On Thu, Aug 26, 2004 at 10:00:55AM -0700, Joseph Salowey wrote:
Note that Message-Authenticator is based on HMAC-MD5. Recent
research has demonstrated collisions in MD5 (though not in
HMAC-MD5), so that it may make sense to define a new
attribute that uses a more highly regarded algorithm, such as
HMAC-SHA1.
[Joe] See
http://www.ietf.org/internet-drafts/draft-zorn-radius-keywrap-01.txt; this
defines an attribute that can use SHA for message authentication.
As I read the chatter on the crypto list, it's premature to assume that
SHA-1 will survive better than MD5, although it probably will. Arguments
have been made that HMAC-MD5 will not fall to MD5 attacks. I'd suggest
waiting at least a couple of weeks for the smoke to clear before acting.
We do know that the RADIUS Authenticator has long been considered inferior
to HMAC-MD5, and the recent issues may seal its fate. It's therefore
prudent to consider how to react when, or before, the authenticator is
broken. Certainly boxes that have sufficient CPU and codespace can use
IPsec, as has already been suggested. What, if anything, to do for/with
boxes that cannot run IPsec is an open question.
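The two constructions the thread contrasts, shown as an added example (not code from the thread or from any RADIUS implementation): the RFC 2869 Message-Authenticator, an HMAC-MD5 over the packet with the attribute value zeroed and keyed with the shared secret, and the RFC 2865 Response Authenticator, a plain MD5 over the packet fields concatenated with the secret. The shared secret, identifier and request authenticator below are constructed sample values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 2869
USER_NAME = 1               # attribute type defined in RFC 2865

def build_packet(code, identifier, authenticator, attrs):
    """Serialise a RADIUS header plus TLV attributes (RFC 2865 layout)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def _split_message_authenticator(packet):
    """Walk the TLVs; return the packet with Message-Authenticator zeroed and the received value."""
    buf, found, pos = bytearray(packet), None, 20
    while pos + 2 <= len(buf):
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("malformed attribute")
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            found = bytes(buf[pos + 2:pos + 18])
            buf[pos + 2:pos + 18] = bytes(16)
        pos += alen
    return bytes(buf), found

def sign_access_request(identifier, request_auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the attribute value zeroed)."""
    pkt = build_packet(1, identifier, request_auth, attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """Recompute the HMAC over the zeroed packet and compare in constant time."""
    zeroed, received = _split_message_authenticator(packet)
    if received is None:
        return False  # attribute absent: a verifier that requires it must reject
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 construction: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_packet(code, identifier, request_auth, attrs) + secret).digest()

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample, not a deployment value
    req_auth = bytes(range(16))           # constructed; real requests use 16 random bytes
    pkt = sign_access_request(7, req_auth, [(USER_NAME, b"alice")], secret)
    print("genuine verifies:", verify_message_authenticator(pkt, secret))
    # altering User-Name in place (same length) must invalidate the HMAC
    print("tampered verifies:", verify_message_authenticator(pkt[:22] + b"mallo" + pkt[27:], secret))
    print("response authenticator:", response_authenticator(2, 7, req_auth, [], secret).hex())
```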