[RADIATOR] move Message-Authenticator to the top ?
Heikki Vatiainen
hvn at open.com.au
Wed Sep 11 09:39:42 UTC 2024
On 9.9.2024 9.10, Patrik Forsberg wrote:
> Upgrade sounds like a good plan then :>
It's good to upgrade and especially so if there's a possibility that the
Radius requests are transmitted over links where an attacker has the
possibility to try to alter the messages.
After the upgrade Radiator will automatically, no config changes needed,
reply to Access-Requests with Message-Authenticator included as the
first attribute. Proxied Access-Requests will also automatically include
Message-Authenticator as the first attribute.
There are also two new configuration parameters, one to require
Message-Authenticator in proxied replies and another to use with Radius
clients that are not able to send a Message-Authenticator. There are
more details on the Blast-RADIUS website and in our security notice on
our web pages.
>> Hmm, can you let me know what's the device in question? You can reply to me
>> directly too. The position of Message-Authenticator should not matter, even
>> when considering Blast-RADIUS mitigation.
>
> That was my thinking and I've already pushed a ticket to the vendor about it - I'll respond privately to you which - but as it is the bleeding edge release of a software it might be that the configuration knob to disable this behavior hasn't been implemented yet...
Adding the Message-Authenticator as the first attribute is a mitigation
for clients that *do not* check the Message-Authenticator. This might be
because the client has been kept as simple as possible, hasn't been
configured to require Message-Authenticator, etc. In this case the
position is important: it prevents the hash collision method the attack
uses.
Requiring Message-Authenticator and checking it too is better because
it's an HMAC, not a simple hash, and HMAC is not known to be broken. For
this reason Message-Authenticator can be at any position among the
attributes.
In short, if the client requires Message-Authenticator, the attack
prevention is not dependent on Message-Authenticator position.
Hopefully the vendor reviews the information that's now publicly
available for implementers.
--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
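The two checks discussed in the thread, as an added worked example that is not part of the original post and is not Radiator's code. It assembles a RADIUS Access-Reject with the Message-Authenticator (RFC 2869, attribute 80) either first or last, fills in the HMAC-MD5 and the RFC 2865 Response Authenticator, and then verifies both on the client side. The shared secret, Request Authenticator and Reply-Message are constructed here; the forged packet only flips the Code byte, so it does not reproduce the MD5 chosen-prefix collision used by Blast-RADIUS. What it does show is the point above: a client that requires and verifies the HMAC rejects the forgery wherever the attribute sits, while a client that only checks the Response Authenticator has nothing but the attribute order to protect it.

```python
"""Build and verify RADIUS Message-Authenticator / Response Authenticator.

Added example, not Radiator code. Secret, authenticator and attributes
below are constructed test data.
"""
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type
REPLY_MESSAGE = 18           # RFC 2865 attribute type
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def attr(t, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def build_response(code, ident, request_auth, attrs, secret, ma_first=True):
    """Response with Message-Authenticator placed first (Blast-RADIUS
    mitigation for non-checking clients) or last."""
    others = b"".join(attrs)
    placeholder = attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    body = placeholder + others if ma_first else others + placeholder
    ma_off = 2 if ma_first else len(others) + 2     # offset of the 16-byte value
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2869 5.14: HMAC-MD5 over the packet with the Request Authenticator in
    # the authenticator field and the Message-Authenticator value zeroed.
    ma = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:ma_off] + ma + body[ma_off + 16:]
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def build_response_without_ma(code, ident, request_auth, attrs, secret):
    """What a legacy server sends: Response Authenticator only."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_attrs(pkt):
    attrs, pos = [], 20
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:
            break
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_response_authenticator(pkt, request_auth, secret):
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def verify_message_authenticator(pkt, request_auth, secret):
    """Recompute the HMAC with the value zeroed; the attribute may sit anywhere."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if t == MESSAGE_AUTHENTICATOR:
            if l != 18:
                return False
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:4] + request_auth + pkt[20:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += max(l, 2)
    return False


def message_authenticator_is_first(pkt):
    """The check a non-verifying client's behaviour depends on."""
    return len(pkt) > 21 and pkt[20] == MESSAGE_AUTHENTICATOR


def accept_response(pkt, request_auth, secret, require_ma):
    """Client policy: (accepted, reason)."""
    if not verify_response_authenticator(pkt, request_auth, secret):
        return False, "bad Response Authenticator"
    has_ma = any(t == MESSAGE_AUTHENTICATOR for t, _ in parse_attrs(pkt))
    if require_ma and not has_ma:
        return False, "Message-Authenticator required but absent"
    if has_ma and not verify_message_authenticator(pkt, request_auth, secret):
        return False, "bad Message-Authenticator"
    return True, "ok"


def forge_accept(reject_pkt):
    """Naive on-path tamper: flip Access-Reject to Access-Accept, keep the rest."""
    return bytes([ACCESS_ACCEPT]) + reject_pkt[1:]


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", os.urandom(16)
    for first in (True, False):
        pkt = build_response(ACCESS_REJECT, 7, req_auth, [attr(REPLY_MESSAGE, b"denied")], secret, first)
        print("MA first:", first, "| genuine:", accept_response(pkt, req_auth, secret, True),
              "| forged:", accept_response(forge_accept(pkt), req_auth, secret, True))
```

Run against a real client, `accept_response(..., require_ma=True)` is the "require and check" configuration the post recommends; `message_authenticator_is_first` is only informative for a client that cannot verify the HMAC, which is the case the attribute-ordering mitigation exists for.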