Re: Issue: draft-ietf-radext-digest-auth-06.txt Digest MD5-sess
On Thu, 29 Dec 2005, Alan DeKok wrote:
> That's what cookies are for. See my "mod_auth_radius" for an
> implementation that authenticates the user once, and uses a cookie for
> the following HTTP sessions. The module isn't perfect (by any means),
> but the general concept goes like this:
>
> Session1 : get authentication data from the user
>            pass to radius server
>            if access-accept
>               cookie = MD5(authentication data + secret + timestamp) + ...
>
> SessionN : get authentication data from the user
>            validate cookie
>            if cookie has expired or is invalid, re-auth the user
>            else let them in.
I assume you are aware that Digest MD5-sess is running circles around the
above scheme in terms of security thanks to the replay protection provided
by the nonce-count in the Digest protocol. The above proposed scheme can
only be considered reasonably secure if combined with end-to-end transport
security (i.e. https for encryption), even if using a more secure hash
than MD5 in your cookie is taken into account.
> I would very, very, much recommend against pushing authentication
> data to the client without a detailed security review of the
> implications. Since there are pre-existing methods for implementing
> what you want without changing RADIUS, I would recommend against
> changing RADIUS.
I can do what I want with the proposed radius digest draft already; I just
have to bend the RADIUS exchanges slightly, as explained a few minutes ago.
The proposed change is only to allow this to be done without lying to the
RADIUS server, and only as an optional feature.
Regards
Henrik
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
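Added example (not from the thread, not mod_auth_radius code, and not text from the draft): a small Python model of the two mechanisms the exchange above compares. The first part implements the quoted cookie idea literally, MD5(authentication data + secret + timestamp) with the timestamp appended, and shows that a captured cookie validates again on every later request until the TTL lapses, because nothing in it changes per request. The second part implements the Digest MD5-sess response computation from RFC 2617 with a server that remembers the highest nonce-count it has accepted for each nonce, so a replayed (nonce, nc) pair is rejected while the next nc is accepted. The secret, TTL, realm, credentials, nonce and cnonce values are all constructed for the example.

```python
"""Replay behaviour of a timestamped MD5 cookie vs Digest MD5-sess nonce-count.

Constructed example: secret, TTL, credentials, nonce and cnonce are made up.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def md5hex(*parts: str) -> str:
    """MD5 over the colon-joined parts, as Digest (RFC 2617) does."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()


# ---- Cookie scheme as sketched in the quoted post (hypothetical implementation) ----
COOKIE_SECRET = "server-side-secret"   # assumption: known only to the web server
COOKIE_TTL = 300                       # assumption: seconds a cookie stays valid


def issue_cookie(auth_data: str, now: int) -> str:
    """cookie = MD5(authentication data + secret + timestamp) + timestamp."""
    tag = hashlib.md5(f"{auth_data}{COOKIE_SECRET}{now}".encode()).hexdigest()
    return f"{tag}.{now}"


def validate_cookie(auth_data: str, cookie: str, now: int) -> bool:
    """Recompute the tag and enforce the TTL. No per-request state exists,
    so any holder of a still-fresh cookie is accepted."""
    tag, _, ts = cookie.rpartition(".")
    if not ts.isdigit():
        return False
    ts_int = int(ts)
    if ts_int > now or now - ts_int > COOKIE_TTL:
        return False
    expected = hashlib.md5(f"{auth_data}{COOKIE_SECRET}{ts_int}".encode()).hexdigest()
    return hmac.compare_digest(tag, expected)


# ---- Digest MD5-sess with nonce-count tracking (RFC 2617 computation) ----
def digest_response(user: str, realm: str, password: str, nonce: str, cnonce: str,
                    nc: str, method: str, uri: str, qop: str = "auth") -> str:
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with the
    MD5-sess session key HA1 = MD5(MD5(user:realm:password):nonce:cnonce)."""
    ha1 = md5hex(md5hex(user, realm, password), nonce, cnonce)
    ha2 = md5hex(method, uri)
    return md5hex(ha1, nonce, nc, cnonce, qop, ha2)


class DigestServer:
    """Server side: per-nonce record of the highest nc accepted so far."""

    def __init__(self, realm: str, users: Dict[str, str]) -> None:
        self.realm = realm
        self.users = users
        self.nonce_state: Dict[str, int] = {}

    def issue_nonce(self, nonce: str) -> None:
        self.nonce_state[nonce] = 0

    def check(self, user: str, nonce: str, cnonce: str, nc: str,
              method: str, uri: str, response: str) -> bool:
        if nonce not in self.nonce_state:
            return False                       # unknown or expired nonce
        nc_int = int(nc, 16)
        if nc_int <= self.nonce_state[nonce]:
            return False                       # replayed or out-of-order nonce-count
        password = self.users.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, nonce, cnonce, nc, method, uri)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonce_state[nonce] = nc_int       # only advance state on success
        return True


def cookie_replay_demo() -> Tuple[bool, bool]:
    """(first use accepted, captured cookie re-sent two minutes later accepted)."""
    now = 1_000_000
    cookie = issue_cookie("henrik:pw", now)                    # constructed auth data
    first = validate_cookie("henrik:pw", cookie, now + 1)
    replay = validate_cookie("henrik:pw", cookie, now + 120)   # attacker replays sniffed cookie
    return first, replay


def digest_replay_demo() -> Tuple[bool, bool, bool]:
    """(nc=1 accepted, same response replayed rejected, nc=2 accepted)."""
    srv = DigestServer("example.org", {"henrik": "pw"})
    nonce, cnonce, uri = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "/dir/index.html"
    srv.issue_nonce(nonce)
    r1 = digest_response("henrik", "example.org", "pw", nonce, cnonce, "00000001", "GET", uri)
    first = srv.check("henrik", nonce, cnonce, "00000001", "GET", uri, r1)
    replay = srv.check("henrik", nonce, cnonce, "00000001", "GET", uri, r1)
    r2 = digest_response("henrik", "example.org", "pw", nonce, cnonce, "00000002", "GET", uri)
    second = srv.check("henrik", nonce, cnonce, "00000002", "GET", uri, r2)
    return first, replay, second


if __name__ == "__main__":
    print("cookie:", cookie_replay_demo())    # (True, True): replay within TTL succeeds
    print("digest:", digest_replay_demo())    # (True, False, True): replay rejected
```

The point the model makes concrete: the cookie is a bearer token, so on plain HTTP whoever observes it can present it until the TTL runs out, and swapping MD5 for a stronger hash changes nothing about that. The Digest server rejects the replay because the nonce-count must advance; RFC 2617 requires the server to check that nc has not been seen before for that nonce, and this model goes slightly further by insisting on a strictly increasing count, which some real servers relax to tolerate reordering.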