RADIUS Shared Secret Security Amplification

A practical approach to improved security

http://www.funk.com/documents/draft-funk-radiusext-shared-secret-amp-00.txt

Paul FunkFunk Software

Shared Secret Question

• Is RADIUS encryption/validation good enough?– Primary threat is dictionary attack– Attacker must have layer 2 traffic visibility

• In theory:– Yes, if you use a strong shared secret– More so if you use IPsec– Proper network hygiene helps

• In practice:– Security police cannot force strong shared secrets to

be used– IPsec introduces its own kind of nightmare

Make It Easier For Administrators

• Use PKCS-5 to convert ordinary secrets to strong ones:– Start with “precursor” secret– “Amplify” its security by repeated PKCS-5 hashing

• Precursor secret can be administrator-friendly:– Can be remembered– Doesn’t need to be written down

• Amplified shared secret:– Is much more resistant to dictionary attack– Can be generated via simple utility (need not be built in to

RADIUS clients and servers)– Can be configured into existing RADIUS equipment by copy-

and-paste– Can be regenerated as needed from precursor

Amplification Process

• PKCS-5 is used to amplify the precursor:– Hash the precursor secret 1,048,576 times (2 ^ 20)– Output 12 octets of pseudo-random data– Base64-encode into 16 ASCII characters

• Example:– If precursor secret is “swordfish” …– Amplified shared secret is “g6QvQuRgRsl1AQ/E”

• Try demo at:– http://www.funk.com/PasswordAmplifier

Using a Salt For Increased Security

• Optional “salt” improves security flavor:– The salt is just an additional piece of text– It is mixed with precursor during hashing– Salt ensures entropy meets minimum requirements,

even with weak precursor secrets

• Deployment– Administrator defines domain-wide salt– technicians pick precursors to generate shared

secrets as needed

Security Analysis• Equivalent to adding 20 bits of entropy to password• Ordinary dictionary attack against precursor:

– Takes a million times longer• Attacker must perform a million hashes for each candidate precursor• Attack that might have taken an hour now takes over a hundred years

– Equivalent to adding 20 bits of entropy to password• Dictionary attack directly against the amplified shared secret:

– Infeasible, as it has 96 bits of apparent entropy• Precomputed dictionary attack:

– Attacker computes many amplified shared secrets from precursors and stores them on CD-ROM

– Uses CD-ROM in dictionary attack– Once CD-ROM is developed, dictionary attack against amplified secret

is equivalent to attack against precursor– However, it will take decades to create CD-ROM– And storage capacity needs to run in the terabytes.

Recommendations

• Ordinary text is estimated at 2.5 bits of entropy per character:– 12 character secret has 30 bits of entropy– 16 character secret has 40 bits of entropy

• Suggest precursors of at least 12, preferable 16 characters:– 12 character secret has 50 bits of entropy after

amplification– 16 character secret has 60 bits of entropy after

amplification