An international group of cybersecurity researchers has developed an attack scheme that allows RADIUS (Remote Authentication Dial-In User Service), an authentication protocol used in network applications around the world, to be compromised. Its weak point turned out to be the protocol's own use of the MD5 hash function.
The RADIUS protocol was developed in 1991 by Livingston Enterprises and approved as an official standard by the Internet Engineering Task Force (IETF) in 1997. Since 1994, RADIUS has relied on its own construction built around the MD5 hash function. MD5, created in 1991 and approved by the IETF in 1992, became popular for creating message digests: mechanisms that accept an arbitrary set of data (a number, text, or file) and output a hash 16 bytes long.
It was originally thought that a potential attacker would be unable to find two sets of input data that produce the same hash. But MD5's security was found to be insufficient, and the function is more susceptible to collisions than previously thought. In 2004, this was officially confirmed (PDF) by Shandong University (China) scientists Xiaoyun Wang and Hongbo Yu; three years later, researchers from the Netherlands and Switzerland built on their work (PDF).
To demonstrate the potentially devastating consequences of their proposed attack, the European researchers used their scheme to create two X.509 cryptographic certificates with the same MD5 signature but different public keys and Distinguished Name field contents. As a result of such a collision, a certificate authority, intending to sign a certificate for one domain, unknowingly signs it for another, malicious one. In 2008, the same scientists created a rogue certificate authority as part of a demonstration – it generated TLS certificates that were trusted by all major browsers. A key component of the attack was the Hashclash application developed by the researchers, which is now publicly available.
The new attack scheme, Blast-RADIUS (PDF), affects all systems that use the protocol. It relies on a man-in-the-middle (MITM) attack, allowing an attacker to gain administrative access to devices that authenticate against a RADIUS server. The attack scheme developed in 2008 required 2,800 core-days of computing power, the equivalent of a single processor core running for 2,800 days; Blast-RADIUS requires only 39 core-hours. By distributing the load across a cluster of 2,000 processor cores aged between 7 and 10 years and four low-end graphics cards, the researchers reduced the actual attack time to five minutes. After analyzing Amazon EC2 pricing, they found that it was possible to exceed these capacities with resources rented for $50 per hour, and these resources could be scaled further; given that RADIUS-based systems have login timeouts of only 30-60 seconds, the threat seems quite realistic.
The only way to fully fix the RADIUS vulnerability is to transmit data over the secure TLS or DTLS protocols, and the IETF working group is currently updating the specification to take this protection method into account. But a major update of this kind will take a very long time: months or even years. Some RADIUS implementations, including those from Microsoft, still do not support TLS. Therefore, as a temporary solution for environments where RADIUS data must still be transmitted over plain UDP, it is proposed to require Message-Authenticator attributes, which are based on the HMAC-MD5 packet authentication mechanism. FreeRADIUS, Radiator, Cisco, Microsoft and Nokia have already proposed updates to this effect.
“This measure breaks compatibility with older implementations that may not include Message-Authenticators in requests or responses. However, unlike other options, this is not a fundamental protocol change and can be deployed as a simple update to clients and servers,” the researchers warn. Moreover, if the sender includes Message-Authenticator when sending data but the receiving party does not require the attribute, the vulnerability remains; the scientists described two additional attack scenarios for this case.
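The Message-Authenticator check described in the two paragraphs above, as an added example that is not from the article or from any of the vendors it names: it builds a RADIUS packet carrying the attribute and then verifies it, with a `require` switch showing why a receiver that does not insist on the attribute stays exposed. The shared secret, identifier and authenticator values are constructed for the illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869 section 5.14)
USER_NAME = 1
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def encode_attr(attr_type, value):
    # RADIUS attributes are Type(1) Length(1, counts itself) Value TLVs.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_packet(code, ident, authenticator, attrs):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def add_message_authenticator(secret, code, ident, authenticator, attrs, request_auth=None):
    """Return the packet with a valid Message-Authenticator as its last attribute.
    The HMAC-MD5 runs over the packet with the attribute value zeroed; for responses,
    request_auth (the Request Authenticator) replaces the authenticator field in the
    keyed hash, as RFC 2869 prescribes."""
    hash_auth = authenticator if request_auth is None else request_auth
    zeroed = encode_packet(code, ident, hash_auth,
                           attrs + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return encode_packet(code, ident, authenticator,
                         attrs + encode_attr(MESSAGE_AUTHENTICATOR, mac))

def verify_message_authenticator(secret, packet, request_auth=None, require=True):
    """True only if the Message-Authenticator checks out under the shared secret.
    With require=False a packet that simply omits the attribute passes unchecked:
    that is the gap left when a receiver does not insist on it."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= len(packet):  # walk the attribute list
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            found = pos + 2  # offset of the 16-byte MAC value
        pos += length
    if found is None:
        return not require
    hash_auth = packet[4:20] if request_auth is None else request_auth
    zeroed = packet[:4] + hash_auth + packet[20:found] + bytes(16) + packet[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[found:found + 16], expected)
```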