[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Open issues on the Crypto-Agility Requirements draft

To: Dave Nelson <d.b.nelson@comcast.net>
Subject: Re: Open issues on the Crypto-Agility Requirements draft
From: Alan DeKok <aland@deployingradius.com>
Date: Thu, 11 Jun 2009 16:31:11 +0200
Cc: 'radext mailing list' <radiusext@ops.ietf.org>
In-reply-to: <4C47BAE932794C2880E4F016A803AA52@NEWTON603>
References: <50C5A1D479B047E5811E487440A824F0@NEWTON603> <4A30AA2C.4060803@deployingradius.com> <4C47BAE932794C2880E4F016A803AA52@NEWTON603>
User-agent: Thunderbird 2.0.0.21 (Macintosh/20090302)

Dave Nelson wrote:
> Well, the term "crypto-agility" implies that the protocol is not bound to
> any *single* cipher-suite.  Substituting SHA-256 for MD5 would not be a
> crypto-agility solution, IMO.  It would be a "fix" for internal RADIUS
> security until such time as SHA-256 becomes ineffective.

  Yes.

> One *could* make the argument that RADIUS doesn't need to be crypto-agile,
> all we need is a "fix" for the internal security mechanisms to tide us over
> until the transport wrapper security mechanisms are widely deployed.

  That's my opinion.  Everyone who has tried to fix RADIUS, or add
negotiation has gotten nowhere.

> In terms of revising the RADIUS Crypto-agility Requirements draft, it would
> be helpful to know whether the WG still thinks that RADIUS needs internal
> security that is indeed crypto-agile.

  Nothing.  Give up on ad-hoc security, and wrap the entire protocol in TLS.

  It makes the "wiretap via RADIUS" issue more difficult.  But I've
never understood we can securely allow third-parties to insert arbitrary
traffic into an AAA exchange, and *without* having one of the parties
notice that the traffic exists.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: Open issues on the Crypto-Agility Requirements draft
  - From: Bernard Aboba <bernard_aboba@hotmail.com>
- RE: Open issues on the Crypto-Agility Requirements draft
  - From: "Glen Zorn" <glenzorn@comcast.net>

References:
- Open issues on the Crypto-Agility Requirements draft
  - From: "Dave Nelson" <d.b.nelson@comcast.net>
- Re: Open issues on the Crypto-Agility Requirements draft
  - From: Alan DeKok <aland@deployingradius.com>
- RE: Open issues on the Crypto-Agility Requirements draft
  - From: "Dave Nelson" <d.b.nelson@comcast.net>

Prev by Date: RE: Open issues on the Crypto-Agility Requirements draft
Next by Date: RE: Open issues on the Crypto-Agility Requirements draft
Previous by thread: RE: Open issues on the Crypto-Agility Requirements draft
Next by thread: RE: Open issues on the Crypto-Agility Requirements draft
Index(es):
- Date
- Thread