shared secret length limitation

2004-05-13 Thread Lara Adianto
Hello,

Is there any limitation on the max length of the
shared secret ?
I can't find any information from RFC2865. It is only
stated that the shared secret MUST not be empty
(length 0) to prevent packets from being forged
easily, but it is not stated what the max length is.
What is the common practice used by radius servers and
clients ?
Some implementations limit the shared secret to be
between 1 - 128 characters.
But Freeradius limits the shared-secret to 32. What is
the rationale behind this ?

regards,
lara

Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: shared secret length limitation

2004-05-13 Thread Alan DeKok
Lara Adianto [EMAIL PROTECTED] wrote:
> What is the common practice used by radius servers and
> clients ?

  Not too short, not too long.  16 is a very common length.

> But Freeradius limits the shared-secret to 32. What is
> the rationale behind this ?

  Any longer than that, and it starts becoming unmanageable.

  Alan DeKok.



Re: shared secret length limitation

2004-05-13 Thread Graeme Hinchliffe
> Is 16 bytes enough to protect the server from brute
> force attack ?

Well, assuming JUST the alphabet was used in the same case, that's:

16^26 = 20282409603651670423947251286016  possible combinations

take a while to search that space.. and the limit is 32, Alan said 16 is
common.

I think we are safe for a while :)


-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk/)

ICQ 3842605 (link)

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005




Re: shared secret length limitation

2004-05-13 Thread Alexander M. Pravking
On Thu, May 13, 2004 at 11:25:34AM +0100, Graeme Hinchliffe wrote:
> Well, assuming JUST the alphabet was used in the same case, that's:
>
> 16^26 = 20282409603651670423947251286016  possible combinations

Sorry for pedantry, not 16^26 but 26^16 = 4.36087428994289e+22
;-)

That is, assuming N is a desired number of combinations, A is an
alphabet capacity (26 here), ln() is natural logarithm, we get
(nearly) enough shared secret length L:

L = ln(N) / ln(A).

-- 
Fduch M. Pravking
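
Added example, not part of the post above or of the FreeRADIUS code: the length formula L = ln(N) / ln(A) computed with exact integer arithmetic, then used to generate a random secret that must fit the 32-character limit mentioned in this thread. The function names, the alphabets and the bit targets are assumptions made for illustration.

```python
import secrets
import string

# Limit quoted in this thread for FreeRADIUS at the time (not read from any config).
THREAD_MAX_LEN = 32


def min_length(n_combinations: int, alphabet_size: int) -> int:
    """Smallest L with alphabet_size**L >= n_combinations.

    Equivalent to ceil(ln(N) / ln(A)), but done in integers so exact
    powers such as N = 26**16 are not shifted by float rounding.
    """
    if alphabet_size < 2 or n_combinations < 1:
        raise ValueError("need alphabet_size >= 2 and n_combinations >= 1")
    length, space = 0, 1
    while space < n_combinations:
        space *= alphabet_size
        length += 1
    return length


def generate_secret(target_bits: int, alphabet: str,
                    max_len: int = THREAD_MAX_LEN) -> str:
    """Random secret with at least 2**target_bits equally likely values."""
    if target_bits < 1:
        raise ValueError("target_bits must be positive")
    symbols = sorted(set(alphabet))          # duplicates would skew the count
    length = min_length(2 ** target_bits, len(symbols))
    if length > max_len:
        raise ValueError(
            f"{length} characters needed, but the limit is {max_len}; "
            "use a larger alphabet or a lower target")
    # secrets uses the OS CSPRNG; random.choice would not be suitable here.
    return "".join(secrets.choice(symbols) for _ in range(length))


if __name__ == "__main__":
    alnum = string.ascii_letters + string.digits
    for name, alpha in (("lowercase", string.ascii_lowercase),
                        ("alphanumeric", alnum)):
        need = min_length(2 ** 128, len(alpha))   # 128 bits: assumed target
        print(f"{name:12s} A={len(alpha):2d}  L for 2^128 = {need}")
    print("sample:", generate_secret(128, alnum))
```

A secret typed by a person carries far fewer combinations than A^L, so the formula only applies to secrets drawn uniformly at random, as `generate_secret` does.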



Re: shared secret length limitation

2004-05-13 Thread Graeme Hinchliffe
On Thu, 13 May 2004 16:38:37 +0400
Alexander M. Pravking [EMAIL PROTECTED] wrote:

> On Thu, May 13, 2004 at 11:25:34AM +0100, Graeme Hinchliffe wrote:
> > Well, assuming JUST the alphabet was used in the same case, that's:
> >
> > 16^26 = 20282409603651670423947251286016  possible combinations
>
> Sorry for pedantry, not 16^26 but 26^16 = 4.36087428994289e+22
> ;-)

Bah! :)

well it's a big number either way you look at it :)  (I always get
confused :) )

-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk/)

ICQ 3842605 (link)

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005

