On Fri, 16 Jul 2004, Daniel Eyholzer wrote:

> <[EMAIL PROTECTED]> wrote:
> > What is the added benefit of something that is encrypted where
> > the algorithm & keys to decrypt are public knowledge...
> > There is no security there, just a false sense of the feeling.
>
> If the key to decrypt the password is only known by the host running the
> radius server and the host with the webfrontend, which permits to enter the
> passwords in the ldap server running on a separate host, then IMO it is an
> improvement in security, isn't it?

Yes it is. A bigger improvement would be to just use authentication protocols
which send encrypted passwords and don't require clear text passwords, like
MS-CHAP-v2 and ideally EAP-TTLS-EAP.

Having LDAP ACIs on the symmetrically encrypted password and keeping the
symmetric key well hidden can provide some security. But:

1. These passwords will only be used by this specific application (dialup) and
   cannot be used for other services (where you need an LDAP BIND operation for
   user authentication). So you will eventually need to keep and synchronize two
   password attributes.

2. With symmetrical encryption the passwords are as secure as the key used to
   encrypt. If that key is easily guessable or is compromised then ALL your
   passwords are compromised. Whilst with one way encryption an attacker must
   compromise each user password separately.

3. If you go down that road you will soon find out that the symmetrical key
   will magically need to appear in various places, especially if you start
   basing more applications on these passwords. Each new service will require
   knowledge of the symmetrical key.

In other words adding value will lower password security. It seems to me the
whole mechanism is fundamentally flawed.

> Daniel
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
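Point 2 above, as an added illustration that is not part of the thread: a constructed three-user directory stored once under a single shared symmetric key and once as per-user salted one-way hashes, with a function showing what a stolen key hands over in the first case. The keystream cipher is a stand-in assumption (HMAC-SHA256 in counter mode) so the script runs with the standard library alone; a real deployment would use AES.

```python
import hashlib
import hmac
import secrets

# Constructed sample directory: user -> clear-text password as entered in the web frontend.
USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}
NONCE_LEN = SALT_LEN = 16
PBKDF2_ROUNDS = 100_000

# --- Scheme A: reversible encryption under one shared symmetric key (the proposal) ---
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (HMAC-SHA256 counter mode), assumed here in place of AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_reversible(key: bytes, password: str) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    pt = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))

def decrypt_reversible(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))).decode()

# --- Scheme B: one-way, salted per user (what an LDAP BIND-style check needs) ---
def hash_one_way(password: str) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_one_way(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def build_stores(key: bytes):
    """Return (reversible_store, hashed_store) for the sample directory."""
    reversible = {u: encrypt_reversible(key, p) for u, p in USERS.items()}
    hashed = {u: hash_one_way(p) for u, p in USERS.items()}
    return reversible, hashed

def leak_with_stolen_key(key: bytes, reversible_store: dict) -> dict:
    """Scheme A blast radius: one key recovers every password in the store at once."""
    return {u: decrypt_reversible(key, blob) for u, blob in reversible_store.items()}

if __name__ == "__main__":
    k = secrets.token_bytes(32)
    rev, hashed = build_stores(k)
    print("stolen key yields:", leak_with_stolen_key(k, rev))
    print("hashed store offers only verify():", verify_one_way("hunter2", hashed["bob"]))
```

Under scheme B there is no equivalent of `leak_with_stolen_key`: the store exposes only `verify_one_way`, and bob and carol, who share a password, still get different records because of the per-user salt.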