
RADIUS Shared Secret Security Amplification A practical approach to improved security



Presentation Transcript


  1. RADIUS Shared Secret Security Amplification
     A practical approach to improved security
     http://www.funk.com/documents/draft-funk-radiusext-shared-secret-amp-00.txt
     Paul Funk, Funk Software

  2. Shared Secret Question
     • Is RADIUS encryption/validation good enough?
     • Primary threat is dictionary attack
       • Attacker must have layer 2 traffic visibility
     • In theory:
       • Yes, if you use a strong shared secret
       • More so if you use IPsec
       • Proper network hygiene helps
     • In practice:
       • Security police cannot force strong shared secrets to be used
       • IPsec introduces its own kind of nightmare

  3. Make It Easier For Administrators
     • Use PKCS-5 to convert ordinary secrets to strong ones:
       • Start with a “precursor” secret
       • “Amplify” its security by repeated PKCS-5 hashing
     • Precursor secret can be administrator-friendly:
       • Can be remembered
       • Doesn’t need to be written down
     • Amplified shared secret:
       • Is much more resistant to dictionary attack
       • Can be generated via a simple utility (need not be built into RADIUS clients and servers)
       • Can be configured into existing RADIUS equipment by copy-and-paste
       • Can be regenerated as needed from the precursor

  4. Amplification Process
     • PKCS-5 is used to amplify the precursor:
       • Hash the precursor secret 1,048,576 times (2^20)
       • Output 12 octets of pseudo-random data
       • Base64-encode into 16 ASCII characters
     • Example:
       • If precursor secret is “swordfish” …
       • Amplified shared secret is “g6QvQuRgRsl1AQ/E”
     • Try demo at:
       • http://www.funk.com/PasswordAmplifier

  5. Using a Salt For Increased Security
     • Optional “salt” improves security flavor:
       • The salt is just an additional piece of text
       • It is mixed with the precursor during hashing
       • Salt ensures entropy meets minimum requirements, even with weak precursor secrets
     • Deployment:
       • Administrator defines a domain-wide salt
       • Technicians pick precursors to generate shared secrets as needed

  6. Security Analysis
     • Ordinary dictionary attack against the precursor:
       • Takes a million times longer
       • Attacker must perform a million hashes for each candidate precursor
       • Attack that might have taken an hour now takes over a hundred years
       • Equivalent to adding 20 bits of entropy to the password
     • Dictionary attack directly against the amplified shared secret:
       • Infeasible, as it has 96 bits of apparent entropy
     • Precomputed dictionary attack:
       • Attacker computes many amplified shared secrets from precursors and stores them on CD-ROM
       • Uses CD-ROM in dictionary attack
       • Once the CD-ROM is developed, dictionary attack against the amplified secret is equivalent to attack against the precursor
       • However, it will take decades to create the CD-ROM
       • And storage capacity needs to run in the terabytes

  7. Recommendations
     • Ordinary text is estimated at 2.5 bits of entropy per character:
       • 12 character secret has 30 bits of entropy
       • 16 character secret has 40 bits of entropy
     • Suggest precursors of at least 12, preferably 16 characters:
       • 12 character secret has 50 bits of entropy after amplification
       • 16 character secret has 60 bits of entropy after amplification
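A worked version of the amplification procedure from slides 4 and 5, with the entropy estimate of slides 6 and 7, added here as example code; it is not the draft's or Funk Software's utility. It assumes PKCS #5 v2 PBKDF2 with HMAC-SHA1 as the pseudo-random function and feeds the domain-wide salt in as the PBKDF2 salt, neither of which the slides specify, so its output for “swordfish” need not equal the deck's “g6QvQuRgRsl1AQ/E”.

```python
import base64
import hashlib
import math

# Parameters from slide 4: 2^20 hash iterations and 12 output octets,
# which base64 encodes to exactly 16 ASCII characters (no '=' padding).
ITERATIONS = 1 << 20
OUTPUT_OCTETS = 12
SECRET_LENGTH = 16
BITS_PER_CHAR = 2.5  # slide 7's estimate for ordinary text


def amplify(precursor: str, salt: str = "", iterations: int = ITERATIONS) -> str:
    """Derive an amplified RADIUS shared secret from an administrator-friendly precursor.

    Assumption: PBKDF2-HMAC-SHA1 as the PKCS #5 PRF; the optional domain-wide
    salt (slide 5) is the PBKDF2 salt. An empty salt means "no salt configured".
    """
    derived = hashlib.pbkdf2_hmac(
        "sha1",
        precursor.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=OUTPUT_OCTETS,
    )
    secret = base64.b64encode(derived).decode("ascii")
    # 12 octets -> 16 base64 characters, ready to paste into RADIUS configuration
    assert len(secret) == SECRET_LENGTH and "=" not in secret
    return secret


def estimated_entropy_bits(precursor: str, iterations: int = ITERATIONS) -> float:
    """Slides 6/7 estimate: 2.5 bits per character of ordinary text plus
    log2(iterations) bits of work-factor amplification (20 bits for 2^20)."""
    return BITS_PER_CHAR * len(precursor) + math.log2(iterations)


if __name__ == "__main__":
    # Constructed deployment per slide 5: one administrator-chosen domain-wide
    # salt, per-device precursors picked by technicians. Values are made up.
    domain_salt = "example-corp-radius-salt"
    for device, precursor in [("nas-01", "swordfish"), ("nas-02", "sixteen char pass")]:
        print(device, amplify(precursor, domain_salt),
              f"~{estimated_entropy_bits(precursor):.0f} bits after amplification")
```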
