Hi, First i'll reply to your comments:
Use RADIUS the way it was designed. The people who've spent 20 years working with it are competent.
I never said that were not competent. I was only refering to the fact that time changes perspective on security standards, as hardware and theoretical knowledge advance. Mainly because of this, I want to select strong modern cryptography now, to ensure it's security for the first decade.
Honestly, do you think in 2015 that we'd be recommending the use of protocols which were broken and insecure? Even Microsoft doesn't do that any more.
I hoped not (as my research showed), but fact is that cryptography is a complex field. Still there are a lot of services that (only) use insecure encryption, but that is an entirely other topic. I looked some further into the protocol. Because other people might stumble onto this thread, i'll give links to some useful resources. A good resource (although 13 years old) is: https://msdn.microsoft.com/en-us/library/bb742489.aspx (Why do you always find the useful resources after you really needed them?) Based on some slides of a guest lecture of an Eduroam engineer (which I can not share): User-Password = password XOR MD5(RequestAuth + Secret) (for passwords of length up to 16 - chaining procedure for longer passwords) 2015-08-21 12:21 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Aug 21, 2015, at 5:29 AM, Qrious <Qrious@semtexgaming.com> wrote:
I'm setting up a RADIUS server which among others has to be linked to PAM. One of my primary requirements is that is uses secure cryptography. The main question is:
1. Does the PAM Radius module support EAP-TTLS with an inner tunnel of PAP?
No.
Most supported protocols are based on MD5, which has been severly comprimised[1], or a single DES key (MSCHAP V2) [2], which is also comprimised. So that only leaves the TLS based protocols,
That's a simplistic approach. Relying on buzzwords is no substitute for understanding.
The truth is that the use of MD5 in RADIUS has no known security problems. So your worries are unfounded.
If you know a more secure setup, don't hesitate to advice me :). Also if I made a mistake somewhere, don't hesitate to correct me :)
Use RADIUS the way it was designed. The people who've spent 20 years working with it are competent.
As a final remark, I think it would be beneficial for the security of many account details, both transfered and stored for (FREE)RADIUS, to include clear warnings on the pages about insecure protocols/authentication standards.
No. Because there are no security problems.
Honestly, do you think in 2015 that we'd be recommending the use of protocols which were broken and insecure? Even Microsoft doesn't do that any more.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html