Theft of password.

Tahseen Hussain stud3080 at itu.dk
Fri Jun 24 01:22:43 CEST 2005


Hi Stefan,


> Why send clear text passwords over the net at all?
> I.e., why don't you simply use CHAP or a similar
> protocol?


The problem is end-to-end security in a proxy chaining environment. Whatever
the protocol (CHAP or any EAP method), the proxy server can see the
password since it possesses the shared secret key together with the RADIUS
server residing one hop before and after itself. So there is a threat of
theft of password. In order to overcome this threat we planned to use
public key cryptography as explained in the previous email.

         (request)          (request)          (request)
     NAS ----------> Proxy1 ----------> Proxy2 ---------->  Home
         (reply)            (reply)            (reply)     Server
         <---------         <---------         <---------


To make it more clear, let's take the help of the above figure. Here proxy1 and
proxy2 are a threat to the user password because both of these proxies can
decrypt the password field and see the password in clear text.

Thanks in advance,

Tahseen.
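The hop-by-hop exposure described above, as an added example that is not part of the original message: the RFC 2865 section 5.2 User-Password hiding algorithm in Python, plus a simulated NAS -> Proxy1 -> Proxy2 -> Home chain showing that each proxy, holding the shared secret of its inbound link, recovers the cleartext before re-hiding it for the next hop. The secrets, password and authenticators are constructed sample values.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; any party holding this link's shared secret can do it."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear, prev = clear + _xor(block, hashlib.md5(secret + prev).digest()), block
    return clear.rstrip(b"\x00")  # strip RFC padding (assumes no NUL octet in the password)


def proxy_chain(password: bytes, link_secrets: list) -> list:
    """Simulate NAS -> Proxy1 -> Proxy2 -> Home. link_secrets[i] is the shared secret of
    link i. Returns the cleartext recovered at each proxy and at the home server; every
    element equals the original password, which is the exposure the email describes."""
    recovered = []
    auth = os.urandom(16)                                   # Request Authenticator from the NAS
    wire = hide_password(password, link_secrets[0], auth)
    for hop, inbound in enumerate(link_secrets):
        clear = reveal_password(wire, inbound, auth)        # this hop holds the inbound secret
        recovered.append(clear)
        if hop + 1 < len(link_secrets):                     # not yet the home server: re-hide
            auth = os.urandom(16)                           # fresh authenticator for the next request
            wire = hide_password(clear, link_secrets[hop + 1], auth)
    return recovered


if __name__ == "__main__":
    # constructed sample values for the three links in the figure
    secrets = [b"nas-proxy1-secret", b"proxy1-proxy2-secret", b"proxy2-home-secret"]
    for hop, clear in enumerate(proxy_chain(b"correct horse battery", secrets)):
        print(f"hop {hop} sees: {clear!r}")
```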



