
Re: Submission for RADIUS extensions working group



On Fri, Jul 30, 2004 at 07:48:03AM -0700, Bernard Aboba wrote:
> We have had a late submission relating to RADIUS security vulnerabilities.
> I've allocated time for discussion of this within the Thursday session.
> 
> Since the draft submission deadline has closed, the document is available
> for examination here:
> http://www.drizzle.com/~aboba/RADEXT/radius_vuln_00.txt

Since I won't be at the meeting, I'll make my comments here.

A draft discussing faulty implementations, by name, would be useful.
So would problem reports to the vendors/authors of said faulty
implementations.

A draft pointing out, yet again, that shared-secret crypto depends
on an adequately long and not widely shared key, is not.

If one were going to expound on RADIUS vulnerabilities, the most
serious one in my opinion is that the CHAP response is unencrypted,
thus exposing users' secrets to offline attack.  That makes user-chosen
CHAP secrets very risky.  Hardly new news.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
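As an added illustration of the two points made above (example code, not part of the original message): a RADIUS CHAP-Password response (RFC 2865 §5.3) can be checked against a candidate password using only values that travel in the clear in the Access-Request, whereas a PAP User-Password (§5.2) can only be recovered by someone holding the RADIUS shared secret, which is why that secret's length and distribution matter. All sample values below are constructed.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 section 5.3: Response = MD5(Ident || password || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the CHAP-Password attribute: 1-byte Ident followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)

def verify_chap(attr_value: bytes, challenge: bytes, candidate: bytes) -> bool:
    """Server-side check; note it needs only on-wire values plus the candidate password."""
    if len(attr_value) != 17:
        return False
    ident = attr_value[0]
    return hmac.compare_digest(attr_value[1:], chap_response(ident, candidate, challenge))

def hide_user_password(password: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, c_i = p_i XOR MD5(S || c_{i-1}), c_0 = RA."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def unhide_user_password(hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password; without the shared secret the mask cannot be formed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def demo() -> dict:
    # Constructed sample values, not taken from any real capture.
    ra = bytes(range(16))          # Request Authenticator: sent in the clear
    challenge = b"\x5a" * 16       # CHAP-Challenge attribute: sent in the clear
    secret = b"constructed-shared-secret"   # known only to NAS and server
    pw = b"letmein"                # a weak, user-chosen password
    chap = chap_password_attr(0x07, pw, challenge)
    pap = hide_user_password(pw, secret, ra)
    return {
        "chap_check_without_secret": verify_chap(chap, challenge, pw),
        "chap_wrong_candidate": verify_chap(chap, challenge, b"wrong"),
        "pap_roundtrip_with_secret": unhide_user_password(pap, secret, ra) == pw,
        "pap_with_wrong_secret": unhide_user_password(pap, b"other", ra) == pw,
    }
```

The first result shows why a weak CHAP password is exposed to anyone who can read the Access-Request, while the last two show that the PAP hiding stands or falls with the strength of the shared secret.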

archive: <http://psg.com/lists/radiusext/>