Document ID: 44281
Last Updated 2004 July 19 0000 UTC (GMT)
For Public Release 2003 August 03 1600 UTC (GMT)
Status of This Notice: Final
Cisco Security Procedures
Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password—which is known by the client and the network, and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server.
As with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks.
Cisco has now announced the availability of EAP Flexible Authentication via Secure Tunneling (EAP-FAST) for users who wish to deploy an 802.1X Extensible Authentication Protocol (EAP) type that does not require digital certificates and is not vulnerable to dictionary attacks.
This notice will be posted at http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml.
The original report is located at http://www.securityfocus.com/archive/1/340365/2003-10-03/2003-10-09/2 . Cisco responded with the following, which is also archived at http://www.securityfocus.com/archive/1/340565/2003-10-03/2003-10-09/2 .
At DEFCON, on August 3, 2003, a presentation by Joshua Wright explored mechanisms that could make it easier for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The source code of the dictionary attack tool called "asleap" was released on April 6, 2004.
During a dictionary attack, variations of passwords are used to compromise a user's authentication credentials. Most password-based authentication algorithms are vulnerable to dictionary attacks in the absence of a strong password policy.
Cisco developed EAP-FAST for users who wish to deploy an 802.1X EAP type that does not require digital certificates and is not vulnerable to dictionary attacks.
Creating a strong password policy is the most effective way to mitigate against dictionary attacks. This includes using strong passwords and periodically expiring passwords. Cisco recommends that customers review their security policies and incorporate the best practices outlined in the 802.11 Wireless LAN Security White Paper - http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm (refer to section 5.2 "Cisco LEAP Deployment").
Users could migrate to another EAP type like EAP-FAST, PEAP or EAP-TLS whose authentication methods are not susceptible to dictionary attacks.
- EAP-FAST is an authentication protocol that creates a secure tunnel without using certificates.
- PEAP is a hybrid authentication protocol that creates a secured TLS tunnel between the WLAN user and the RADIUS server to authenticate the user to the network. This requires certificate and public key infrastructure (PKI) management on both RADIUS servers and WLAN clients.
- EAP-TLS uses pre-issued digital certificates to authenticate a user to the network. This requires certificate and PKI management on both RADIUS servers and WLAN clients.
This issue was originally reported on the Bugtraq mailing list at http://www.securityfocus.com/archive/1/340365/2003-10-03/2003-10-09/2 , and Cisco responded at http://www.securityfocus.com/archive/1/340565/2003-10-03/2003-10-09/2 , in addition to this notice
This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice.
A stand-alone copy or paraphrase of the text of this security notice that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Added "Public Announcements" section to reference original Bugtraq postings.
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
- EAP Flexible Authentication via Secure Tunneling (EAP-FAST) - http://tools.ietf.org/html/draft-cam-winget-eap-fast-00
- EAP-FAST FAQ - http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml.
- Read more about Cisco Response to Dictionary Attacks on Cisco LEAP - http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html.
- Information on other authentication types such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol Transport Layer Security (EAP/TLS), and their deployment information - http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml.
|Updated: Jul 19, 2004||Document ID: 44281|