
Re: digest-auth negotiation issue



Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Additionally the strength of the Digest hashing as such is also partly a
> property of how well the RADIUS client chooses its nonces in this
> mode of operation. If the client is really poorly implemented and only
> selects between a small set of nonces it could make Digest open to replay 
> attacks, no matter how good the RADIUS server implementation is. But the 
> opposite is also true in that in scenario 2 the client can not choose 
> stronger nonces if it is found the RADIUS server is poorly implemented...

  There are an order of magnitude or two fewer RADIUS server
implementations than clients.  For that alone, I would worry more
about poor client implementations than server implementations.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>