
Re: Issue 63: Request-ID Supplementation



Bernard Aboba <aboba@internaut.com> wrote:
> The RADIUS Request-ID shouldn't affect this algorithm.  However, once the
> Request-ID wraps you've got potentially more serious problems since the
> key stream used in encrypting "hidden" RADIUS attributes should be
> considered compromised.

  I agree.  And as you noted in your RADIUS security presentation,
this attack is not possible if the Message-Authenticator attribute is
required.  This says to me that if we can't deprecate PAP, we should
at least mandate the use of Message-Authenticator.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
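
An added example, not part of the original message: a receiver-side check that enforces the "mandate Message-Authenticator" policy suggested above, using the HMAC-MD5 construction defined in RFC 2869 and RFC 3579. The function names, the shared secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type; the value is always 16 octets

def find_message_authenticator(packet):
    """Return the offset of attribute 80's value, or None if it is absent."""
    pos = 20  # header: Code, Identifier, Length, 16-octet Request Authenticator
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("bad Message-Authenticator length")
            return pos + 2
        pos += alen
    return None

def compute_mac(packet, off, secret):
    # The HMAC covers the whole packet with the attribute value zeroed out.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def verify_access_request(packet, secret, require=True):
    """Accept only a correctly authenticated Access-Request.
    With require=True a packet lacking the attribute is rejected."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # ignore any padding after the declared length
    off = find_message_authenticator(packet)
    if off is None:
        return not require
    expected = compute_mac(packet, off, secret)
    return hmac.compare_digest(packet[off:off + 16], expected)

def build_access_request(identifier, attrs, secret):
    """Constructed sender side, used here only to produce sample input."""
    body = attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, identifier, 20 + len(body))
    packet = header + os.urandom(16) + body
    off = len(packet) - 16
    return packet[:off] + compute_mac(packet, off, secret)
```
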