
RE: FW: I-D ACTION:draft-zorn-radius-encattr-00.txt



Alan DeKok <> supposedly scribbled:

> "Glen Zorn (gwz)" <gwz@cisco.com> wrote:
>>>   This allows the Encrypted-Attribute to be "stand-alone", and
...
>> 
>> Yes, but the semantic validity of the encrypted data may, in fact,
>> depend upon the integrity of unencrypted data, so it just seemed
>> better to make sure the whole message arrived intact.
> 
>   Hmm... OK.
> 
>   Is there a security issue, then, with the clear-text data being
> related to the encrypted data?  Are there potential attacks? 

I don't think so (though I've never even played a cryptographer on
TV ;-).  The attributes are only semantically related, so for
example it would be bad if (to use the LI example) the User-Name
attribute were to be modified such that surveillance was turned off
(or on) for the wrong person, but the user name gives no hint as to
the contents of the encrypted attributes.

> 
>>> In addition, the Message-Authentication-Code has different algorithms
>>> for different kinds of packets, which makes implementation a little
>>> more awkward.
>> 
>> I don't understand.
> 
>   Sorry, not "different algorithms", but "different treatments".
> 
>   i.e. In order to calculate the Message-Authentication-Code for
> Access-Accept, you need the Request Authenticator, and the attributes
> from the Access-Accept.  So the Message-Authentication-Code
> calculation requires access to information from multiple packets.

Right, but the new version includes an optional but recommended
Nonce Attribute that solves that problem (among others), I think.
  
> 
>   My feeling is that a MAC in the Encrypted-Attribute feels better to
> me, but I can see your arguments.
> 
>   Just my $0.02.
> 
>   Alan DeKok.

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel
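The cross-packet dependency Alan describes (verifying the MAC on an Access-Accept needs the Request Authenticator from the Access-Request) also exists in the standard RADIUS Message-Authenticator of RFC 2869, which this added example builds and verifies; it is not code from the thread or from the draft, and the shared secret, attributes and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 2869

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, request_auth, attrs, secret):
    """Build a packet with a Message-Authenticator (RFC 2869 section 5.14).
    The HMAC-MD5 covers Code, Identifier, Length, the Request Authenticator and
    the attributes (Message-Authenticator value zeroed). For a response the wire
    Authenticator is the Response Authenticator, so request_auth is passed in."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    if code == ACCESS_REQUEST:
        return header + request_auth + body
    # Response Authenticator (RFC 2865 section 3) is computed after the MAC is in.
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_message_authenticator(packet, secret, request_auth=None):
    """Check the Message-Authenticator; a response can only be verified with
    the Request Authenticator of the request it answers (state from another packet)."""
    code = packet[0]
    auth = packet[4:20] if code == ACCESS_REQUEST else request_auth
    if auth is None:
        return False
    body, pos, received, zeroed = packet[20:], 0, None, b""
    while pos < len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return False  # malformed attribute length
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received = body[pos + 2:pos + 18]
            zeroed += body[pos:pos + 2] + bytes(16)
        else:
            zeroed += body[pos:pos + l]
        pos += l
    if received is None:
        return False
    expected = hmac.new(secret, packet[:4] + auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```

Without the matching request's authenticator (or with a stale one) the Access-Accept cannot be verified at all, which is exactly why a server or proxy must keep per-request state until the response is processed.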

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>