Hello, I used wireshark to sniff communication between my radisu server and the user-password attribute is encrypted 0000 3e ca 2d b0 97 2b b3 f9 0c e9 fc e7 e0 ed e9 fd to test if this is strong enough I wanted to ask if there is a way to decrypt this user-password attribute since my radisu server is doign proxy to other radius server. actually my radius server is authenticating a WiFi captive portal and is prosying requests upon username@domainname user attributes are stripped from domain and sent to proper radius server my question is how much is risky to have user-passsword attribute travellign across the network ? is the encryption applyed to the user-password strong enough ? thanks Rick
The User-Password value is a MD5 chained pad based on the shared secret and packet authenticator. The password is XOR'd over the pad and this is chained to the next pad. The process is reversible. Essentially this is as close to a perfect encryption scheme as you can get - entirely depending on the cryptographic strength of the authenticator's randomness, the shared secret, and the MD5 message digest algorithm. It's probably good enough depending on who's snooping. Computer randomness is not great, the MD5 algorithm has collisions, and your shared secret could be poor or compromised. Riccardo Veraldi wrote:
Hello, I used wireshark to sniff communication between my radisu server and the user-password attribute is encrypted
0000 3e ca 2d b0 97 2b b3 f9 0c e9 fc e7 e0 ed e9 fd
to test if this is strong enough I wanted to ask if there is a way to decrypt this user-password attribute since my radisu server is doign proxy to other radius server.
actually my radius server is authenticating a WiFi captive portal and is prosying requests upon username@domainname
user attributes are stripped from domain and sent to proper radius server
my question is how much is risky to have user-passsword attribute travellign across the network ? is the encryption applyed to the user-password strong enough ?
thanks
Rick
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Riccardo Veraldi wrote:
I used wireshark to sniff communication between my radisu server and the user-password attribute is encrypted
Yes... go read the RFC's. This is what's supposed to happen. We're already aware of it.
to test if this is strong enough I wanted to ask if there is a way to decrypt this user-password attribute since my radisu server is doign proxy to other radius server.
Huh? If you have a shared secret with the NAS, the proxy will automatically decrypt it. There's nothing more that you need to do.
my question is how much is risky to have user-passsword attribute travellign across the network ? is the encryption applyed to the user-password strong enough ?
It's good enough for most people. Alan DeKok.
Am 29.04.2008 um 14:54 schrieb Riccardo Veraldi:
Hello, I used wireshark to sniff communication between my radisu server and the user-password attribute is encrypted
0000 3e ca 2d b0 97 2b b3 f9 0c e9 fc e7 e0 ed e9 fd
to test if this is strong enough I wanted to ask if there is a way to decrypt this user-password attribute since my radisu server is doign proxy to other radius server.
actually my radius server is authenticating a WiFi captive portal and is prosying requests upon username@domainname
user attributes are stripped from domain and sent to proper radius server
my question is how much is risky to have user-passsword attribute travellign across the network ? is the encryption applyed to the user-password strong enough ?
I do not know the particular protocol that you are using, but, as far as I know, mostly if the password is not transported as clear text, it is transpotred as hash, see for example: http://en.wikipedia.org/wiki/Cryptographic_hash_function (As the above dump shows 16 bytes, it could be MD5. If it is, see for example: http://en.wikipedia.org/wiki/Md5 )
thanks
Rick
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Riccardo Veraldi wrote:
Hello, I used wireshark to sniff communication between my radisu server and the user-password attribute is encrypted
0000 3e ca 2d b0 97 2b b3 f9 0c e9 fc e7 e0 ed e9 fd
to test if this is strong enough I wanted to ask if there is a way to decrypt this user-password attribute since my radisu server is doign proxy to other radius server.
actually my radius server is authenticating a WiFi captive portal and is prosying requests upon username@domainname
user attributes are stripped from domain and sent to proper radius server
my question is how much is risky to have user-passsword attribute travellign across the network ? is the encryption applyed to the user-password strong enough ?
Some analysis in the document cited below, I can't comment on the quality of the analysis or it's conclusions, perhaps others might. An Analysis of the RADIUS Authentication Protocol http://www.untruth.org/~josh/security/radius/radius-auth.html -- John Dennis <jdennis@redhat.com>
participants (5)
-
Alan DeKok -
John Dennis -
Michael Lecuyer -
Nicolas Goutte -
Riccardo Veraldi