openFATE - openSUSE feature tracking > #309931


Server name/certificate subject validation in EAPOL authentications (NetworkMana

Feature state

openSUSE-11.3
Unconfirmed
openSUSE-11.4
New

Description

We, at the Hungarian eduroam community,
realized that the lack of this capability in NetworkManager is a VERY SERIOUS
threat. In the eduroam infrastructure it's quite possible that your home RADIUS
server's certificate is signed by the same CA as one or some of the numerous
RADIUS servers proxying your request, so any of these servers can easily (even
accidentally!) open your SSL-encrypted TTLS or PEAP tunnel, for example.
The problem gets even worse if you don't specify exactly the CA which signed
your certificate, but trust every CA cert in /etc/ssl/certs (a very common
scenario).
However, since your home RADIUS server's certificate is transmitted in
cleartext at the beginning of the PEAP/TTLS communication, it can be easily
sniffed with Wireshark, and a relatively desperate attacker can purchase his own
certificate from your CA.
If this attacker deploys his own AP/router/RADIUS server, he can easily read
your passwords (in case of TTLS/PAP authentication), or your NTLM password
hashes (in case of TTLS/MSCHAPv2 or PEAP/MSCHAPv2). And the sad thing is that
this MSCHAPv2 can be cracked VERY EASILY by john ( http://www.openwall.com/john/
). According to my experience it can be cracked five times faster than old Unix
crypt password hashes :((( I managed to crack three out of four real-life
passwords in an hour without advanced dictionaries or specific options. One
password (consisting of eight digits) was cracked by simple brute force within
an hour! (
http://forums.remote-exploit.org/tutorials-guides/13728-tutorial-cracking-leap-networks-asleap-john.html
)
Upstream here: https://bugzilla.gnome.org/show_bug.cgi?id=341323
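
As an added illustration, not part of this feature request or of NetworkManager's code: the plain-Python model below shows why the two configurations the description calls common (trusting every CA in the system store, or pinning the right CA but checking nothing else) both let a second server holding a certificate from the same CA terminate the tunnel, and why a server-name check closes that gap. The name check copies the semantics of wpa_supplicant's domain_suffix_match option (the name equals the configured suffix or ends with "." followed by it, so the match is label-aligned; dNSName SANs are checked first and the subject CN only when there are none). The certificate fields, CA names and host names are constructed for the example; there is no X.509 parsing, chain building or expiry checking here.

```python
"""Added example (not from the openFATE request or NetworkManager): a toy model of
the EAP server-certificate decision, showing why pinning the CA is not enough when
other RADIUS servers hold certificates from the same CA, and what a name check adds.
All certificates, CA names and host names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Constructed stand-in for the fields of the RADIUS server's X.509 certificate."""
    issuer: str                      # name of the CA that signed it
    subject_cn: str                  # subject commonName
    dns_sans: Tuple[str, ...] = ()   # dNSName entries of subjectAltName, if any


def domain_suffix_matches(name: str, suffix: str) -> bool:
    """Suffix match with the semantics of wpa_supplicant's domain_suffix_match:
    the name equals the suffix, or ends with '.' + suffix, so the match is aligned
    to a label boundary ('xhome-uni.example' does not match 'home-uni.example')."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def server_name_matches(cert: ServerCert, suffix: str) -> bool:
    """Check the dNSName SANs; fall back to the subject CN only when there are none,
    which is the order wpa_supplicant documents for domain_suffix_match."""
    names = cert.dns_sans or (cert.subject_cn,)
    return any(domain_suffix_matches(n, suffix) for n in names)


def accept_server(cert: ServerCert, trusted_cas: FrozenSet[str],
                  domain_suffix: Optional[str] = None) -> bool:
    """Decide whether the supplicant should proceed with the TTLS/PEAP tunnel.
    Chain building, expiry and revocation are out of scope for this model."""
    if cert.issuer not in trusted_cas:
        return False
    if domain_suffix is None:          # no name check configured
        return True
    return server_name_matches(cert, domain_suffix)


# Constructed scenario: the home server and a rogue server share the same CA.
HOME_CA = "Example Federation CA"
HOME_SERVER = ServerCert(HOME_CA, "radius.home-uni.example", ("radius.home-uni.example",))
ROGUE_SERVER = ServerCert(HOME_CA, "radius.attacker.example", ("radius.attacker.example",))
# A broad system trust store (e.g. everything under /etc/ssl/certs) versus one pinned CA.
SYSTEM_STORE = frozenset({HOME_CA, "Some Commercial CA", "Another Public CA"})
PINNED_CA = frozenset({HOME_CA})


def evaluate_policies() -> Dict[str, Tuple[bool, bool]]:
    """Return, per policy, (home server accepted, rogue server accepted)."""
    policies = {
        "any system CA": (SYSTEM_STORE, None),
        "pinned CA only": (PINNED_CA, None),
        "pinned CA + domain_suffix_match": (PINNED_CA, "home-uni.example"),
    }
    return {
        label: (accept_server(HOME_SERVER, cas, suffix),
                accept_server(ROGUE_SERVER, cas, suffix))
        for label, (cas, suffix) in policies.items()
    }


if __name__ == "__main__":
    for label, (home_ok, rogue_ok) in evaluate_policies().items():
        print(f"{label:32s} home={home_ok!s:5s} rogue={rogue_ok!s:5s}")
```

Only the third policy rejects the rogue server while still accepting the home one. In a real wpa_supplicant network block the equivalent is to point ca_cert= at the single federation CA rather than a whole directory and to add domain_suffix_match= (or altsubject_match=DNS:... for an exact name); that is the check the request asks NetworkManager to expose.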

Discussion

V. B. wrote: (4 years ago)

Yes, this is a serious problem. There is no option in wpa_supplicant to authenticate the RADIUS server AFAIK. NetworkManager is just a frontend to wpa_supplicant. It would be good to cooperate with upstream on
http://hostap.epitest.fi/wpa_supplicant/ .

Last change: 3 years ago
Voting
Score: 3
  • Negative: 0
  • Neutral: 0
  • Positive: 3
Tags

No tags yet.
