radius user-password on the wire

Michael Lecuyer mjl at theorem.com
Tue Apr 29 16:06:54 CEST 2008


The User-Password value is an MD5 chained pad based on the shared secret 
and packet authenticator. The password is XOR'd over the pad and this is 
chained to the next pad. The process is reversible.

Essentially this is as close to a perfect encryption scheme as you can 
get - entirely depending on the cryptographic strength of the 
authenticator's randomness, the shared secret, and the MD5 message 
digest algorithm.

It's probably good enough depending on who's snooping. Computer 
randomness is not great, the MD5 algorithm has collisions, and your 
shared secret could be poor or compromised.

Riccardo Veraldi wrote:
> Hello,
> I used wireshark to sniff communication between my radius server and
> the user-password attribute is encrypted
> 
> 0000   3e ca 2d b0 97 2b b3 f9 0c e9 fc e7 e0 ed e9 fd
> 
> 
> to test if this is strong enough I wanted to ask if there is a way to 
> decrypt
> this user-password attribute since my radius server is doing proxy to 
> other radius server.
> 
> actually my radius server is authenticating a WiFi captive portal
> and is proxying requests upon username at domainname
> 
> user attributes are stripped from domain and sent to proper radius server
> 
> my question is how much is risky to have user-password attribute 
> travelling across
> the network ? is the encryption applied to the user-password strong 
> enough ?
> 
> thanks
> 
> Rick
> 
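The pad chaining described in the reply, as an added worked example that is not code from this thread or from FreeRADIUS. It follows the User-Password hiding in RFC 2865 section 5.2 (MD5 of the shared secret plus the Request Authenticator for the first pad, MD5 of the secret plus the previous ciphertext block for each later one). The shared secret, Request Authenticator and passwords are constructed values; the last function only illustrates why the RFC requires the authenticator to be unique per request.

```python
"""RFC 2865 section 5.2 User-Password hiding and its reverse.

Added example (not from the post). Secret, authenticator and passwords
used in the usage section are constructed test values.
"""
import hashlib

MAX_PASSWORD_LEN = 128  # RFC 2865 limit on the cleartext User-Password


def _xor16(a: bytes, b: bytes) -> bytes:
    """XOR two 16-octet blocks."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Produce the on-the-wire User-Password value (what a sniffer sees)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs to a multiple of 16 octets (p1..pn in the RFC).
    padded = password + b"\x00" * ((-len(password)) % 16)
    out = bytearray()
    prev = authenticator  # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], pad)
        out += block
        prev = block  # b(i) = MD5(S + c(i-1)): chained on the ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password, as a home server or proxy holding the secret does."""
    if len(authenticator) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("malformed input")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block  # next pad is keyed on the ciphertext we just consumed
    # Drop the NUL padding; RADIUS cannot carry a password that itself ends in NUL.
    return bytes(out).rstrip(b"\x00")


def pad_reuse_leak(pw_a: bytes, pw_b: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Why the Request Authenticator must be unique per request.

    With the same secret and the same authenticator the first pad is identical
    for both requests, so XORing the two wire values cancels the pad and leaves
    the XOR of the two padded passwords. A non-random authenticator therefore
    weakens the scheme regardless of secret strength.
    """
    c_a = hide_password(pw_a, secret, authenticator)[:16]
    c_b = hide_password(pw_b, secret, authenticator)[:16]
    return _xor16(c_a, c_b)


if __name__ == "__main__":
    # Constructed values for a stand-alone run.
    SECRET = b"constructed-shared-secret"
    RA = bytes(range(16))  # a real client uses 16 unpredictable random octets
    wire = hide_password(b"s3cret-pw", SECRET, RA)
    print("wire:", wire.hex())
    print("revealed:", reveal_password(wire, SECRET, RA))
```

The reversibility is the point of the reply: anyone holding the shared secret (including every proxy on the path) can recover the cleartext, and the hiding is not a MAC, so the only things standing between a passive observer and the password are the secret's strength and the authenticator's randomness.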