[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: shared secret vulnerability
At 8/4/2004 04:50 PM, Joshua Wright wrote:
While I believe this algorithm is effective at adding entropy to a
password such as the RADIUS secret, it does not resolve the issue of a
widespread shared secret distributed throughout an organization. Without a
mechanism in place to regularly change the secret, the use of shared
secrets in this fashion is reminiscent of WEP pre-shared keys. As most
people are painfully aware, shared secret do not stay secretive.
While I agree with the sentiment, I'd like to attempt to point out another
possible implementation issue.
Unlike WEP, there is nothing in RADIUS that requires the shared secrets to
be the same for all partners. In many (most?) implementations, the secret
can be unique for each source IP address. Essentially any pair of RADIUS
client/servers can have unique secrets.
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.