CryptoDB
Blast-RADIUS: breaking enterprise network authentication
| Authors: | |
|---|---|
| Download: | |
| Presentation: | Slides |
| Abstract: | The RADIUS protocol is the de facto standard lightweight protocol for authentication, authorization, and accounting for networked devices. It is used to support remote access for diverse use cases including network routers, industrial control systems, VPNs, enterprise Wi-Fi including the Eduroam network, Linux Pluggable Authentication Modules, and mobile roaming and Wi-Fi offload. This talk presents the Blast-RADIUS vulnerability which allows a man-in-the-middle attacker to authenticate themselves to a device using RADIUS. Even in 2024, many of the above-mentioned applications still run RADIUS over UDP within an enterprise network (and in some cases even over the public Internet), and are hence affected by this vulnerability. RADIUS has previously escaped the scrutiny of the cryptography community, likely because it is predominately used in enterprise contexts and hidden from end users. Only deployments using the EAP authentication method or the not-yet-standardized RADIUS over TLS are unaffected. In a typical RADIUS deployment, a user sends their credentials to the RADIUS client, which then contacts the RADIUS server that validates the credentials. On success, the RADIUS server sends an Access-Accept packet back to the RADIUS client (e.g., a router), which will then grant the user access. The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a RADIUS client and server. Our attack exploits an MD5 chosen-prefix collision to produce Access-Accept and Access-Reject packets with identical Response Authenticators. This allows our attacker to transform a reject into an accept without knowledge of the shared secret. We show how to fit the collision blocks within RADIUS attributes that will be echoed back from the server. We improved and optimized the MD5 chosen-prefix attack to produce collisions online in less than five minutes (which could be reduced with further engineering efforts). This talk discusses proof of concept applications of our attack against popular RADIUS implementations, and the large-scale disclosure process and mitigation efforts in collaboration with CERT and IETF. |
| Video: | https://youtu.be/IgyK9QYRQMI |
BibTeX
@misc{rwc-2025-35859,
title={Blast-RADIUS: breaking enterprise network authentication},
note={Video at \url{https://youtu.be/IgyK9QYRQMI}},
howpublished={Talk given at RWC 2025},
author={Sharon Goldberg and Miro Haller and Nadia Heninger and Mike Milano and Dan Shumow and Marc Stevens and Adam Suhl},
year=2025
}