International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Dan Shumow

Publications and invited talks

Year
Venue
Title
2025
RWC
Blast-RADIUS: breaking enterprise network authentication
The RADIUS protocol is the de facto standard lightweight protocol for authentication, authorization, and accounting for networked devices. It is used to support remote access for diverse use cases including network routers, industrial control systems, VPNs, enterprise Wi-Fi including the Eduroam network, Linux Pluggable Authentication Modules, and mobile roaming and Wi-Fi offload. This talk presents the Blast-RADIUS vulnerability which allows a man-in-the-middle attacker to authenticate themselves to a device using RADIUS. Even in 2024, many of the above-mentioned applications still run RADIUS over UDP within an enterprise network (and in some cases even over the public Internet), and are hence affected by this vulnerability. RADIUS has previously escaped the scrutiny of the cryptography community, likely because it is predominately used in enterprise contexts and hidden from end users. Only deployments using the EAP authentication method or the not-yet-standardized RADIUS over TLS are unaffected. In a typical RADIUS deployment, a user sends their credentials to the RADIUS client, which then contacts the RADIUS server that validates the credentials. On success, the RADIUS server sends an Access-Accept packet back to the RADIUS client (e.g., a router), which will then grant the user access. The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a RADIUS client and server. Our attack exploits an MD5 chosen-prefix collision to produce Access-Accept and Access-Reject packets with identical Response Authenticators. This allows our attacker to transform a reject into an accept without knowledge of the shared secret. We show how to fit the collision blocks within RADIUS attributes that will be echoed back from the server. We improved and optimized the MD5 chosen-prefix attack to produce collisions online in less than five minutes (which could be reduced with further engineering efforts). This talk discusses proof of concept applications of our attack against popular RADIUS implementations, and the large-scale disclosure process and mitigation efforts in collaboration with CERT and IETF.
2019
EUROCRYPT
An Analysis of NIST SP 800-90A 📺
Joanne Woodage Dan Shumow
We investigate the security properties of the three deterministic random bit generator (DRBG) mechanisms in NIST SP 800-90A [2]. The standard received considerable negative attention due to the controversy surrounding the now retracted $$\mathsf{{DualEC\text {-}DRBG}}$$DualEC-DRBG, which appeared in earlier versions. Perhaps because of the attention paid to the DualEC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper addresses a number of these gaps in analysis, with a particular focus on $$\mathsf{{HASH\text {-}DRBG}}$$HASH-DRBG and $$\mathsf{{HMAC\text {-}DRBG}}$$HMAC-DRBG. We uncover a mix of positive and less positive results. On the positive side, we prove (with a caveat) the robustness [13] of $$\mathsf{{HASH\text {-}DRBG}}$$HASH-DRBG and $$\mathsf{{HMAC\text {-}DRBG}}$$HMAC-DRBG in the random oracle model (ROM). Regarding the caveat, we show that if an optional input is omitted, then – contrary to claims in the standard—$$\mathsf{{HMAC\text {-}DRBG}}$$HMAC-DRBG does not even achieve the (weaker) property of forward security. We then conduct a more informal and practice-oriented exploration of flexibility in the standard. Specifically, we argue that these DRBGs have the property that partial state leakage may lead security to break down in unexpected ways. We highlight implementation choices allowed by the overly flexible standard that exacerbate both the likelihood, and impact, of such attacks. While our attacks are theoretical, an analysis of two open source implementations of $$\mathsf{{CTR\text {-}DRBG}}$$CTR-DRBG shows that these potentially problematic implementation choices are made in the real world.