International Association for Cryptologic Research


CryptoDB

Sharon Goldberg

Publications and invited talks

Year, Venue, Title

2025, RWC: Blast-RADIUS: breaking enterprise network authentication
The RADIUS protocol is the de facto standard lightweight protocol for authentication, authorization, and accounting for networked devices. It is used to support remote access for diverse use cases including network routers, industrial control systems, VPNs, enterprise Wi-Fi including the Eduroam network, Linux Pluggable Authentication Modules, and mobile roaming and Wi-Fi offload. This talk presents the Blast-RADIUS vulnerability, which allows a man-in-the-middle attacker to authenticate themselves to a device using RADIUS. Even in 2024, many of the above-mentioned applications still run RADIUS over UDP within an enterprise network (and in some cases even over the public Internet), and are hence affected by this vulnerability. RADIUS has previously escaped the scrutiny of the cryptography community, likely because it is predominantly used in enterprise contexts and hidden from end users. Only deployments using the EAP authentication method or the not-yet-standardized RADIUS over TLS are unaffected.

In a typical RADIUS deployment, a user sends their credentials to the RADIUS client, which then contacts the RADIUS server that validates the credentials. On success, the RADIUS server sends an Access-Accept packet back to the RADIUS client (e.g., a router), which will then grant the user access. The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a RADIUS client and server.

Our attack exploits an MD5 chosen-prefix collision to produce Access-Accept and Access-Reject packets with identical Response Authenticators. This allows our attacker to transform a reject into an accept without knowledge of the shared secret. We show how to fit the collision blocks within RADIUS attributes that will be echoed back from the server. We improved and optimized the MD5 chosen-prefix attack to produce collisions online in less than five minutes (which could be reduced with further engineering efforts). This talk discusses proof-of-concept applications of our attack against popular RADIUS implementations, and the large-scale disclosure process and mitigation efforts in collaboration with CERT and IETF.
2019, ASIACRYPT: Efficient Noninteractive Certification of RSA Moduli and Beyond
In many applications, it is important to verify that an RSA public key (N, e) specifies a permutation over the entire space $\mathbb{Z}_N$, in order to prevent attacks due to adversarially-generated public keys. We design and implement a simple and efficient noninteractive zero-knowledge protocol (in the random oracle model) for this task. Applications concerned about adversarial key generation can just append our proof to the RSA public key without any other modifications to existing code or cryptographic libraries. Users need only perform a one-time verification of the proof to ensure that raising to the power e is a permutation of the integers modulo N. For typical parameter settings, the proof consists of nine integers modulo N; generating the proof and verifying it both require about nine modular exponentiations.

We extend our results beyond RSA keys and also provide efficient noninteractive zero-knowledge proofs for other properties of N, which can be used to certify that N is suitable for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to the recent work of Auerbach and Poettering (PKC 2018), who provide two-message protocols for similar languages, our protocols are more efficient and do not require interaction, which enables a broader class of applications.
2012, ASIACRYPT

2008, EUROCRYPT