Re: shared secret vulnerability



At 8/4/2004 04:50 PM, Joshua Wright wrote:
While I believe this algorithm is effective at adding entropy to a password such as the RADIUS secret, it does not resolve the issue of a widespread shared secret distributed throughout an organization. Without a mechanism in place to regularly change the secret, the use of shared secrets in this fashion is reminiscent of WEP pre-shared keys. As most people are painfully aware, shared secrets do not stay secret.

While I agree with the sentiment, I'd like to attempt to point out another possible implementation issue.


Unlike WEP, there is nothing in RADIUS that requires the shared secrets to be the same for all partners. In many (most?) implementations, the secret can be unique for each source IP address. Essentially any RADIUS client/server pair can have a unique secret.

Dave.
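The per-client model Dave describes, as an added illustration that is not part of the thread: a server keeps one secret per RADIUS client source address, selects it by the address a request arrives from, and discards requests from unknown addresses (RFC 2865 section 3). The Response Authenticator is the MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the secret, as the RFC defines it. The client addresses (RFC 5737 documentation range) and secret strings below are constructed for the example; the point it shows is that a reply built for one client does not verify under another client's secret, so the secrets are independent per pair rather than one organization-wide value.

```python
import hashlib
import hmac
import os
import struct

# Constructed per-client secret table keyed by RADIUS client source IP.
# Addresses are from the RFC 5737 documentation range; secrets are made up.
CLIENT_SECRETS = {
    "192.0.2.10": b"nas-a-example-secret",
    "192.0.2.20": b"nas-b-example-secret",
}

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_packet(code, identifier, authenticator, attributes=b""):
    """Serialize a RADIUS packet: 4-byte header, 16-byte authenticator, attributes."""
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def server_reply(client_ip, request, attributes=b""):
    """Answer an Access-Request with an Access-Accept signed under the secret
    bound to the client's source address. Requests from addresses with no
    configured secret are silently discarded (return None), per RFC 2865."""
    secret = CLIENT_SECRETS.get(client_ip)
    if secret is None:
        return None
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth = request[4:HEADER_LEN]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attributes, secret)
    return build_packet(ACCESS_ACCEPT, identifier, auth, attributes)


def client_verify(reply, request_authenticator, secret):
    """Client-side check that a reply was produced by a server holding our secret."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    attrs = reply[HEADER_LEN:length]
    expected = response_authenticator(code, identifier, request_authenticator, attrs, secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def demo():
    """Client A sends an Access-Request; the server signs the reply with A's secret.
    Returns (verified_with_A_secret, verified_with_B_secret) = (True, False)."""
    request_auth = os.urandom(16)  # Request Authenticator: 16 random octets
    request = build_packet(ACCESS_REQUEST, 7, request_auth)
    reply = server_reply("192.0.2.10", request)
    ok = client_verify(reply, request_auth, CLIENT_SECRETS["192.0.2.10"])
    wrong = client_verify(reply, request_auth, CLIENT_SECRETS["192.0.2.20"])
    return ok, wrong


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the server's lookup is keyed by source address, compromising the secret configured on one client only affects traffic for that client/server pair; rotating it is also a per-pair change rather than an organization-wide one, which is the part of the shared-secret concern that per-client secrets do address.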


-- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>