
Re: FW: I-D ACTION:draft-zorn-radius-encattr-00.txt



"Glen Zorn (gwz)" <gwz@cisco.com> wrote:
> FYI, general-purpose scheme for encrypting/transmitting/decrypting
> arbitrary RADIUS attributes.

  Nice.  Minor nit: It references keywrap-03, which isn't in the I-D
archive yet.

  Have you considered using an HMAC header as part of the
Encrypted-Attribute, rather than a separate attribute?

  e.g.    Encrypted-Attribute[s] = HMAC(encrypted_data) + encrypted_data

  This allows the Encrypted-Attribute to be "stand-alone", and avoids
having the HMAC calculation depend on other, non-encrypted data.  In
addition, the Message-Authentication-Code has different algorithms for
different kinds of packets, which makes implementation a little more
awkward.

  Having the Encrypted-Attribute contain its own HMAC ensures that
its calculation can be done with only "local" information about the
attributes to be encrypted, and not require any "outside" data like
authentication vectors or other attributes.

  Alan DeKok.
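One way to lay out the self-contained Encrypted-Attribute suggested in the reply above (HMAC computed over the ciphertext only, prepended to it, and checked before any decryption), as an added Go example that is not from the draft or from the list discussion. AES-CTR with a per-attribute IV, HMAC-SHA256, and the hard-coded demo keys are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys (assumption: real ones come from key derivation or key wrap).
var encKey = []byte("0123456789abcdef0123456789abcdef") // AES-256
var macKey = []byte("constructed-hmac-key-for-demo-only")

// Seal builds Encrypted-Attribute = HMAC(encrypted_data) || encrypted_data, with
// encrypted_data = IV || AES-CTR(plainAttr). Only keys and attribute bytes are needed.
func Seal(plainAttr []byte) []byte {
	block, _ := aes.NewCipher(encKey) // fixed 32-byte key, cannot fail
	enc := make([]byte, aes.BlockSize+len(plainAttr))
	rand.Read(enc[:aes.BlockSize]) // fresh IV per attribute
	cipher.NewCTR(block, enc[:aes.BlockSize]).XORKeyStream(enc[aes.BlockSize:], plainAttr)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(enc)
	return append(mac.Sum(nil), enc...)
}

// Open verifies the HMAC in constant time before touching the ciphertext.
func Open(encAttr []byte) ([]byte, error) {
	if len(encAttr) < sha256.Size+aes.BlockSize {
		return nil, errors.New("encrypted attribute too short")
	}
	tag, enc := encAttr[:sha256.Size], encAttr[sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(enc)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("HMAC verification failed")
	}
	block, _ := aes.NewCipher(encKey)
	out := make([]byte, len(enc)-aes.BlockSize)
	cipher.NewCTR(block, enc[:aes.BlockSize]).XORKeyStream(out, enc[aes.BlockSize:])
	return out, nil
}

func main() {
	sealed := Seal([]byte{11, 7, 's', 't', 'a', 'f', 'f'}) // constructed Filter-Id TLV
	fmt.Println(Open(sealed))
}
```

Because the tag covers only the ciphertext, a receiver can validate and decrypt the attribute with the keys alone, without the Request Authenticator or any other attribute of the packet.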


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>