RADIUS Authentication and Shared Secret, is secure?



The way most 2FA services for RADIUS work is by acting as a server hosted locally or in the cloud that authenticates RADIUS requests from agents, and then sends the request to their own servers using their own protocols (disclosure: I work for such a company and have studied and built such services).

That means the data flows like so:

[You] => [VPN|router|service|etc] => [agent] => [2FA RADIUS server] => [2FA service]

There are a number of places to attack:

- between you and the VPN-thing: one would hope this is protected through other means. This would likely require a man-in-the-middle attack.
- between the VPN-thing and the agent: they're usually the same thing, so it's either an in-memory attack, or an IPC attack. This means you'd need to be on the same box with elevated privileges.
- between the agent and the 2FA RADIUS server: I suspect this is your biggest concern. It's the RADIUS protocol, which means it's dependent on what auth mechanism it's using for the user. Most use PAP, which uses a shared key to "encrypt" and "decrypt" just the password (quotes meaning it's a bit iffy). This would likely require a man-in-the-middle attack.
- between the 2FA RADIUS server and the 2FA web services: one would also hope this is protected through other means. This would likely require a man-in-the-middle attack.

So what does this mean? Yes, someone can read everything but the password in your RADIUS requests if they get between the agent and the server. This is somewhat trivial if the server is in the cloud. It's a little more difficult if the RADIUS server is on the same closed network as the agent. It's debatable whether an attacker can decrypt the password, as it's dependent on the strength of the shared secret, and how many packets they can steal.

Additionally, you have the shared secret if you're communicating directly with the RADIUS server. If everyone has the same shared secret then anyone can decrypt anyone's password.
