
Re: [radext] #86: MD5 Stream Cipher Weaknesses



#86: MD5 Stream Cipher Weaknesses

Changes (by bernard_aboba@…):

  * status:  new => closed
  * resolution:  => fixed


Comment:

 Note that the Access-Request isn't the only RADIUS packet not protected by
 a MIC in the Authenticator field;  Status-Server also isn't protected that
 way.

 The proposed resolution is to change Section 3 to the following:

 3.  The Current State of RADIUS Security

    RADIUS packets, as defined in [RFC2865], are protected by an MD5
    message integrity check (MIC), within the Authenticator field of
    RADIUS packets other than Access-Request [RFC2865] and Status-Server
    [RFC5997].  The Message-Authenticator Attribute utilizes HMAC-MD5 to
    authenticate and integrity protect RADIUS packets.

    While RADIUS does not support confidentiality of entire packets,
    various RADIUS attributes support encrypted (also known as "hidden")
    values, including: User-Password [RFC2865, section 5.2], Tunnel-
    Password [RFC2868, section 3.5], and various Vendor-Specific
    Attributes, such as the MS-MPPE-Send-Key and MS-MPPE-Recv-Key
    attributes defined in [RFC2548, section 2.4].  Generally speaking,
    the hiding mechanism uses a stream cipher based on a key stream from
    an MD5 digest.  Attacks against this mechanism are described in
    [RFC3579] Section 4.3.4.

    Recent work on MD5 collisions does not immediately compromise these
    functions absent knowledge of the RADIUS shared secret.  However, the
    progress toward compromise of MD5's basic cryptographic assumptions
    has resulted in the deprecation of MD5 usage in a variety of
    applications.

 Add the following references to Section 8:

 [RFC2548]  Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC
            2548, March 1999.

 [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.
            and I. Goyret, "RADIUS Attributes for Tunnel Protocol
            Support", RFC 2868, June 2000.

 [RFC5997]  DeKok, A., "Use of Status-Server Packets in the Remote
            Authentication Dialin User Service (RADIUS) Protocol", RFC
            5997, August 2011.

-- 
---------------------------------------+------------------------------------
 Reporter:  bernard_aboba@…            |        Owner:            
     Type:  defect                     |       Status:  closed    
 Priority:  major                      |    Milestone:  milestone1
Component:  Crypto-Agility             |      Version:  1.0       
 Severity:  Active WG Document         |   Resolution:  fixed     
 Keywords:                             |  
---------------------------------------+------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/86#comment:1>
radext <http://tools.ietf.org/radext/>
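
The hiding mechanism the proposed Section 3 text refers to, shown for the User-Password case of RFC 2865 section 5.2; this is an added example, not part of the original message or of the draft. It also shows why the Request Authenticator has to be unique per request: the first keystream block depends only on the shared secret and that field. The secret, authenticators and function names are constructed for illustration.

```python
import hashlib

def _md5_stream(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """XOR 16-octet blocks with b(i) = MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth            # b(1) is keyed by the Request Authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ k for x, k in zip(block, key))
        out += res
        prev = block if decrypt else res     # always chain on the ciphertext block
    return out

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)   # null-pad to a multiple of 16
    return _md5_stream(password.ljust(padded_len, b"\x00"), secret, request_auth, False)

def unhide_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden value must be 16..128 octets, multiple of 16")
    return _md5_stream(hidden, secret, request_auth, True).rstrip(b"\x00")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
RA_1 = bytes(range(16))
RA_2 = bytes(range(16, 32))

def same_authenticator_leaks_xor(p1: bytes, p2: bytes) -> bool:
    """True when reuse of one Request Authenticator exposes p1 XOR p2 (first block)."""
    c1 = hide_user_password(p1, SECRET, RA_1)
    c2 = hide_user_password(p2, SECRET, RA_1)
    plain_xor = xor(p1.ljust(16, b"\x00")[:16], p2.ljust(16, b"\x00")[:16])
    return xor(c1[:16], c2[:16]) == plain_xor

if __name__ == "__main__":
    hidden = hide_user_password(b"correct horse battery", SECRET, RA_1)
    print(len(hidden), unhide_user_password(hidden, SECRET, RA_1))
    print("keystream reused under same authenticator:",
          same_authenticator_leaks_xor(b"winter2011", b"summer2012"))
```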

