shared secret length limitation
Hello,

Is there any limitation on the max length of the shared secret? I can't find any information from RFC2865. It is only stated that the shared secret MUST not be empty (length 0) to prevent packets from being forged easily, but it is not stated what the max length is.

What is the common practice used by radius servers and clients? Some implementations limit the shared secret to be between 1 - 128 characters. But Freeradius limits the shared-secret to 32. What is the rationale behind this?

regards,
lara

"Life, you see, is never as good nor as bad as one thinks" - Guy de Maupassant

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: shared secret length limitation
Lara Adianto [EMAIL PROTECTED] wrote:
> What is the common practice used by radius servers and clients?

Not too short, not too long. 16 is a very common length.

> But Freeradius limits the shared-secret to 32. What is the rationale behind this?

Any longer than that, and it starts becoming unmanageable.

Alan DeKok.
Re: shared secret length limitation
> Is 16 bytes enough to protect the server from brute force attack?

Well, assuming JUST the alphabet was used in the same case, that's:

16^26 = 20282409603651670423947251286016 possible combinations

take a while to search that space.. and the limit is 32, Alan said 16 is common. I think we are safe for a while :)

--
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk/)
ICQ 3842605
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Re: shared secret length limitation
On Thu, May 13, 2004 at 11:25:34AM +0100, Graeme Hinchliffe wrote:
> Well assuming JUST the alphabet was used in the same case thats:
> 16^26 = 20282409603651670423947251286016 possible combinations

Sorry for pedantry, not 16^26 but 26^16 = 4.36087428994289e+22 ;-)

That is, assuming N is a desired number of combinations, A is an alphabet capacity (26 here), ln() is natural logarithm, we got (nearly) enough shared secret length L:

L = ln(N) / ln(A).

--
Fduch M. Pravking
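Added example, not part of any message in this thread: the formula L = ln(N) / ln(A) rounded up with integer arithmetic (a floating-point log can round the wrong way at exact powers), plus a generator that draws a secret of that length from a CSPRNG. The function names and the 64/128-bit targets are assumptions; the 32-character cap is the FreeRADIUS limit quoted in the thread.

```python
import math
import secrets
import string

# Cap quoted in the thread for FreeRADIUS; an assumption here, not checked against any release.
MAX_SECRET_LEN = 32


def required_length(n_combinations: int, alphabet_size: int) -> int:
    """Smallest L with alphabet_size**L >= n_combinations, i.e. ceil(ln N / ln A)."""
    if alphabet_size < 2 or n_combinations < 1:
        raise ValueError("need alphabet_size >= 2 and n_combinations >= 1")
    length, space = 0, 1
    while space < n_combinations:  # exact integers, so no float rounding
        space *= alphabet_size
        length += 1
    return length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret in bits: L * log2(A)."""
    return length * math.log2(alphabet_size)


def generate_secret(target_bits: int, alphabet: str, max_len: int = MAX_SECRET_LEN) -> str:
    """Return a random secret with at least target_bits of entropy, or fail if it cannot fit."""
    symbols = sorted(set(alphabet))  # duplicates would overstate A
    length = required_length(2 ** target_bits, len(symbols))
    if length > max_len:
        raise ValueError(
            f"{target_bits} bits needs {length} symbols from an alphabet of "
            f"{len(symbols)}, over the {max_len}-character limit")
    return "".join(secrets.choice(symbols) for _ in range(length))


if __name__ == "__main__":
    lower = string.ascii_lowercase                # A = 26, the case discussed in the thread
    mixed = string.ascii_letters + string.digits  # A = 62
    print(f"26^16 = {26 ** 16} ({entropy_bits(26, 16):.1f} bits)")
    for bits in (64, 128):
        for name, alpha in (("lowercase", lower), ("mixed", mixed)):
            print(f"{bits} bits, {name}: L = {required_length(2 ** bits, len(alpha))}")
    print("sample secret:", generate_secret(128, mixed))
```

The entropy figures hold only for secrets drawn uniformly at random; a hand-picked word of the same length has a far smaller effective search space.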
Re: shared secret length limitation
On Thu, 13 May 2004 16:38:37 +0400 Alexander M. Pravking [EMAIL PROTECTED] wrote:
> On Thu, May 13, 2004 at 11:25:34AM +0100, Graeme Hinchliffe wrote:
> > Well assuming JUST the alphabet was used in the same case thats:
> > 16^26 = 20282409603651670423947251286016 possible combinations
>
> Sorry for pedantry, not 16^26 but 26^16 = 4.36087428994289e+22 ;-)

Bah! :) well it's a big number either way you look at it :)

(I always get confused :) )

--
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk/)