Re: Issue 63: Request-ID Supplementation
Bernard Aboba <aboba@internaut.com> wrote:
> The RADIUS Request-ID shouldn't affect this algorithm. However, once the
> Request-ID wraps you've got potentially more serious problems since the
> key stream used in encrypting "hidden" RADIUS attributes should be
> considered compromised.
I agree. And as you noted in your RADIUS security presentation,
this attack is not possible if the Message-Authenticator attribute is
required. This says to me that if we can't deprecate PAP, we should
at least mandate the use of Message-Authenticator.
Alan DeKok.
archive: <http://psg.com/lists/radiusext/>