Any One-Time password system.
Phil Mayers
p.mayers at imperial.ac.uk
Thu May 16 16:19:58 CEST 2013
On 16/05/13 14:27, Sergii Bieliaievskyi wrote:
>
> 2013/5/16 Alan DeKok <aland at deployingradius.com>
>
> Sergii Bieliaievskyi wrote:
> > This is so frustrating :(
> > How can it be possible to do strong security using reliable passwords
> > and to have no encryption at the same time?
>
> I think you misunderstand the issues.
>
> OTP passwords were created so that it doesn't *require* that the
> password be hidden.
>
> Systems like MSCHAP were created so that the passwords could be used
> many times, because they're hashed.
>
> The two systems are *designed* to be incompatible.
>
>
> But only ms-chap supports data encryption. I want to use OTP and MPPE
> simultaneously. But MPPE without ms-chap can't exist. Am I right?

No.

MPPE requires encryption keys. These can be generated by whatever auth
method.

If you use plain MSCHAP, MSCHAP generates them.

If you use PEAP/MSCHAP, PEAP generates them - the MSCHAP MPPE keys are
thrown away, and not used.

If you use PEAP/GTC, again PEAP generates the MPPE keys.

If you use TTLS/PAP, TTLS generates the MPPE keys.
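
Added example, not part of the original post and not FreeRADIUS code: a sketch of how a TLS-based outer method derives the MPPE keys from the tunnel's own secrets, which is why the inner method (MSCHAP, GTC/OTP, PAP) has no input to them. It assumes the TLS 1.2 PRF (TLS 1.0/1.1 use a different MD5/SHA-1 PRF), the key labels from RFC 5216 and RFC 5281, and constructed sample secrets; all function and variable names are hypothetical.

```python
import hashlib
import hmac

def p_hash(secret: bytes, seed: bytes, length: int, digest: str = "sha256") -> bytes:
    """TLS P_hash expansion (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

# Key-derivation label used by each outer (tunnel) method.
LABELS = {
    "eap-tls": b"client EAP encryption",   # RFC 5216
    "peap": b"client EAP encryption",      # PEAP uses the same label
    "ttls": b"ttls keying material",       # RFC 5281
}

def derive_mppe_keys(outer: str, master_secret: bytes,
                     client_random: bytes, server_random: bytes) -> dict:
    """Derive the MSK from the TLS tunnel and split it into the MPPE keys.

    Note what is NOT a parameter: the inner method and the user's password/OTP.
    """
    key_material = tls12_prf(master_secret, LABELS[outer],
                             client_random + server_random, 128)
    msk = key_material[:64]                 # first 64 octets are the MSK
    return {
        "MS-MPPE-Recv-Key": msk[:32],       # MSK(0,31)
        "MS-MPPE-Send-Key": msk[32:64],     # MSK(32,63)
    }

# Constructed sample values standing in for a real TLS handshake.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    for outer in ("peap", "ttls"):
        keys = derive_mppe_keys(outer, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
        for name, value in keys.items():
            print(outer, name, value.hex())
```
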