Very sophisticated attack against the RADIUS protocol that uses flaws in the protocol as well as a novel variant of the MD5 chosen prefix collision. Cryptography from the 90s never goes away! https://www.blastradius.fail/attack-details
BLAST RADIUS

I was under the impression that RADIUS was some ancient protocol nobody used anymore (I remember it being big in the 90s dialup ISP infrastructure.) But of course it never went away and now it’s deployed for all sorts of decentralized auth: think VPNs and WiFi.

So like all 90s crypto it doesn’t use modern cryptographic methods (which, in fairness, barely existed.) Authentication is done with a challenge/response protocol that builds a “MAC” in some ad-hoc way using MD5. An MITM attacker between client and server can forge this.

Anyway: the important story here is not just the cool attack, but the fact that it really, really matters. How do you fix a protocol that’s fundamentally broken but that secures huge (and surprising) amounts of infrastructure, when most experts have forgotten it exists?
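To make the "ad-hoc MAC" concrete, here is an added example (my code, not from the thread or the Blast-RADIUS authors) that builds and verifies a RADIUS response the way RFC 2865 specifies it, with the Response Authenticator being a bare MD5 over the packet plus the shared secret, and adds the check a defender wants: requiring the HMAC-MD5 Message-Authenticator attribute (RFC 2869) rather than trusting the MD5 construction alone. The shared secret, request authenticator and User-Name value are constructed sample data.

```python
import hashlib
import hmac
import struct

MSG_AUTH_TYPE = 80  # Message-Authenticator attribute (RFC 2869 section 5.14)

def _header(code, ident, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs))

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret). Not a real MAC."""
    return hashlib.md5(_header(code, ident, attrs) + request_auth + attrs + secret).digest()

def find_msg_auth(attrs):
    """Return the offset of the 16-byte Message-Authenticator value inside attrs, or None."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return None  # malformed attribute list
        if atype == MSG_AUTH_TYPE and alen == 18:
            return i + 2
        i += alen
    return None

def build_response(code, ident, attrs, request_auth, secret):
    """Build an Access-Accept/Reject/Challenge that carries a filled-in Message-Authenticator."""
    attrs = attrs + bytes([MSG_AUTH_TYPE, 18]) + bytes(16)  # placeholder zeros, per RFC 2869
    off = find_msg_auth(attrs)
    mac = hmac.new(secret, _header(code, ident, attrs) + request_auth + attrs, "md5").digest()
    attrs = attrs[:off] + mac + attrs[off + 16:]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return _header(code, ident, attrs) + auth + attrs

def verify_response(packet, request_auth, secret, require_msg_auth=True):
    """Client-side check: MD5 Response Authenticator plus (by default) a mandatory HMAC-MD5."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    if not hmac.compare_digest(response_authenticator(code, ident, attrs, request_auth, secret), packet[4:20]):
        return False
    off = find_msg_auth(attrs)
    if off is None:
        return not require_msg_auth  # legacy response with no HMAC: reject unless explicitly allowed
    zeroed = attrs[:off] + bytes(16) + attrs[off + 16:]
    expected = hmac.new(secret, _header(code, ident, zeroed) + request_auth + zeroed, "md5").digest()
    return hmac.compare_digest(expected, attrs[off:off + 16])

# Constructed sample: an Access-Accept (code 2, id 7) with User-Name "alice" (type 1, length 7).
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-secret"
SAMPLE = build_response(2, 7, bytes([1, 7]) + b"alice", REQUEST_AUTH, SECRET)
```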
@matthew_d_green I can say with certainty as the idiot that said "yes I can kill NTLM" that there is no way you fix the old protocols. You kill the protocols with fire.
@SteveSyfuhs @matthew_d_green Ironically the only thing that still breaks out of the box if you disable NTLMv1 on a domain is Microsoft NPS doing RADIUS.
@jsmall @matthew_d_green that's not strictly true. It breaks MSCHAP usage. NPS will still use certificates for RADIUS auth just fine.
@SteveSyfuhs @matthew_d_green Well yep, that's the use case I was meaning.