding EAP-MD5 Authentication with RADIUS
Structure of the Document
1. Purpose of the document
2. Introduction
3. RADIUS
4. RADIUS Packet structure
5. EAP
6. EAP Packet structure
7. RADIUS EAP-MD5 authentication Process
8. Drawbacks of EAP-MD5
9. Possible EAP methods which addresses the weakness of EAP-MD5
10. Reference
Section 1:
Purpose of the Document
This document has been compiled as an effort to understand the process of
Authentication involved when using RADIUS with EAP-MD5. The document will look
into the details of the EAP-MD5 authentication process when used with RADIUS. We
shall see how RADIUS protocol can be extended to support third-party authentication
process. We shall also discuss the advantages and disadvantages of the protocol and look
at the alternatives that are available to address the shortcomings of the protocol.
Section 2:
Introduction
RADIUS, also known as Remote Authentication Dial-in User Service is an open standard
for a Remote Access Authentication System. It provides the functionalities of
Authentication, Authorization and Accounting commonly known as “AAA” that is very
much essential in any sort of Access Control environment. Though originally used for the
authentication of remote dial-up clients, and widely supported by almost all NAS devices,
RADIUS authentication can very well be extended to other applications with minimal
effort. Various applications are now coming up with plugin modules to authenticate their
users through a RADIUS Server. This is especially useful in heterogeneous environments
where users have access to so many applications all with different passwords for each of
them. Encouraging a Central Authentication System, which is an Open Standard, and
provides good Network Access Security, not only reduces administrative overhead, but
also helps organizations enforce a strong password policy. Users now shall have a choice
of selecting better passwords, and shall be more comfortable remembering them, without
violating organization policies by writing them down at odd places, which might be
vulnerable to Social Engineering Attacks. With a Central Authentication System in place,
user management becomes much easier and less error-prone. Synchronization of different
password databases is no longer needed, thus reducing the overhead of maintaining
redundant user account databases. RADIUS protocol is also flexible enough to support
other forms of Authentication even though support for these authentication protocols
doesn’t come up with the original distribution.
Though RADIUS by itself does provide very limited authentication methods, the
Extensible Authentication Protocol (EAP), can provide dynamic addition of new
authentication methods into RADIUS. This allows different vendors to introduce their
own proprietary authentication methods into RADIUS. Moreover, the RADIUS protocol
is also capable of supporting different authentication methods out of a single installation
as per the authorization variables of a particular user.
In the following Sections we will look into the process of RADIUS authentication and
how EAP can be used to extend its functionality. We shall also take up EAP-MD5
authentication protocol and look into its intricacies.
Section 3:
RADIUS
The RADIUS is a client-server protocol and software, which is used by NAS devices (or
applications), to authenticate remote users and authorize them to access network
resources. A server running the RADIUS service is commonly known as a RADIUS
server. RADIUS is typically used as a Central Authentication System providing
Authentication, Authorization and Accounting for Remote users. The RADIUS server
communicates on UDP port 1812 for handling Authentication and Authorization
requests, and port 1813 for handling Accounting requests from Clients.
NAS devices or applications, which pass on user authentication requests to RADIUS, are
known as clients of RADIUS. To verify the identity of these clients, RADIUS uses
shared secrets. These shared secrets are commonly used passwords, which are configured
for each client separately in a configuration file on the RADIUS server. Before
processing any requests from the client, a checksum of the packet is verified using the
configured Shared Secret for the client. This is to prevent replay attacks on the RADIUS
Server from unauthorized clients. Typically these Access-Request packets contain user
identification and credentials. The RADIUS server verifies these credentials from its
configured user database and checks to see the users authorization parameters in the
database. If all conditions are successfully satisfied, it sends an Access—Accept with
other configuration parameters for the user; else it sends an Access-Reject and the user is
denied Access.
The RADIUS server might also send back an Access-Challenge packet in reply to an
Access-Request. This is when RADIUS needs more clarification to verify the users
identity. This is typically done when the RADIUS server is configured for
Challenge/Response authentication like CHAP. The Access-Challenge packet contains an
attribute- value pair containing a random series of characters (preferably of 16 octets) as
the challenge value, which the user is expected to encrypt and sent back in a new AccessRequest packet. On receipt of the response to this challenge from the client, the RADIUS
server computes the value of the response independently using the agreed upon algorithm
and a reversibly encrypted shared secret of the user that is stored in the database. If the
RADIUS server arrives at the same value to that supplied in the response, the user is
considered to be valid and thus an Access-Accept is returned back to the client. If the
value doesn’t match, the server sends back an Access-Reject packet and the user is
denied Access.
On receipt of an Access-Accept packet, the NAS may want the RADIUS server to start
accounting for the respective user, and thus sends an Accounting Request packet to the
server. The RADIUS server in turn starts accounting for this user, either by
communicating with an external billing system or by maintaining appropriate information
in its own log files. It also sends back an Accounting-Response packet back to the client.
On the event of user closing a connection or getting disconnected by any other means the
NAS sends an Accounting-Request packet to the RADIUS server requesting it to stop
accounting for the respective user. The RADIUS then stops the accounting process for
the user at this point and sends back an Accounting-Response packet back to the NAS.
These two types of Accounting Request packets are sometimes known as Accounting
start bit and Accounting stop bits respectively.
Section 4:
RADIUS Packet Structure
Now having seen how a RADIUS authentication process works, let us try to find out a bit
more about the RADIUS packet structure. A typical RADIUS packet consists of a fixed
length RADIUS header of 20 bytes, and a variable length attribute-value pairs.
RADIUS Packet Header
The following fields are defined in the RADIUS header.
Code 1 Byte
The code defines the type of RADIUS packet. There can be the following types of code.
1
Access-Request
2
Access-Accept
3
Access-Reject
4
Accounting-Request
5
Accounting-Response
11
Access-Challenge
12
Status-Server (experimental)
13
Status-Client(experimental)
255
Experimental
Identifier
1 Byte
The identifier field is used to match requests and replies
Length
2 bytes
The length field denotes the size of the total RADIUS packet including the RADIUS
header and all the Attribute value pairs.
Authenticator
16 Bytes
The Authenticator field is used as a Checksum of the whole packet.
Attribute – Value Pairs
A single attribute value pair consists of three fields.
Type
1 Byte
This field specifies the code of a particular attribute. For example ‘1’ represents
‘username’.
Length
1 Byte
This field defines the Length of an attribute including Type, Length and Value. So the
size of the value field + 2 gives the value of the length field.
Value
Value of Length field – 2
Contains the value of the Attribute
Section 5:
Extensible Authentication Protocol
The EAP protocol was originally designed to provide a standard interface for additional
authentication options within PPP. Thus to provide the same support for EAP within the
RADIUS protocol, two new attributes were designed, the EAP Message attribute and
Message Authenticator (previously known as ‘Signature’). The EAP related information
is encapsulated within the value part of the EAP Message attribute and transmitted in a
RADIUS packet. The Message-Authenticator is a checksum to verify the integrity of
such a RADIUS packet. The Message-Authenticator attribute is mandatory within a
RADIUS packet if it contains a EAP-Message attribute.
By encapsulating the total EAP-Message in one or more EAP-Message attributes of a
RADIUS packet, any authentication method can be used except for the ones supported by
the original protocol. This gives the flexibility of RADIUS supporting arbitrary (and
possibly strong), authentication mechanisms without the need to know the intricacies of
each authentication mechanisms. Of course, the RADIUS server might have to depend on
third party software to interpret the proprietary authentication algorithms. But then again,
this has a considerable advantage since only a part of the code needs a change (if
needed), and not all entities in an Authentication chain.
Section 6:
EAP Packet Structure
Like any other Attribute – Value pair of a RADIUS packet, the EAP-Message attribute
can also be broken down into three parts. –



The type having a code of 79 signifying the EAP message,
The Length, and
The Value.
However, the Value actually contains the EAP-Message details and can be broken down
into the following parts.
Code 1 Byte
Identifies the type of EAP-Packet. The following types are defined for an EAP-Message
1.
Request
2.
Response
3.
Success
4.
Failure
Identifier
1 Byte
Matches response with requests
Length
2 Bytes
Indicates the length of the total EAP-Packet. This includes Code, id, length, type and
type-data.
Type
1 Byte
Defines the type of Authentication protocol in use. The following are the few common
types
1.
Identity
2.
Notification
3.
NAK
4.
MD5-Challenge
5.
One Time password
6.
Generic Token Card
Type-Data
variable Length (Length - 5)
This depends on the Authentication protocol being used.
Section 7:
RADIUS EAP-MD5 Authentication process
Now that we have understood RADIUS and EAP protocols, let us find out how the EAPMD5 authentication protocol works. The major steps are described in the following flowchart. We shall be taking each step and try to analyze the events that are taking place.
1
NAS
PPP LCP Phase attempts EAP
Authentication
2
Dial-Up Client
EAP negotiation
complete. Sends
LCP/ACK to NAS
3
NAS
EAP identity Request issued.
4
Dial-Up Client
EAP Identity response
generated.
5
NAS
RADIUS Access-Request packet
generated with encapsulated EAP
identity response received from
client.
8
Dial-Up Client
Response to the
Challenge generated
using MD5 of EAPMessage ID + Challenge
+ Password. The EAP
MD5 Challenge response
packet is sent to NAS.
7
NAS
PPP EAP MD5 Challenge request
sent to client.
13
Dial-Up Client
PPP Authentication phase
completed and client is
given Access to the
remote network.
16
Dial-Up Client
PPP Authentication phase
completed and client is
denied Access.
9
NAS
RADIUS Access-Request issued
encapsulating the EAP MD5
Challenge Response received
from client.
12
NAS
PPP EAP-Success packet is issued
and client is given Access.
15
NAS
PPP EAP-Failure packet is issued
and client denied Access.
6
RADIUS
User identity verified and
authorization parameters checked.
Access-Challenge packet is
generated encapsulating an EAP
MD5 Challenge request.
10
RADIUS
Response to the Challenge is
verified.
11
RADIUS
Access-Accept packet
encapsulated with EAPSuccess is issued if
Verification is successful.
14
RADIUS
Access-Reject packet
encapsulated with EAPFailure is issued if Verification
fails.
1. When a user dials up a remote connection to a NAS server, PPP negotiation takes
place. Amongst other things, Authentication protocol is negotiated. In this case
the EAP method shall be negotiated at this phase.
2. The client acknowledges the use of EAP authentication method to the NAS
Server.
3. The NAS server now issues an EAP Identity request back to the client asking the
user to identify himself. This is done by assigning an EAP Message ID to the
request and by setting the code field to ‘1’indicating a request packet. The length
field contains the total length of the EAP packet and the Type field has a value of
‘1’ indicating the EAP-Message type ‘identity’.
4. The client on receiving this packet issues a response to the EAP identity request.
a. It sets the code field to ‘2’ indicating it as a response.
b. The ID field contains the same identity as was sent from the NAS, which
will enable it to match the response to the request it had sent earlier.
c. The Length field has a value of the total length of the EAP packet.
d. The type field is ‘1’ indicating it as an ‘identity’ type.
e. The Type-data contains the name of the user. This packet is then sent back
to the NAS server.
5. On receipt of this Packet, the NAS server creates an Access-Request packet for
the RADIUS server.
a. The code field of this RADIUS packet is set to ‘1’ indicating an AccessRequest.
b. The ID field contains a sequenced number to identify future
correspondence of this request with RADIUS.
c. The total length of the packet including header and attributes is appended.
d. The Request Authenticator field is calculated on the whole RADIUS
packet using the shared secret of the NAS and the RADIUS server. This
value is then inserted into the packet.
e. Other attributes as relevant to the request (for e.g. Framed Protocol, NAS
IP-Address etc.) are inserted in the packet.
f. The two most important attributes i.e. the EAP-Message and Message
Authenticator are also added to this packet.
g. The EAP-Message attribute has a code of 79, and the value contains the
EAP identity response packet which was received from the client.
h. The Message Authenticator is calculated as an HMAC MD5 of the whole
packet using the shared secret as the key. This is inserted into the value
portion of the Message Authenticator attribute.
Once this packet is created it is then transmitted on the Destination UDP port
1812 of the configured RADIUS server.
6. The RADIUS server first checks the request authenticator field to verify that the
packet has come from an authentic NAS device. If EAP conversation is detected,
the Message Authenticator is also checked. If both the checks are found to be
correct, the user identity is extracted from the EAP – Message attribute and
processed for authorization checks. If the authorization check returns true, an
MD5 challenge is generated for this request. An EAP packet structure is created
with the following structure:
a. A code value of ‘1’ indicating it as a Request
b. An ID field which is usually the value of response ID + 1
c. Length field indicating the total length of the EAP Message,
d. A type code field of 4 indicating an MD5 Challenge
e. Type–data field containing the challenge value.
This packet is then assigned into the value part of the EAP – Message attribute
and encapsulated in an Access-Challenge packet. The code of the AccessChallenge packet is ‘11’ and the packet ID is that of the request this challenge is
in reply to. This packet is then be sent back to the NAS server.
7. The NAS server on receipt of this packet checks the Response – Authenticator
and the Message – Authenticator fields to determine the authenticity and integrity
of the packet. After this it extracts the EAP message value and crafts an EAP
Challenge packet of type MD5 Challenge and sends it back to the Client.
8. On receiving this packet the client extracts the value of the Challenge and the ID
of the EAP message. It then calculates the response value of this challenge by
performing an MD5 hash of the following: EAP-Message Id + User Password +
the Challenge value. This is inserteds into an EAP Message of type 4, ID as that
of the request and code ‘2’ indicating a response EAP packet of type MD5
challenge. The packet is again transmitted back to the NAS server.
9. The NAS server forwards this EAP response packet by encapsulating it in an
Access-Request Packet to the RADIUS server.
10. The radius server verifies the Message-Authenticator and the RequestAuthenticator values to check the authenticity and integrity of the packet.It then
extract the Challenge/Response value from the EAP-Message attribute. The
response to the challenge is identified by matching the EAP Message ID which
was issued at the time of generating the Access-Challenge packet. The server now
performs a similar MD5 hash of the EAP-Message id + challenge issued + user
password from the user database.
11. If both the Values match, an Access-Accept packet with other configuration
parameters and an EAP Message attribute of type EAP – Success is created and
sent to the NAS.
12. The NAS in turn performs the usual checks on the Request–Authenticator and the
Message-Authenticator attributes and on success forwards the EAP-Success
message to the client.
13. The Client at this point is connected to the remote network or further negotiations
on Network Core Protocol (NCP) layer might take place.
14. If both the Values do not match, an Access-Reject packet with an EAP Message
attribute of type EAP-Failure is created and sent to the NAS.
15. The NAS in turn performs the usual checks on Request–Authenticator and
Message Authenticator attributes and on success forwards the EAP-Failure
message to the client.
16. The Client at this point is denied access to the remote network and a suitable
message describing the error is displayed to the user as per the error code returned
by NAS.
Section 8: Drawbacks of EAP-MD5
EAP-MD5 Authentication protocol closely resembles the PPP-CHAP protocol. When
used with RADIUS, it provides a limited protection against replay attacks and does not
send clear text passwords over the transmitting media. However a lot of other
disadvantages do exist. While EAP-MD5 might be considered as an authentication
protocol over non-promiscuous channel, like dial-up access, other forms of utilization do
impose a considerable amount of risk in exposing user credentials. Here are some of the
issues we should consider before using EAP-MD5.
1. No mutual Authentication
2. No Protection against offline brute-force/Dictionary based attacks on user
passwords.
3. User passwords need to be stored in clear or reversibly encrypted format.
4.
5.
6.
7.
8.
Vulnerable to Man-in-the-middle attacks
In case of large installations, management of shared secrets becomes an overhead.
No Integrity protection
Minimum protection against replay attacks.
No support for Confidentiality
Section 9: Possible EAP methods which addresses the weakness of EAP-MD5
EAP-MD5 is a legacy authentication protocol for PPP based systems. Though it is
convenient for the user and provides better security than PAP, the number of
disadvantages it has in the present computing environment outnumber its advantages. It is
highly desirable to move onto stronger authentication techniques to address the
drawbacks of this protocol as described in the previous section. Certificate based
authentication is highly desirable in vulnerable remote access environments, dealing with
sensitive user identities. EAP-TLS, EAP-PEAP, EAP-TTLS, Cisco-LEAP etc, are the
protocols which offer much better security than the legacy EAP-MD5. A thorough
discussion of these protocols is outside the scope of this document. Please refer to the
corresponding RFC’s for further discussion on these protocols.
Section 10: References
1.
2.
3.
4.
RFC 2284 - PPP Extensible Authentication Protocol (EAP)
RFC 2865 – Remote Authentication Dial-In User Service (RADIUS)
RFC 2869 – RADIUS Extensions
RFC 1994 – PPP Challenge Handshake Authentication Protocol (CHAP)
Compiled By:
Sudipto Chakraborty
ISmart International Limited
Download