Re: More problems with RADIUS (protocol and implementations)

From: Joshua Hill (joshat_private)
Date: Tue Nov 13 2001 - 12:54:38 PST

    On Tue, Nov 13, 2001 at 12:16:02PM -0500, alandat_private wrote:
    >   Some points in that message were also covered by Joshua, he added a
    > number of good points, and missed a few others.  Specifically, rfc2869
    > defines the Message-Authenticator attribute, which is used to sign
    > packets.  This signature allows Access-Request packets to be verified,
    > negating the security problems of spoofed packets.
    
    Unless the attacker simply removes the Message-Authenticator from
    the packets before replaying them...
    
    Leaving out any reference to rfc2869 was an oversight on my part.  I
    recently updated the online version of my analysis with pertinent
    information regarding the Message-Authenticator.  Take a look at the
    last two paragraphs of section 4.2 at:
     http://www.untruth.org/~josh/security/radius/radius-auth.html
    
    			Thanks for your comments,
    			Josh
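
The point made in the reply above, as an added example that is not part of the original message or of the linked analysis: a server-side check of the RFC 2869 Message-Authenticator (HMAC-MD5 over the packet with the attribute value zeroed), showing that the signature only protects Access-Requests when the server refuses packets that lack it. The function names, the `require` policy switch, the shared secret and the sample packets are all constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("short packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def check_request(packet, secret, require=True):
    """Return a verdict string for an Access-Request (hypothetical policy helper)."""
    found = [(off, val) for t, off, val in attributes(packet) if t == MSG_AUTH]
    if not found:
        # The attribute is optional on the wire, so its absence has to be a policy decision.
        return "reject: unsigned" if require else "accept: unsigned"
    if len(found) != 1 or len(found[0][1]) != 16:
        return "reject: malformed"
    off, received = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    # Recompute HMAC-MD5 over the packet with the 16-byte attribute value zeroed.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "accept: verified" if hmac.compare_digest(expected, received) else "reject: bad signature"

def build_request(secret, attrs, sign=True):
    """Constructed sample Access-Request: code 1, identifier 7, fixed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:
        body += bytes([MSG_AUTH, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(range(16)) + body
    if sign:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

SECRET = b"constructed-shared-secret"  # sample value, not from the page
ATTRS = [(1, b"alice"), (4, bytes([192, 0, 2, 1]))]  # User-Name, NAS-IP-Address
SIGNED = build_request(SECRET, ATTRS)
UNSIGNED = build_request(SECRET, ATTRS, sign=False)  # same request, no signature
```

With `require=False` the unsigned copy of the same request is accepted exactly as the signed one is, which is the gap the reply describes; with `require=True` it is refused.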
    


