[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[radext] #80: Section 3
#80: Section 3
This section isn't just about encryption, but the state of RADIUS security
in general. Suggest the following re-write:
3. The Current State of RADIUS Security
RADIUS packets, as defined in [RFC2865], are protected by an MD5
message integrity check (MIC), within the Authenticator field of
RADIUS packets other than Access-Request. The Message-Authenticator
Attribute utilizes HMAC-MD5 to authenticate and integrity protect
RADIUS packets. Various RADIUS attributes support hidden values,
including: User-Password, Tunnel-Password, and various Vendor-
Specific Attributes. Generally speaking, the hiding mechanism uses a
stream cipher based on a key stream from an MD5 digest.
Recent work on MD5 collisions does not immediately compromise any of
these methods, absent knowledge of the RADIUS shared secret.
However, the progress toward compromise of MD5's basic cryptographic
assumptions has resulted in the deprecation of MD5 usage in a variety
of applications.
--
---------------------------------------+------------------------------------
Reporter: bernard_aboba@â | Owner:
Type: defect | Status: new
Priority: minor | Milestone: milestone1
Component: Crypto-Agility | Version: 1.0
Severity: Active WG Document | Keywords:
---------------------------------------+------------------------------------
Ticket URL: <https://wiki.tools.ietf.org/wg/radext/trac/ticket/80>
radext <http://tools.ietf.org/radext/>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>