Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
CONTENTS
SALT Encryption
1.
INTRODUCTION ...........................................................................................................................................................................3 1.1 INTRODUCTION TO RADIUS ......................................................................................................................................................3 1.1.1 Radius Frame Format .......................................................................................................................................................3 1.1.2 Different type of Radius Packet .........................................................................................................................................3 1.2 INTRODUCTION TO SALT ...........................................................................................................................................................3
Issue:
2.
0.1
Author:
Eric Gavaldo
Date:
8 June, 2002
Location:
\
DESCRIPTION OF THE ALGORITHM.....................................................................................................................................4 2.1 NECESSARY COMPONENTS ..........................................................................................................................................................4 2.2 FORMAT OF THE RADIUS ATTRIBUTES......................................................................................................................................4 2.2.1 Standard Attributes............................................................................................................................................................4 2.2.2 Vendor-Specific Attributes.................................................................................................................................................5 2.2.3 Fields Details.....................................................................................................................................................................5 2.2.3.1 2.2.3.2 2.2.3.3 2.2.3.4
Type ........................................................................................................................................................................................ 5 Length ..................................................................................................................................................................................... 5 Salt Key................................................................................................................................................................................... 5 Encrypted Value....................................................................................................................................................................... 6
2.3 ENCRYPTION ALGORITHM ..........................................................................................................................................................6 2.4 DECRYPTION ALGORITHM ..........................................................................................................................................................6 2.5 EXAMPLE ...................................................................................................................................................................................7 2.5.1 Encryption .........................................................................................................................................................................7 2.5.2 Decryption .........................................................................................................................................................................8 3.
Rev. 0.1
Author Eric Gavaldo
Date 20/04/98
CONFIGURATION ........................................................................................................................................................................9 3.1 RADIUS SERVER SIDE ..............................................................................................................................................................9 3.1.1 Example .............................................................................................................................................................................9 3.2 CASE STUDY.............................................................................................................................................................................10 3.2.1 SALT Encryption Simple Negotiation..............................................................................................................................10 3.2.2 SALT Encryption Proxied Negotiation ............................................................................................................................10
Comment First Draft
Pa ge 1 o f 1 0
Pa ge 2 o f 1 0
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
2. Description of the Algorithm 1. Introduction SALT is a mechanism describing a method to encrypt/decrypt some data within RADIUS Frames. This is particularly useful for secure datas as “password-like”. Note that the Username is already encrypted using another encryption method as SALT. What I call “Password-like” is any attributes as “DODPassword” & so on.
2.1 Necessary components To encrypt/decrypt three elements are required: 2 Already existing components: • The Shared Secret (S) (the key known by the RADIUS server & the NAS). • The Request/Response Authenticator (RA) (sent in the RADIUS packet)
1.1 Introduction to RADIUS Radius is an Authentication & Authorization, Accounting and Configuration protocol based on the Client/Server model. Radius is based on top of UDP and use:
1 new component: • The Salt key (SALT): 16-byte plain-text value. (non-encrypted) (sent in front of the encrypted attribute value in the RADIUS packet).
Port 1645 or 1812 for Authentication & Authorization Port 1646 or 1813 for Accounting
2.2 Format of the RADIUS Attributes 1.1.1 Radius Frame Format Code
Id.
Length
8bits
8bits
16bits
2.2.1 Standard Attributes The non-encrypted Standard Attributes will be from the following shape: Authenticator Group
Attribute - 1 Type 8bits
128bits
Length 8bits
Attribute - 2 Value Variable
Type 8bits
Length 8bits
Value variable
Attributes or parameters Attribute - 1 Type 8bits
Length 8bits
Attribute - 2 Value Var.
T 8bits
L 8bits
… V Var.
T 8bits
L 8bits
If the Standard Attribute - 2 must be encrypted, here is how the complete Attribute list will be presented: V Var. Attribute - 1 Type 8bits
1.1.2 Different type of Radius Packet
Length 8bits
Attribute - 2 Value Variable
Type 8bits
Length 8bits
Salt Key 16bits
Encrypted Value Variable
According to the value of the “Code” Field, the Radius Packet will be of one specific type: 1 2 3 4 5 11 12 13
Access-Request Access-Accept Access-Reject Accounting-Request Accounting-Response Access-Challenge Status-Server Status-Client
Authenticating Authenticating + Authaurization Authenticating Accounting Accounting Authenticating
1645/1812 1645/1812 1645/1812 1646/1813 1646/1813 1645/1812
1.2 Introduction to SALT The salt-encryption allows to encrypt certain attributes passed between a NAS and a RADIUS server. • This encryption MAY be used by the RADIUS server or the NAS. • Each attribute ,within a packet, may be encrypted or not.
Pa ge 3 o f 1 0
Pa ge 4 o f 1 0
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
2.2.2 Vendor-Specific Attributes
2.2.3.4 Encrypted Value
The non-encrypted Vendor-Specific Attributes will be from the following shape:
The Encrypted Value field is one or more octets containing data that is length-prefixed and optionally padded.
Attribute - 1 Type 8bits
Length 8bits
VedorId. 32bits
Type 8bits
Length 8bits
Attribute - 2 Value Variable
Type 8bits
Length 8bits
•
Value variable
The data that follows the first octet contains the specific contents of the attribute.
•
Following the data, there may be additional octets of padding that carry no information but serve to obfuscate the actual length of the data.
If the Vendor-specific Attribute2 must be encrypted, here is how the complete Attribute list will be presented:
Attribute - 1 Type 8bits
Length 8bits
VedorId. 32bits
Type 8bits
Length 8bits
ENCRYPTED VALUE = C ( LENGTH + VALUE + PADDING)
Attribute - 2 Value Variable
Type 8bits
Length 8bits
The first octet indicates the number of significant data octets to follow, excluding any padding.
•
Salt Key 16bits
Enc.Value Variable
2.3 Encryption Algorithm The salt-encryption method closely corresponds the “password-hiding” method. The differences are:
2.2.3 Fields Details
• •
2.2.3.1 Type
The Salt is concatenated to the Shared secret (S) and Request Authenticator (RA) before computing the initial MD5 digest. An attribute may be padded to an arbitrary length or not.
The Type field is a single octet, this value remains unchanged from the non-encrypted attribute.
However, in order to obfuscate the actual length of the data, a padding strategy, such as null-padding to a multiple of 16 octets, SHOULD be employed.
2.2.3.2 Length
•
The salt-encryption method proceeds as follows: Construct a clear text version of the information to be encrypted; call this the Clear Text.
The Length filed is one octet, and indicates the length of the encrypted attribute including the Type, Length, Salt Key and Encrypted Value fields.
•
Break the Clear Text into chunks p1, p2, …, pi of up to 16-octets each. The last chunk may contain fewer than 16 octets.
•
Call the shared secret S, the pseudo-random 128-bit Request Authenticator RA, and the Salt Key SALT & build b1.
The length field value of an encrypted attribute may be slightly different from the length of the non-encrypted attribute.
•
Call the ciphertext blocks c(1), c(2), etc (for this, we’ll need successively intermediate values b1, b2, etc.)
Type 8bits
Length 8bits
Salt Key 16bits
b1 = MD5(S + RA + SALT) b2 = MD5(S + c(1)) . . . bi = MD5(S + c(i-1))
Encrypted Value Variable
LENGTH = Len ( TYPE + LENGTH + SALT KEY + ENCRYPTED VALUE)
c(1) = p1 c(2) = p2 . . c(i) = pi
xor b1 xor b2 . xor bi
Note that if the last chunk is fewer than 16 octets only the first part of the final MD5 digest bi is used in the XOR operation. The resulting Encrypted Value will contain c(1)+c(2)+...+c(i) where + denotes concatenation.
2.2.3.3 Salt Key The Salt field is two octets, and is used to encrypt/decrypt the attribute value. The Salt field isn’t encoded, it’s a plain-text field corresponding to a pseudo 16-bits random value.
2.4 Decryption Algorithm
This value is used with the Request Authenticator Value and the shared secret to encrypt/decrypt the data.
On receipt, the process is reversed to yield the Clear Text :
• each Salt Key value within a single packet is unique. • each Salt Key in an Access-Request packet sent by the NAS MUST have high-bit clear. • each Salt Key in an Access-Accept, Access-Reject, or Access-Challenge packet returned by the RADIUS server MUST have high-bit set.
Pa ge 5 o f 1 0
b1 = MD5(S + RA + SALT) b2 = MD5(S + c(1)) . . . bi = MD5(S + c(i-1))
p(1) = c1 xor b1 p(2) = c2 xor b2 . . . p(i) = ci xor bi
Pa ge 6 o f 1 0
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
2.5.2 Decryption
2.5 Example
Encrypted Attribute = 0x(F6 30 2A 64 EF 8C 1D 31 E0 60 EC 61 43 22 2D DA B6 27 81 78) Here is a simple example of the complete mechanism. Note that it shows the real calculated values to demonstrate the validity of the Algorithm. Shared Secret between NAS & Radius Server: Request Authenticator: SALT Key:
S = “radius” = 0x(72 61 64 69 75 73) RA = 0x(A8 C1 66 A7 54 FD F2 43 C0 F9 3E 9F EC B5 4A BB) SALT = 0x(1D 65)
2.5.1 Encryption Initial Clear tex t Attribute:=“myusername@mydomain” = 0x(6D 79 75 73 65 72 6E 61 6D 65 40 6D 79 64 6F 6D 61 69 6E)
c1=0x(F6 30 2A 64 EF 8C 1D 31 E0 60 EC 61 43 22 2D DA) c2=0x(B6 27 81 78)
b1 = MD5(S+RA+SALT) = MD5(72 61 64 69 75 73 A8 C1 66 A7 54 FD F2 43 C0 F9 3E 9F EC B5 4A BB 1D 65) = 0x(E5 5D 53 11 9C E9 6F 5F 81 0D 89 21 2E 5B 49 B5) p1 = c1 XOR b1 = 0x(F6 30 2A 64 EF 8C 1D 31 E0 60 EC 61 43 22 2D DA) XOR 0x(E5 5D 53 11 9C E9 6F 5F 81 0D 89 21 2E 5B 49 B5) = 0x(13 6D 79 75 73 65 72 6E 61 6D 65 40 6D 79 64 6F)
length = 19 = 0x(13) b2 = MD5(S + c1) = MD5(72 61 64 69 75 73 F6 30 2A 64 EF 8C 1D 31 E0 60 EC 61 43 22 2D DA) = 0x(DB 46 E8 16 49 D6 86 3B 16 BD 99 AB 13 9C 86 5B)
p1 = length+” myusername@mydo” = 0x(13 6D 79 75 73 65 72 6E 61 6D 65 40 6D 79 64 6F) p2 = ”main” = 0x(6D 61 69 6E)
p2 = c2 XOR b2 = 0x(B6 27 81 78) XOR 0x(DB 46 E8 16 49 D6 86 3B 16 BD 99 AB 13 9C 86 5B) = 0x(6D 61 69 6E) b1 = MD5(S+RA+SALT) = MD5(72 61 64 69 75 73 A8 C1 66 A7 54 FD F2 43 C0 F9 3E 9F EC B5 4A BB 1D 65) = 0x(E5 5D 53 11 9C E9 6F 5F 81 0D 89 21 2E 5B 49 B5)
p1+p2 = 0x(13 6D 79 75 73 65 72 6E 61 6D 65 40 6D 79 64 6F 6D 61 69 6E)
c1 = p1 XOR b1 = (13 6D 79 75 73 65 72 6E 61 6D 65 40 6D 79 64 6F) XOR (E5 5D 53 11 9C E9 6F 5F 81 0D 89 21 2E 5B 49 B5) = 0x(F6 30 2A 64 EF 8C 1D 31 E0 60 EC 61 43 22 2D DA)
Decrypted Attribute = 0x(6D 79 75 73 65 72 6E 61 6D 65 40 6D 79 64 6F 6D 61 69 6E)
b2 = MD5(S + c1) = MD5(72 61 64 69 75 73 F6 30 2A 64 EF 8C 1D 31 E0 60 EC 61 43 22 2D DA) = 0x(DB 46 E8 16 49 D6 86 3B 16 BD 99 AB 13 9C 86 5B) c2 = p2 XOR b2 = 0x(6D 61 69 6E) XOR 0x(DB 46 E8 16 49 D6 86 3B 16 BD 99 AB 13 9C 86 5B) = 0x(B6 27 81 78)
Encrypted Attribute = c1 + c2 = 0x(F6 30 2A 64 EF 8C 1D 31 E0 60 EC 61 43 22 2D DA B6 27 81 78)
Pa ge 7 o f 1 0
Pa ge 8 o f 1 0
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
Engi n ee r i ng - Er i c Gav al d o
6 /8 /20 02
3. Configuration
3.2 Case Study
When receiving an attribute within a packet, There is no way to know this attribute have been encrypted or not. So the only way to decrypt the right attributes seams to set a static encryption configuration both on the NAS and the RADIUS server.
3.2.1 SALT Encryption Simple Negotiation Encrypt List = 3, 4, 7, 9, 10
3.1 RADIUS Server Side
Decrypt List = 2, 4, 8
Radius Server
Encrypt List = 2, 4, 6 Decrypt List = 3, 4, 12, 13, 14
The equivalent of the SALT Specific entry in the NAS Configuration should be added on the RADIUS Side. So, a new entry file (for our RADIUS implementation, it is “salt-clients” by default) MUST contain:
LanRover
• •
S h iv a L a n R o v er A cc es s S wi tc h ESC
A list of NAS or RADIUS Servers (Proxying case)
Ac c es s S wi t ch t est De m o ns t rat i on + 3,3 V
ISDN
For each of them: ⇒ the equivalent of the SaltEncryptAttrList ⇒ the equivalent of the SaltDecryptAttrList
+5V
- 5V
+12V
- 12V
s el e ct
LRAS (1) Access-Request
AccessPort ISDN ON
LAN LAN
RX
TX TX
READY
B1 B1
B2
RING TEST RING
- UserName=“MyName” - UserPassword=“MyPassword” - Att.1=“Attribut1” - Att.2=“g!z%y&q#xw$bfµra” - Att.3=“Attribut3” - Att.4=“tx!z%yy&rzeq#xw$”
Setup
3.1.1 Example
(2) Access-Accept/Reject
#Client Name #---------------default 10.0.0.144 10.0.0.139
SaltEncryptAttrList -------------------4,shiva:6 1,2,4,32,24 13
- Att.1=“Attribut1” - Att.2=“Attribut2” - Att.3=“hx!&q#xfµa!fb/%k” - Att.4=“!%ygs&q#xw$bfµ” - Att.5=“Attribut5”
SaltDecryptAttrList ------------------8 1,4,2,20,32 14
3.2.2 SALT Encryption Proxied Negotiation Encrypt List = 3, 4, 7, 9
Encrypt List = 1, 2, 7, 9
Decrypt List = 2, 4, 5, 8
Decrypt List = 3, 4, 5, 11 Encrypt List = 3, 4, 5, 6
Encrypt List = 2, 4, 6, 9 Decrypt List = 3, 4, 12, 13, 14
LanRover
Radius Server
Proxier
Decrypt List = 1, 2, 12, 13, 14
Radius Server
Proxied
S h iv a L a n R o ver A c ces s Sw it ch
ESC
A cc es s S w i t ch t est D em o ns t rat i o n + 3,3 V
AccessPort ISDN ON
LLAN AN
RX
TX
READY B1 B1
B2
RING RING T EST
Setup
Pa ge 9 o f 1 0
+ 5V
- 5V
+ 12V
- 12V
se l ec t
LRAS
ISDN
(1) Access-Request
(2) Access-Request
- UserName=“MyName” - UserPassword=“MyPassword” - Att.1=“Attribut1” - Att.2=“g!z%y&q#xw$bfµra” - Att.3=“Attribut3” - Att.4=“tx!z%yy&rzeq#xw$”
- UserName=“MyName” - UserPassword=“MyPassword” - Att.1=“hèz%ggt-(lkmq&m:” - Att.2=“k-rf%y&q#kii$bfµ^*” - Att.3=“Attribut3” - Att.4=“Attribut4”
(4) Access-Accept/Reject
(3) Access-Accept/Reject
- Att.1=“Attribut1” - Att.2=“Attribut2” - Att.3=“hx!&q#xfµa!fb/%k” - Att.4=“!%ygs&q#xw$bfµ” - Att.5=“Attribut5”
- Att.1=“Attribut1” - Att.2=“Attribut2” - Att.3=“h_&x!&jhhyµa!pm” - Att.4=“lmèé(&qm$bfµ%*§” - Att.5=“jo%yh&qlku$bf#µ+”
Pag e 10 o f 1 0
