Enhancing Eduroam Security with New Standards and Practices

Slide Note
Embed
Share

Explore the foundations of eduroam and the challenges with RADIUS, along with recommendations for improving security. Learn why moving away from RADIUS/UDP and adopting shared secrets of 16 characters is essential. Discover the issues with transitioning from UDP to RADIUS/TLS, and the new standards introduced to enhance security and compatibility. Stay informed about TLS, DTLS, and RADIUS 1.1 updates for a secure network environment.

pippa
pippa Follow

Uploaded on Jul 20, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Making eduroam safer New standards and practices Alan DeKok, FreeRADIUS Underground B Thursday June 6, 2023

  2. What are the foundations of eduroam? eduroam is built on RADIUS RADIUS is just about the worst thing ever invented The big questions are: What is wrong with RADIUS? How can we make it better? How will it help you, the administrators of eduroam? 2

  3. What is wrong with RADIUS RADIUS is a dumpster fire of bad implementations and terrible security MD5 has been broken for a decade https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/ a hobbyist attacker can crack all possible RADIUS shared secrets of eight characters in about a day Users location can be tracked within 15m or less GPDR issues are large. 3

  4. What you can do Use shared secrets of 16 characters, derived from a cryptographic source Do not use RADIUS/UDP or RADIUS/TCP Do not use RADIUS/UDP or RADIUS/TCP Do not use RADIUS/UDP or RADIUS/TCP Do not use RADIUS/UDP or RADIUS/TCP [1] #!/usr/bin/env perl use MIME::Base32; use Crypt::URandom(); print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n"; 2nw2-4cfi-nicw-3g2i-5vxq [1] Only use it in a secure network. Never over the Internet. 4

  5. Issues with moving away from UDP We can all use just RADIUS/TLS, or IPSec, right? But IPSec is harder than TLS FreeRADIUS has had a long-standing issue with TLS and does not implement RADIUS/DTLS Microsoft NPS does not implement RADIUS/TLS Radsecproxy does not run on Windows 5

  6. New standards Moving RADIUS/TLS and RADIUS/DTLS to standards track FIPS compatible RADIUS: RADIUS 1.1 How to keep your security people happy! CoA even when using NAT TLS-PSK Multi-hop ping / traceroute packet Get information about proxies! 6

  7. TLS, DTLS, and RADIUS 1.1 Not much more to be said about TLS and DTLS updates. RADIUS 1.1 is 100% compatible with existing RADIUS/TLS No more MD5, can be used in a FIPS environment Essentially nothing else changes. It s just RADIUS with a small splash of paint on it. It s not a new protocol. Proxies should probably upgrade to RADIUS 1.1 as quickly as possible 7

  8. CoA / Disconnect with NAT less relevant for eduroam, but could potentially help with security The idea is to leverage RADIUS/TLS connections Client connects to server, sends Access-Request Server re-uses that TLS connection to send CoA-Request to client! How would this be used in eduroam? 8

  9. Certificate management Certificates are hard. Why? CAs are managed by the CAB Forum. B is for Browser i.e. web server certs are used for EAP, RADIUS/TLS, etc. Generally using a private CA is preferable to using a public (web) CA EAP - users already know about you, and need to be configured anyways RADIUS/TLS - only trusted administrators can connect Certificate renewal is an ongoing process which never stops! 9

  10. RADIUS traceRoute Still in development, but wide-spread agreement that it is useful Where are the packets going? What happens when they get there? radius traceroute @unitir.edu.al Tracks packets hop by hop through multiple layers of proxies returns information about each proxy it passes through Who runs the proxy Transport protocols used Connection status Lets you see where authentications are failing, but not always why 10

  11. The future New standards should make it easier to manage and debug eduroam networks. the radius traceroute alone should be a significant improvement 11

  12. Thank you Any questions? aland@freeradius.org

Related


Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Overview of Human Factors and Automotive Standards YouTube Series

Overview of Human Factors and Automotive Standards YouTube Series

otto
Functional Safety and Cyber Security International Standards Update

Functional Safety and Cyber Security International Standards Update

warner
ANSI C12.1 Overview and Current Events

ANSI C12.1 Overview and Current Events

hiro
Tanzania Bureau of Standards: Managing E-Waste with Standards

Tanzania Bureau of Standards: Managing E-Waste with Standards

kelsey
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Milk and Milk Products: Regulations and Standards in India

Milk and Milk Products: Regulations and Standards in India

amoura
Evolving Security Practices in DevOps: A Holistic Approach

Evolving Security Practices in DevOps: A Holistic Approach

madisyn
Enhancing Security Definitions for Functional Encryption

Enhancing Security Definitions for Functional Encryption

kalila
Understanding Computer Security Principles and Practices

Understanding Computer Security Principles and Practices

jos_o
BCA 601(N): Computer Network Security

BCA 601(N): Computer Network Security

danna
AEP Enterprise Security Program Overview - June 2021 Update

AEP Enterprise Security Program Overview - June 2021 Update

aubriella
Deploying Secure Applications on Azure PaaS

Deploying Secure Applications on Azure PaaS

keahi
Software Security Principles and Practices: Enhancing Program Code Security

Software Security Principles and Practices: Enhancing Program Code Security

abcde
Overview of Internal Audit Standards and Accounting Standards

Overview of Internal Audit Standards and Accounting Standards

hadassah
Current Standards Process for Reliability, Resilience, and Security

Current Standards Process for Reliability, Resilience, and Security

jalen
IEEE Vehicular Technology Society Standards Update

IEEE Vehicular Technology Society Standards Update

gracelyn
Optimized Standards for Medical Device Safety and Performance in the EU

Optimized Standards for Medical Device Safety and Performance in the EU

esau
International Approaches to Enhance Nuclear Safety and Security

International Approaches to Enhance Nuclear Safety and Security

mazarine
Best Practices for Cleaning Standards Forum

Best Practices for Cleaning Standards Forum

innes
Understanding IoT Security Standards and Protocols

Understanding IoT Security Standards and Protocols

pandora
Understanding Cyber Security and Risks

Understanding Cyber Security and Risks

kathryn
Overview of Social Security and Health Care System in Turkey

Overview of Social Security and Health Care System in Turkey

violeta
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

joso_597

More Related Content

Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Certification and Training in Information Security
Certification and Training in Information Security
Understanding LXI Network Security in Industrial Environments
Understanding LXI Network Security in Industrial Environments
TSA Updates on Security Training Rule for OTRB Companies
TSA Updates on Security Training Rule for OTRB Companies
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Data Governance and Security in Higher Education Institutions
Understanding Data Governance and Security in Higher Education Institutions
Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
European Standards for Plant Biostimulants Development
European Standards for Plant Biostimulants Development
AFDO-Managed Retail Program Standards Grant Program Overview
AFDO-Managed Retail Program Standards Grant Program Overview
New Jersey 2023 Student Learning Standards for ELA Overview
New Jersey 2023 Student Learning Standards for ELA Overview
Enhancing Rail Security in the European Union
Enhancing Rail Security in the European Union
Understanding PeopleSoft Security: A Comprehensive Guide
Understanding PeopleSoft Security: A Comprehensive Guide
Enhancing Food Safety Standards and Crisis Preparedness
Enhancing Food Safety Standards and Crisis Preparedness
Understanding Wireless Security Audits and Best Practices
Understanding Wireless Security Audits and Best Practices
Data Storage, Backup, and Security Essentials
Data Storage, Backup, and Security Essentials
Early Learning & Kindergarten Standards Alignment: A Path to Success
Early Learning & Kindergarten Standards Alignment: A Path to Success
Safety and Energy Efficiency Regulations Overview by Mauritius Standards Bureau
Safety and Energy Efficiency Regulations Overview by Mauritius Standards Bureau
National Occupational Standards (NOS) in Business Administration Overview
National Occupational Standards (NOS) in Business Administration Overview
Addressing Telecom Standards Challenges: A Case Study of TSDSI and Rural Cellular Coverage
Addressing Telecom Standards Challenges: A Case Study of TSDSI and Rural Cellular Coverage
Analysis of Standards for Safe Listening Devices
Analysis of Standards for Safe Listening Devices
Understanding Computer Communication Networks at Anjuman College
Understanding Computer Communication Networks at Anjuman College
Enhancing Electrical Safety Through IEC Standards
Enhancing Electrical Safety Through IEC Standards
International Maritime Organization (IMO) and IMSAS: Ensuring Compliance with Maritime Standards
International Maritime Organization (IMO) and IMSAS: Ensuring Compliance with Maritime Standards
Implementing Digital Product Passports: Best Practices and Standards Overview
Implementing Digital Product Passports: Best Practices and Standards Overview