AW: understanding

Phil Mayers p.mayers at imperial.ac.uk
Fri Mar 30 11:46:49 CEST 2012


On 30/03/12 10:18, Heinrich, Sebastian wrote:
> We don't want to install certificates on the clients, but the problem
> that is given in Wikipedia is that anybody can install an access point
> with the same SSID and a client that would connect with it would give
> him his MSCHAP encrypted username and password. How easy is it to crack

Correct.

> such a password?  An authentication wouldn't have happened but the

MSCHAP and even MSCHAPv2 are old specifications. They were created 
before the renaissance of modern crypto, and they are not, in my view, 
very good algorithms.

I would not trust MSCHAP or MSCHAPv2 to be secure against a 
known-ciphertext attack.

> attacker would have had the encrypted usernames and passwords. That is a
> problem because in my configuration those usernames and passwords are
> used for the active directory. So is it only secure to connect to the AD
> when checking the certificates? Or is there another possibility to make

Yes. It is only secure if you check the certificates.

> it secure without installing certificates?

No.

