One document matched: draft-ietf-roamops-sec-00.txt
ROAMOPS Working Group Yuan John Jiang
Internet Draft MCI
expires in six months October 1997
Secure Radius Server Operation Guidelines for Dial Roaming
<draft-ietf-roamops-sec-00.txt >
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are
working documents of the Internet Engineering Task Force
(IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other
than as work in progress.
To learn the current status of any Internet-Draft, please check
the id-abstracts.txt listing contained in the Internet-Drafts
Shadow Directories on ds.internic.net (US East Coast),
ic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
munnari.oz.au (Pacific Rim).
The distribution of this memo is unlimited. It is filed as
<draft-ietf-roamops-sec-00.txt>, and expires in April, 1998.
Please send comments to the author.
Abstract
Authenticating and authorizing roaming dialup users requires
messages to be exchanged among facilities managed by two or
more service providers, and secure operation of the facilities
is of vital importance. This document provides guidelines for
operating such facilities when using the Remote Authentication
Dial In User Service (RADIUS) protocol and the companion
accounting protocol for authentication and accounting message
exchange. 1
Y. J. Jiang [1]
October, 1997
1 Introduction
Internet dial roaming is described in [1] and demonstrated in
[2]. Such a service usually requires that user authentication
messages be exchanged among facilities administrated by
different service providers.
It is common practice to use the RADIUS protocol as defined in
[3] for authentication and the RADIUS accounting protocol [4]
for accounting message exchanges. The protocols have a few
weaknesses, which make roaming services particularly prone to
security risks.
This document does not intend to invent new schemes to overcome
difficulties in secure operation but rather defines good
practices within the limits of the current RADIUS framework.
1.1 Terminology
This document frequently uses the following terms:
Network Access Server (NAS)
A network device that users dial up in order to obtain access
to the network.
RADIUS server
A network component that receives RADIUS or Accounting
Request packets.
Home RADIUS server
A Radius server that verifies a dialup user's identity.
Proxy RADIUS server
An intermediate Radius server between a NAS and a home Radius
server used to relay and modify RADIUS or Accounting packets.
A proxy server acts as a RADIUS client to the downstream
Radius server and a server to an upstream server or a NAS.
1.2 Specification of Requirements
In this document, several words are used to signify the
requirements of the specification. These words are often
capitalized.
MUST This word, or the adjective "required", means that the
definition is an absolute requirement of the specification.
Y. J. Jiang [2]
October, 1997
MUST NOT This phrase means that the definition is an absolute
prohibition of the specification.
SHOULD This word, or the adjective "recommended", means that
there may exist valid reasons in particular circumstances to
this item, but the full implications must be understood and
carefully weighed before choosing a different course.
MAY This word, or the adjective "optional", means that this
item is one of an allowed set of alternatives. An
implementation which does not include this option MUST be
prepared to interoperate with another implementation which
does include the option.
1.3 RADIUS and dial roaming
The primitive use of RADIUS protocol is for the authentication
message exchange between a NAS receiving a user's call and a
Radius authentication server maintaining the user database.
RADIUS
NAS <---------> RADIUS Server
Typically, the NAS sends the server an Access-Request packet
containing the user's username, authentication data and
requested service and resource information, and the server
replies with an Access-Reject or Access-Accept packet
containing the rejection reason or the information on the
service and resources authorized for the user. The accounting
Request and response packets are exchanged in a similar
fashion.
In dial roaming, to authenticate a user, message exchanges are
not limited to one client and one server. At least one proxy
Radius server is involved between the NAS and the home Radius
authentication server containing the user database.
RADIUS RADIUS
NAS <-------> Proxy RADIUS Server <-------> Home RADIUS Server
More complicated operation models described in [2] involve two
or more cascading proxy Radius servers or one RADIUS packet
branched out to two or more Radius servers. For roaming user
authentication, authorization and accounting, the Radius
facilities -- the NASs and the proxy and home Radius servers --
are managed by different service providers, and the RADIUS
packets are transported over the public network beyond the
control of the NAS and the home Radius server operators.
Security risks increase because authentication and accounting
Y. J. Jiang [3]
October, 1997
packets have much higher chance than in a single operator
environment to be captured, modified and injected by
adversaries.
2 Security weaknesses in RADIUS protocol
2.1 Packet integrity and sender identity checking
A Radius client and server maintain between them a shared
secret. If a server can derive from a received packet that the
sender has the correct IP address and knows the shared secret,
it is convinced of the client's identity. The same scheme
applies when a client checks a server's identity from a
response packet received.
RADIUS protocol and the accounting protocol frequently use an
Authenticator field in combination with the shared secret to
check packet integrity and sender identity. For example, the
Authenticator is the MD5 digest of
Accounting-Request Code + Identifier + zero-filled Authenticator
+ Attributes + Shared Secret
for an Accounting-Request packet or
Response Code + Identifier + Request Authenticator + Attributes
+ Shared Secret
for an Access or Accounting Response packet.
RADIUS Access-Request packets, however, contain no packet
integrity checking fields, nor have they sender identity
checking fields unless User-Password attributes are present.
An Authenticator field in an Access-Request packet is a random
number and does not offer any packet integrity checking. A
User-Password attribute is the plain-text user password encoded
with the MD5 digest of the octet stream consisting the shared
secret and the Authenticator.
A home Radius server has the correct user password in its user
database to compare with the one decoded from the User-Password
attribute. When the comparison is successful, it can be sure
of the NAS's identity; otherwise, it cannot tell whether the
sender does not know the shared secret or does not have the
correct user password. Further, the User-Password attribute
does not help at all a proxy server, which does not have the
correct user password at hand, to check the packet sender's
identity.
Y. J. Jiang [4]
October, 1997
2.2 Hop-by-hop vs. end-to-end security
In dial roaming, the packet sender identity and message
integrity checking mechanism used between a client and server
described above is carried over to the checking between the
RADIUS components in every hop. This is considered an
advantage. For example, an intermediate hop may provide some
user services, which require modification of the attributes in
the Access-Request and Access-Accept packets to reflect the
resources requested and the resources authorized according to
the service specifics.
On the other hand, for user authentication, this hop-by-hop
model is considered to be less secure than full end-to-end
authentication if the intermediate hops cannot be fully
trusted. This is the case when an adversary can pose as a
legitimate RADIUS component in the chain of packet passage, or
when some of the intermediate proxy servers may alter the
packet content beyond their business contract or legal
capacities or even inject fraudulent packets in the passage.
The hop-by-hop vs. end-to-end dilemma arises from the facts
that RADIUS protocol is used not only for authentication but
also for resource authorization purposes and that the
intermediate Radius servers in a proxy chain are often needed
to play roles in resource authorization rather than simply for
packet relay.
The attributes a Radius server is interested in depends on the
role it plays. However, a Radius server may play more than one
role, and more than one server may be interested in the same
attributes. Framed-IP-Address attribute in an Access-Accept
packet, for example, is assigned sometimes by the NAS
operator's Radius server and sometimes by the home Radius
server.
2.3 Data confidentiality
RADIUS protocol and the companion accounting protocol have no
attribute information hiding capability except on
authentication credential attributes such as User-Password.
The password hiding in CHAP-Password attribute is inherent from
CHAP, but the password hiding in a User-Password attribute is
limited considering the intermediate RADIUS components not
involved in user authentication can decode the password.
Y. J. Jiang [5]
October, 1997
User password checking is usually the role of the home Radius
server. No intermediate Radius servers should have any
business in the User-Password attribute, but unfortunately they
all can decode and even edit the user password.
The lack of data confidentiality leaves exposed
- dialup users' usage information,
- network operators' facility information, and
- service providers' customer bases.
It puts users' privacy and service providers and operators'
trade secret at risk.
It would be desirable if an attribute could be inspected only
by the designated RADIUS facility.
2.4 Using IPsec
Many have suggested using IPsec to overcome the security
problems with RADIUS and the accounting protocols. This may
help in packet integrity and sender identity checking,
preventing replay attacks and, to some extent, data
confidentiality. However, as a lower layer measure, IPsec
cannot solve the hop-by-hop vs. end-to-end dilemma in the upper
layer and prevent a proxy server from tampering with attributes
beyond its intended scope.
2.5 Attribute level security
The ultimate solution to the hop-by-hop vs. end-to-end dilemma
and the data confidentiality problem lies with attribute level
security, with which an attribute can be inspected and edited
only by the specified Radius servers in the proxy chain.
However, RADIUS, designed as a simple protocol, is not likely
ever to be extended to include attribute level security.
Without attribute level security, the length of a proxy chain
and the complexity of a roaming relation are limited by trust,
and proxy servers should not be used only for packet relay
without any other benefit.
3 Security risks
Because of the above RADIUS protocol weaknesses, the immediate
risks in roaming user authentication are
- theft of user passwords,
Y. J. Jiang [6]
October, 1997
- theft of services,
- denial of services, and
- fraudulent packet injection.
For example, lack of Access-Request packet sender identity
checking unless a User-Password attribute is used gives an
adversary a chance to pose as a legitimate RADIUS client using
IP spoofing techniques. This adversary can take advantage of
lack of message integrity and sender identity checking
- to launch a dictionary attack and obtain a user's CHAP
password,
- to replay a captured Access-Request packet and exhaust the
resources
authorized to a user, or
- to replay captured Access-Request packets and overload the
Radius server.
4 Signature attribute
An Internet Draft [5] has proposed adding a Signature attribute
to overcome the security weakness in checking sender identity
and content integrity of Access-Request packets. The content
of the attribute is an MD-5 [3] digest of the shared secret
followed by the entire Access-Request packet, including the
Code, ID, Length and Authenticator. When the digest is
calculated the signature string is filled with sixteen octets
of zero.
At this writing, a few NAS vendors have planned to implement
this feature in their products. In a roaming relation, the
Signature attribute MUST be used in any Access-Request packet
sent across administrative boundaries. This attribute should
be used even when the packet contains a User-Password
attribute.
A proxy Radius server must strip the Signature attribute, if
present, in an Access-Request packet received from a NAS or an
up-stream Radius server and must add its own Signature
attribute to the packet when sending to the down-stream Radius
server. An Access-Request packet MUST not contain more than
one Signature attribute.
5 Authenticator
The Authenticator field in an Access-Request packet must be
used strictly accordingly to [3]. Otherwise, intercepted
Y. J. Jiang [7]
October, 1997
Access-Request packets can be replayed by an adversary for
denial of service attacks, and intercepted Access-Accept
packets can be used for theft of services.
The RADIUS protocol specification states:
In Access-Request Packets, the Authenticator value is a 16
octet random number, called the Request Authenticator. The
value SHOULD be unpredictable and unique over the lifetime
of a secret (the password shared between the client and the
RADIUS server), since repetition of a request value in
conjunction with the same secret would permit an attacker to
reply with a previously intercepted response. Since it is
expected that the same secret MAY be used to authenticate
with servers in disparate geographic regions, the Request
Authenticator field SHOULD exhibit global and temporal
uniqueness.
The Request Authenticator value in an Access-Request packet
SHOULD also be unpredictable, lest an attacker trick a
server into responding to a predicted future request, and
then use the response to masquerade as that server to a
future Access-Request.
A proxy Radius server typically has many clients and with each
maintains a different shared secret. It is possible that more
than one Accept-Request packet with the same Authenticator
content may come from different clients but destined for the
same down-stream Radius server. Therefor, to maintain the
uniqueness and unpredictable nature of the Authenticator, the
proxy server MUST strip the Authenticator from a received
Access-Request packet and insert its own when forwarding the
packet to the downstream Radius server.
This Authenticator alteration may not be compatible with the
practice of many NASs when authenticating using Challenge
Handshake Authentication Protocol (CHAP). These NASs fill the
Authenticator with the 16-byte CHAP challenges. A Radius
server identifies this situation by the presence of a
CHAP-Password attribute in a received Access-Request packet and
the absence a CHAP-Challenge attribute. In this case, the
proxy Radius server MUST copy the Authenticator to a
CHAP-Challenge attribute and insert its own Authenticator
before forwarding the packet to the down-stream Radius server.
Y. J. Jiang [8]
October, 1997
6 User-Password attribute
In a proxy chain of a roaming authentication, any intermediate
hop can decode the user password contained in a User-Password
attribute. The revelation or editing of the user password by
intermediate parties imposes security risks. Therefore, this
User-Password attribute MAY not be used in roaming user
authentication unless a one-time user password system is used.
This usually means that PAP may not be used.
7 Acknowledgements
The author wishes to thank Cesar Cortes of MCI, Sara Lee of
Concert and Jill Hacker for insightful comments.
8 References
[1] B. Aboba, G. Zorn. "Dialing Roaming Requirements."
Internet draft (work in progress),
draft-ietf-roamops-roamreq-05.txt, Microsoft, July, 1997.
[2] B. Aboba, J. Lu, J. Alsop, J. Ding, W. Wang. "Review of
Roaming Implementations." RFC 2194, Microsoft, Aimnet, i-Pass
Alliance, Asiainfo, Merit, September, 1997.
[3] C. Rigney, A. Rubens, W. Simpson, S. Willens. "Remote
Authenti-cation Dial In User Service (RADIUS)." RFC 2138,
Livingston, Merit, Daydreamer, April, 1997.
[4] C. Rigney. "RADIUS Accounting." RFC 2139, Livingston,
April, 1997.
[5] C. Rigney, W. Willats. "RADIUS Extensions." Internet
draft (work in progress), draft-ietf-radius-ext-00.txt,
Livingston, January, 1997. 9
Author's Addresse
Yuan John Jiang
MCI Internet Engineering
2100 Reston Parkway
Reston, VA 20191
Phone: 703-715-7480
EMail: yjj@mci.net
Y. J. Jiang [9]
| PAFTECH AB 2003-2026 | 2026-04-21 19:13:10 |