[RADIATOR] Password/certificate security seems next to none on Radiator server

Nadav Hod nadav.hod at comm-it.co.il
Thu Oct 1 12:52:14 CDT 2015 

Thanks for the feedback Sami,

1) Securing information via TPM is suitable for integrity and encryption should the HD or VM be removed from the organization, but not suitable for confidentiality within the organization. Whoever has admin access to the server will have access to all keys, credentials and passwords necessary for Radiator (if those entities exist on the server, of course). My understanding of the merits of TPM is that it solves different attack vectors than what I'm referring to. 

And keep in mind that not just private keys need to be kept secure. To authenticate phones with EAP-TLS I needed the Cisco call manager's CA to be stored locally on Radiator. The certificate was self-signed and not exportable without a cisco admin account. If anyone else were to have access to that certificate they could impersonate my server. Same goes for any other supplicant with a CA which isn't made public.

2) Hashing passwords explicitly is possible, but difficult to manage especially if users have to change their passwords periodically.  Regarding this particular case I think AuthBy  LDAP2 is good enough.

3) Radsec in general is a great solution if deployed (kudos to OSC for its invention), but I'm fairly sure most radius deployments for network devices are stuck with PAP. Besides, not all NASes support Radsec and I'm sure many would prefer PAP because it's easier to manage if you're using different credentials per device.
These passwords are the ones I think should be protected since they are usually long-term and sensitive. Migrating every NAS to Active Directory defeats the separation of system administration from network administration, each time a new NAS has to be configured you would have a system admin create it for you under the correct OU and he would be the one to manage it in the future. If you want to have a AAA server for network admins only, you'd have to keep the passwords in cleartext.

Assuming you kept all NAS credentials on the server (unencrypted), you would in fact be providing any user with local admin on the server permission to access credentials which shouldn't concern them. I'd imagine in this day and age that big companies would want something like that mitigated. 

I'm interested in hearing if other users feel that these security measures are a worthy enhancement for future versions. At the very least it would help to be less dependent on existing system architecture for securing credentials.

________________________________________
From: radiator-bounces at open.com.au [radiator-bounces at open.com.au] on behalf of Sami Keski-Kasari [samikk at open.com.au]
Sent: Thursday, October 01, 2015 7:21 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

Hello Nadav,

I don't want to control the discussion too much, but since this is
public list I think that I need to clarify couple of things.

1. Certificates are public information. They are sent in clear text over
network for example during EAP-TLS/TTLS/PEAP conversation. So you don't
need to protect them.

What you need to protect is the sever private key.

If you have defined password for private key it means that it is
encrypted. In order to use it, you need to provide the password in order
to decrypt the private key.
If you want that process can start automatically you need to have access
to the private key encryption password.
I agree with Nick that external chip is the only way to provide strong
protection for the private key.

2. Radiator support hashed and encrypted user passwords.
For example if you are authenticating users from file, you can have
there for example:
User-Password={SSHA512}<hash> or User-Password={PBKDF2}
please see more in section 13.1.2 in reference manual.

Hashed passwords does not work with all authentication methods. For
example MSCHAPv2 that is used with PEAP requires to have access to clear
text or nt-hash format of password.

3. NAS shared secrets

It is possible to include NAS clients to SQL or LDAP database and use
their encryption mechanisms to protect shared secrets. Again you need to
define encryption key somewhere if you want Radiator to run autonomously.

NAS shared secrets are not user passwords. If you are using plain PAP
authentication it is used to protect User-Password but the protection is
not very strong. When you are using EAP-TLS/TTLS/PEAP then the TLS
tunnel is protecting user credentials and it offers much better protection.

Radiator supports also RADSEC that moves RADIUS traffic over TLS tunnel
and then you will get good protection for messages and you don't need to
define shared secrets since certificates are used.

Best Regards,
 Sami

On 10/01/2015 04:36 PM, Nadav Hod wrote:
> Hi Nick,
>
> Specific hardware for securing files on your server shouldn't be necessary for the use cases I'm suggesting. I've just integrated Radiator for the first time and I was shocked that for each NAS I had to keep the password in plaintext.
> Radiator is installed on servers worldwide whether physical or VM, I believe that each of them (regardless of hardware) should be provided with at least the same security as NPS which knows how to accept user passwords in plaintext and then obfuscate them (whether encrypted, hashed or otherwise).
>
> A solution can be integrated via software, and my suggestions use perl and openssl to secure sensitive information. Therefore only integration is necessary without new environments.
> ________________________________________
> From: Nick Lowe [nick.lowe at lugatech.com]
> Sent: Thursday, October 01, 2015 4:23 PM
> To: Nadav Hod
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Password/certificate security seems next to none on Radiator server
>
> If you wanted robust protection here, you would likely want to go down
> the route of a TPM or equivalent.
>
> Nick
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>


--
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator

More information about the radiator mailing list