[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: shared secret vulnerability
Paul Funk wrote:
> The idea is that you take an ordinary secret, hash it many times,
> and get a resulting "amplified" shared secret that multiplies the
> difficulty of attack by the number of times it has been hashed. The
> draft suggests 0x100000 (~ one million) iterations, adding 2 ^ 20
> bits of effective entropy to the secret.
While I believe this algorithm is effective at adding entropy to a
password such as the RADIUS secret, it does not resolve the issue of a
widespread shared secret distributed throughout an organization. Without
a mechanism in place to regularly change the secret, the use of shared
secrets in this fashion is reminiscent of WEP pre-shared keys. As most
people are painfully aware, shared secret do not stay secretive.
That being said, I like Paul's idea for effectively adding entropy to
the shared secret that will prolong a brute-force attack. However, I do
not believe that this is effective at resolving weak authentication
between the RADIUS authentication server and NAS.
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.