The Realization of the RADIUS Security

Authentication
Xiao Luo
Department of Industrial Design and Information Engineering
Beijing Institute of Clothing Technology
Beijing, CHINA

AbstractAlong with the rapid growth of internet, the

importance of safe network authentication becomes more evident
than ever before. Cryptography mainly cares about secrecy in
communication. Encrypting the transmitting data could prevent
others from stealing important information, but this only solves
the problem on the one hand, as for how to prevent them from
destroying important data would be additional problems. Digital
signature is a further application beyond data encryption. Digital
signature is always companioned with Hash functions, which is a
kernel of modern cryptography. Therefore, the network security
authentication based on RADIUS protocol, which can be realized
by digital signature, is mainly studied in this paper. During the
identification process, RADIUS server sends encrypted bytes to
the clients in order to verify their identities, and the clients will
encrypt the information using these received bytes. And on the
basis of the above work, the authentication scheme grounded on
RADIUS protocol is proposed. Because it is the one-way
encrypting arithmetic, even though the clients important
information is stolen by means of network embezzlement or
illegal invasion to the databases, the one will only get the
unidentified encrypted codes. The security of the identified
information will be effectively guaranteed by digital signature
during the network authentication process.

II.

RADIUS PROTOCOL

A. Radius
RADIUS is Remote Authentication Dial-In User Service,
which can protect the networks by refusing the illegal users.
RADIUS contains four parts as follows:
y

Protocol: RFC 2865 and RFC 2866

Port: 1812 as authentication and 1813 as account port

Server: RADIUS server contains the information of users

accounts and networks accessing

Client Server

B. Radius Interaction Procedure

The authentication key is transferred between the client and
server. The interaction procedure is aV Fig.1:

Keywords-RADIUS; Security Authentication; Digital Signature

I.

BACKGROUND

Along with the rapid development of information

technology, the computer network is applied in many fields of
peoples life. Although the network brings so much
convenience, the problem of networks safety is more and
more serious.
The identity authentication can distinguish the different
users. It is the available method in ensuring the network
security. By this way, users identities can be validated and
someone will be refused who can not pass the authentication
process.
The digital signature used in the paper can compress the
vast information into special format. Because it can not be
reversed, the original value can not be gotten even if the
information is embezzled.
Therefore, we apply this kind of algorithm to realize the
Radius security authentication in this paper.

Figure 1. RADIUS interaction procedure

1) User inputs the name and password.

2) According to the input information, the RADIUS client
sends Access-Request to the server.

Hubei Digital Textile Key Laboratory DTL200707

978-1-4244-2108-4/08/$25.00 2008 IEEE

3) Comparing the users information with the server

database, the Access-Accept package will be sent back to the
client if the authentication is passed. Otherwise, the AccessReject will be returned.

B. Append Length
At this point the resulting message has a length that is an
exact multiple of 512 bits. Equivalently, this message has a
length that is an exact multiple of 16 (32-bit) words.

4) Based on the received information, the client accepts or

refuses the user. If the user is accepted, the client will send the
Accounting-Request to the server and its status type changes to
start.

C. Initialize MD Buffers
A four-word buffer is used to compute the message digest.

5) The server returns the Accounting-Response (start).

Here each of A, B, C, D is a 32-bit register. These registers

are initialized to the following values in hexadecimal:

6) Users can access the internet resource.

A: 01 23 45 67; B: 89 ab cd ef; C: fe dc ba 98; D: 76 54 32 10

7) The client sends the Accounting-Request package to the

server and its status type changes to stop.
8) The server returns the Accounting-Response (stop).

D. Linear Function
Define four auxiliary functions that each take as input three
32-bit words and produce as output one 32-bit word as follows:

9) The access procedure finishes.

The whole authentication flow is as Fig.2:

F(X,Y,Z) = XY v not(X) Z
G(X,Y,Z) = XZ v Y not(Z)
H(X,Y,Z) = X xor Y xor Z
I(X,Y,Z) = Y xor (X v not(Z))

(1)

The Fig.3 is the main cycle flow. According to the graph,

we do the following:

Figure 2. RADIUS authentication flow chart

III.

DIGITAL SIGNATURE

The algorithm takes as input a message of arbitrary length

and produces as output a 128-bit "fingerprint" or "message
digest" of the input. It is conjectured that it is computationally
infeasible to produce two messages having the same message
digest, or to produce any message having a given prespecified
target message digest. The algorithm is intended for digital
signature applications, where a large file must be compressed
in a secure manner before being encrypted with a private key.
A. Append Padding Bits
A single "1" bit is appended to the message, and then "0"
bits are appended so that the length in bits of the padded
message becomes congruent to 448, modulo 512.

Figure 3. Cycle flow

/* Process each 16-word block. */

For i = 0 to N/16-1 do
/* Copy block i into X. */
For j = 0 to 15 do
Set X[j] to M[i*16+j].
End
/* Save A as AA, B as BB, C as CC, and D as DD. */
AA = A
BB = B

978-1-4244-2108-4/08/$25.00 2008 IEEE

CC = C
DD = D
/* Round 1. */
[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22
4]
[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22
8]
[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA
11 22 12]
[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15]
[BCDA 15 22 16]
/* Round 2. */
[ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA
0 20 20]
[ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA
4 20 24]
Figure 4. One procedure flow

[ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA

8 20 28]
[ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA
12 20 32]
/* Round 3. */
[ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA
14 23 36]
[ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA
10 23 40]
[ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA
6 23 44]
[ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47]
[BCDA 2 23 48]
/* Round 4. */
[ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA
5 21 52]
[ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55]
[BCDA 1 21 56]

E. Output
The message digest produced as output is A, B, C and D.
We begin with the low-order byte of A, and end with the highorder byte of D.
IV.

THE REALIZATION OF RADIUS SECURITY

AUTHENTICATION

In the network authentication, we use NAS as the client,

Radius as the server. The validity of users can be verified by
the share encryption keys (SK). See also the Fig.5.
Firstly, when the users apply the accounts, the server
transforms the accounts and passwords to digital signature and
stores them in the server.
Secondly, when the users access the network in the next
time, they need to input the information of usernames and
passwords. The program encrypts this information for one
thing and sends it to the server.

[ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA

13 21 60]
[ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA
9 21 64]
A = A + AA
B = B + BB
C = C + CC
D = D + DD
End
The Fig.4 shows the one procedure of the whole cycle.
Figure 5. RADIUS authentication system

978-1-4244-2108-4/08/$25.00 2008 IEEE

And then, when it receives the data, the server queries the
relevant information in databases. If the query is successful, the
user will be allowed to access the web. Contrarily, the
authentication is failed. The Fig.6 shows the authentication
procedure.

Figure 6. Authentication sketch map

According to the radius protocol, the realization procedure

is as follows:
A. Access Request
NAS generates random data RA and fills it with
authenticator field. The null bits are appended to the userpassword message so that the length in bits of the padded
message becomes exact multiple of 16 bits.

C(1) = [P(1)] xor [MD(SK+RA)]

C(2) = [P(2)] xor [MD(SK+C(1))]
C(3) = [P(3)] xor[MD(SK+C(2))]

C(K) = [P(K)] xor[MD(SK+C(K-1))]

(2)

B. Access Responses
P(1) = [C(1)] xor [MD(SK+RA )]
P(2) = [C(2)] xor [MD(SK+P(1))]
P(3) = [C(3)] xor [MD(SK+P(2))]

P(K )= [C(K)] xor [MD(SK P(K-1))]

User-Password = P(1)+P(2)+...+P(K)

Figure 7. RADIUS authentication flow

V. CONCLUSIONS
Nowadays, as information safety is regarded as an
important problem by the society, the network security
authentication is paid more and more attention. The algorithm
discussed in this paper takes as input a message of arbitrary
length and produces as output a 128-bit digital signature of the
input. It is conjectured that it is computationally infeasible to
produce two messages having the same message digest, or to
produce any message having a given prespecified target
message digest. Because the data can not be permitted to
exchange directly, the safety of network can be ensured
effectively by this way discussed in the paper. Meanwhile, this
authentication system can fundamentally eliminate the
sensitive information leakage owing to the broadcast
characteristic of the network.
REFERENCES
[1]

(3)
[2]
[3]

The original user-password can be gotten by deleting the

null bits. If it is licit, the access package will be sent to the
radius server. The detailed interaction is as Fig.7.

[4]
[5]
[6]

Rafael Marin Lopez, PGregorio Martinez Perez, and PAntonio F.

Gomez Skarmeta, Deployment of AAA infrastructures in IPv6
networks, Proceedings of the 2005 Symposium on Applications and the
Internet Workshops, Washington, pp. 2629, 2005.
PRoss Anderson, A new family of authentication protocols, ACM
SIGOPS Operating Systems Review. New York, 1998, pp.920.
Burt Kaliski, A survey of encryption standards, IEEE Micro.CA
Academic, 1993, pp. 7481.
Allan Leinwand, Bruce Pinsky, Cisco Router Configuration, Alpel
Publishing, 2000.
Jonathan Hassell, Radius, O'Reilly & Associates., in press.
Tzong-Sun Wu, Chien-Lung Hsu, Convertible authenticated encryption
scheme, Journal of Systems and Software, NY, pp. 205209.

978-1-4244-2108-4/08/$25.00 2008 IEEE