远程拨号接入系统的安全分析与改进实现

’an,Shaanxi710072,China赵玉亭，戴冠中，杨德明，陈旿，慕德俊西北工业大学自动化学院信息安全中心，西安，710072zhaoyuting77@gmail.comAbstract:ThelargecomputationofRADIUS(RemoteAccessDial-InUserService)implementationresultsinahighmisappropriationriskofuseraccountsfromRADIUSadministratorsandthelowefficiencyofuserauthentication.TheanalysisandimprovementofRADIUSareproposedandimplementedtoreducethecomplexityofauthenticationprogram,enhancetheefficiencyofsystemandavoidthemisappropriationriskfromRADIUSadministrators.Keywords:dial;RADIUS;networksecurity;AAA;NAS;authentication;authorization;account1.IntroductionThesubscribersofanInternetServiceProvider(ISP)needtoprovideuser-nameandcorrespondingpasswordforauthentication,authorizationandaccount(AAA)toaccessinternetresources.TheequipmentiscalledAAAserver.OnekindofAAAserverisNetworkAccessServer(NAS).AwidelyusedAAAprotocolisRemoteAccessDial-InUserService(RADIUS).RADIUSisproposedbyLucentTechnologies,Inc.RADIUSisdescribedinRFC-2865[1]andRFC-2866[2]byInternetEngineeringTaskForce(IETF).RADIUSspecifiesthecommunicationproceduresbetweenremoteusersandaNASandbetweenaNASandRADIUSserverstoimplementauthentication,authorizationandaccounting.Therestofthepaperisorganizedasfollows:Section2introducesthemodelandprotocolofanAAAsystemwithaNASbasedonRADIUS.Section3describestheAAAsystembasedonRADIUSwedevelopedforanISP.ThesecurityandefficiencyproblemsinRADIUSimplementareanalyzedinSection4.ThesolutionisproposedandimplementedinSection5.WiththecomparisonsoftheeffectsofdifferentimplementationofRADIUS,thelastsectionshowsthatourimprovementonRADIUSreducesthecomplexityofauthenticationprogram,enhancestheefficiencyinuserauthenticationandavoidstherisksofmisappropriationbytheadministrators.2.RADIUSProtocol2.1WhatIsRADIUSRADIUSisanAAAprotocolthatspecifiesthecommunicationprocedurebetween-1-remoteusersandaNASaswellasaNASandRADIUSServers.AnAAAsystemmodelwithaNASbasedonRADIUSisshowninFig.1below.RADIUSisbasedonClient/ServermodelandChallenge-ResponseInteraction.Asaserver,aNASreceivesinformationsentbyremoteusers(asClients)andrequiresthemtoresponseitschallenges.Atthesametime,NASshouldactasaclienttoresponsethechallengessentbyRADIUSservers.Fig.1AAASystemModelbasedonRADIUSTheremoteuserssendtheiruser-names,passwordsandotherinformationbyModems,ISDNadapters,routersandothernetworkingequipmentstoaNASthroughalongdistanceandlargerangetransportinPublicSwitchTelephoneNetwork(PSTN).TheNASisbetweenPSTNandInternetandconnectedtoanISP’sLAN.TheNASsendstheencryptedinformation,suchasuser-passwords,totheRADIUSauthenticationserver.TheRADIUSauthenticationserversendstheauthenticationresultandcorrespondingauthorizationinformationbacktotheNAS.ThentheNAScanauthorizetheremoteuserandsendaccountinginformationtoRADIUSAccountServer.Thiscanprovidethesourcedataforaccountinglater.RADIUSprotocolisencapsulatedinUserDatagramProtocol(UDP).TheUDPportnumberforRADIUSauthenticationserviceis1812[1],forRADIUSaccountingserviceis1813[2].2.2CommunicationProcedureofRADIUSRADIUSfirstlyneedstoregistersomeinformationincludingvalidNASanduser-passwordforthesecureandcorrectauthenticationbeforetheoperation.ThecommunicationproceduresbetweensubscribersandaNASaswellasaNASandRADIUSauthenticationoraccountingserversareasfollows:(1)AsubscribersendshisusernameandpasswordtoaNAS.ThentheNASsendsanAccessRequestpacket,inwhichtheuser-passwordareencryptedwithMD5[3],totheRADIUSauthenticationserver.(2)OncetheRADIUSauthenticationserverreceivestheAccessRequestpacket,itwillsearchthecorrespondingpasswordstoredin“users”file,inplain-text,inaccordancewiththeusernameintheincomingpacket.Aftertheencryptionof-2-(3)TheNASdeterminestheauthorizationofthesubscriber,basedontheresponseofRADIUSauthenticationserver.(4)Whenasubscriberissurfing,theNASneedstosendAccountingRequestpacketstoRADIUSaccountingserverperiodically.TheRADIUSaccountingservershouldrecordallaccountinginformationfromtheNAS,suchaslastingtime,uploadbytescount,uploadpacketscount,downloadbytescountanddownloadpacketscount.AfterrecordingeachAccountingRequestpacket,theRADIUSaccountingserverwillsendAccountingResponsepacketsbacktotheNAS.3.OurRADIUSAAASystemWedevelopedanRADIUS-basedAAAsystemforanISP.TheNASisHuaweiQuidway®A8010.ThebasicstructureisshowninFig.2below.Fig.2AAASystembasedonRADIUSwithaNASBesidestheRADIUSauthenticationandaccountingservers,weinstallaMicrosoft®SQLServer2000databaseserver,whichisbasedonOpenDatabaseConnection(ODBC),tostoreuserregistrationandaccountinginformation.AlltheaccountinginformationstoredinRADIUSaccountingserverarecollectedandrecordedintoSQLserverdatabasebyaprogramwritteninPerl.WealsopresentaManagementInformationSystem(MIS)forsys