802.1X Authentication With EAP-MD5 Is Insecure
In November 2022, the French data protection authority (CNIL) announced that it had issued a fine of over $600,000 against a French energy company (EDF). The findings stated that the energy company failed to handle customers’ data reliably. The regulator also found that user credentials were stored and protected with an MD5 hash declared cryptographically broken and unsuitable for use in 2008.
So, why is 802.1X authentication insecure with EAP-MD5? Companies still use the EAP-MD5 protocol with MD5 algorithms to hash their passwords, making them susceptible to attacks. The MD5 hash has been compromised and is vulnerable to collision attacks, brute force attacks, and malware.
Let’s examine commonly used 802.1X authentication protocols and help you move away from the EAP-MD5 protocol to protect your network better.
What Is IEEE 802.1X Authentication?
The IEEE 802.1X is an IEEE standard for Port-based Network Access Control. The Institute of Electrical and Electronic Engineers Standard (IEEE) is an authentication mechanism for connecting devices to a LAN or Wi-Fi LAN. The IEEE 802.1X authentication needs three parties to complete authentication:
- The user,
- The authenticator
- Authentication server
The authentication servers run software that supports the RADIUS and the EAP Protocols.
WPA2-PSK and the WPA2-Enterprise are commonly used authentication protocols across homes and offices.
The WPA2-PSK (Wi-Fi Protected Access Pre-shared Key) uses a single key for all users. It is easily obtained through unauthorized means and is vulnerable to thefts and attacks. The EAP-MD5 protocol (considered obsolete due to weakness in the algorithm) is one of the commonly used Extensible Authentication Protocols (EAP) in the WPA2 Enterprise for 802.1X authentication.
Security Flaws in the EAP-MD5 Protocol
The EAP-MD5 protocol uses the MD5 hash, a cryptographic algorithm that stores user passwords in a database. At the start of the internet era, websites stored their passwords in clear text. Storing passwords in clear text rendered them unsafe, so the MD5 was developed to obscure passwords in the database.
MD5’s algorithm produces a 32-character hexadecimal string from a password or text. This would make the password inaccessible to the admin, and a thief cannot steal all the passwords from the database directly. However, the EAP-MD5 protocol is still the worst option for securing a network for these reasons:
1. Brute force attacks
A brute force attack can be implemented quickly on an MD5 using passwords like birthdays and special dates, pet names, and kids’ names. MD5 is a quick algorithm, so a bad actor can try several combinations to gain access in a few seconds.
The only way to protect passwords is by increasing the length of the passwords. A minimum of 40 characters with special characters is considered safer, but that can be hacked and lead to a bad user experience.
2. MD5 has big dictionary tables.
The MD5 has a huge password database that has been around for years. If you have a password inside this database, likely, your account is already compromised. Passwords occupy a lot of disk space in the database and get expensive as it’s a recurring expense for a very time.
3. Low collision resistance
The MD5 has low collision resistance and issues with cryptography. The MD5 hashes passwords in clear text to protect their integrity. Suppose “123edf and 123bac are two different passwords with different characters but the same hash. In that case, the collision property is terrible as it’s easy to guess, making MD5 unsuitable for securing a network.
Alternatives to EAP-MD5
PEAP-MSCHAPv2
The PEAP-MSCHAPv2 uses the MD4 algorithm to hash passwords. The MD4 hash was found to have been compromised, and a full-blown collision attack was published in 1995, subsequently followed by more attacks. An MD4 can be hacked, and the original user is authorized to perform any action on the network.
However, organizations with the legacy Active Directory (AD) still use the PEAP-MSCHAPv2 authentication protocol as it is a requirement to secure users in the AD.
EAP-TLS
The EAP-TLS is the best option for secure user authentication over a network. EAP-TLS is a certificate-based security authentication that uses X.509 digital certificates, which are unique for every device. It is highly secure and is proven to fight any attacks on a network to mitigate its vulnerability.
Information for authentication on the EAP-TLS is sent through a tunnel. It is encrypted and cannot be accessed by an impersonator or a hacker. If the network is hacked, the obtained credentials would be encrypted and cannot be decrypted, rendering it unusable.
Shift to Certificate-Based Authentication (CBA) With EAP-TLS for a Secure Network
An authentication protocol like the EAP-MD5 protocol is obsolete as the cryptography has been compromised and is proven to be vulnerable to MITM or phishing attacks. The PEAP-MSCHAPv2 uses the MD4 to hash passwords that are considered unusable again. However, the EAP-TLS protocol uses certificates to authenticate users on a network, making it secure as it is impossible to duplicate or use them in multiple systems.
SecureW2s Managed PKI helps you shift from an insecure authentication protocol to a Zero-Trust-based solution quickly and seamlessly. With our vendor-neutral Managed PKI, you can secure your network with digital certificates that deliver passwordless, identity context-based security.
Our MultiOS onboarding solution provides a zero-touch certificate enrollment experience for an array of managed and BYODs, making the shift to better security more accessible than ever. Read here to see how a healthcare company secures confidential data through digital certificates.
Contact us and see how improved network security can benefit your business.
