Matthew GreenJul 9, 2024
Very sophisticated attack against the RADIUS protocol that uses flaws in the protocol as well as a novel variant of the MD5 chosen prefix collision. Cryptography from the 90s never goes away! https://www.blastradius.fail/attack-details
BLAST RADIUS

Show threadMatthew GreenJul 9, 2024

I was under the impression that RADIUS was some ancient protocol nobody used anymore (I remember it being big in the 90s dialup ISP infrastructure.) But of course it never went away and now it’s deployed for all sorts of decentralized auth: think VPNs and WiFi.

So like all 90s crypto it doesn’t use modern cryptographic methods (which in fairness, barely exists.) Authentication is done with a challenge/response protocol that builds a “MAC” in some ad-hoc way using MD5. An MITM attacker between client and server can forge this.

Show threadMatthew GreenJul 9, 2024
Anyway: the important story here is not just the cool attack, but the fact that it really, really matters. How do you fix a protocol that’s fundamentally broken but that secures huge (and surprising) amounts of infrastructure, when most experts have forgotten it exists?
Show threadSteve SyfuhsJul 9, 2024
@matthew_d_green I can say with certainty as the idiot that said "yes I can kill NTLM" that there is no way you fix the old protocols. You kill the protocols with fire.
Show threadtimJul 9, 2024

@SteveSyfuhs @matthew_d_green RADIUS is a lot like HTTP.

It has secure transports (RADIUS/TLS aka RadSec), it offers user authentication directly which you shouldn't use anymore, and it can also encapsulate other secure authentication protocols (aka EAP).

There is nothing wrong with RADIUS/TLS (or /DTLS) + EAP, and it will continue to be used for decades to come.

Show threadSteve Syfuhs
@timcappalli @matthew_d_green I don't believe the TLS form is ratified in a spec. There are also a bunch of EAP forms by vendor and it's unclear if all of them are unaffected or just some of them. They all have different message encapsulations on the wire.
Jul 9, 2024 at 10:37pmWeb
Show threadtimJul 9, 2024

@SteveSyfuhs @matthew_d_green there should be no TLS-based EAP methods affected by this (and those are the only ones that should be used).

Also, RADIUS/TLS has been standardized since 2012 (sure it's experimental status still, but it is widely implemented and proven interoperable).

Show threadChristoph PetrauschJul 10, 2024
@timcappalli @SteveSyfuhs @matthew_d_green then maybe lift it from.the experimental state after 12 years?
Show threadtimJul 10, 2024
@hikhvar @SteveSyfuhs @matthew_d_green it would have little to no real impact at this point. It is widely deployed.
Show threadChrISSPJul 10, 2024
@timcappalli @SteveSyfuhs @matthew_d_green Are you sure about that? Paper seems more dubious: "The TLS in EAP-TLS protects the EAP traffic but not the RADIUS packets that carry the EAP traffic, which are still transmitted over UDP in the clear. In theory, depending on implementation decisions made by the RADIUS client and server, our attack could work against RADIUS even when clients use EAP-TLS for authentication." Sure, if you're using RADSEC then you're fine but most orgs I know are using EAP-TLS or some variant (EAP-TTLS, EAP-TEAP etc) over standard RADIUS and that's a concern.