Ok, I have more context for my question: Does Freeradius support something similar to Cisco's use of key-wrap as defined in https://tools.ietf.org/html/draft-zorn-radius-keywrap-18 ? In their implementation they define a way to securely transmit cryptographic keying material (such as from an EAP conversation) between NAS and Radius server using a a keywrap around the keying material to protect encryption key distribution. Supposedly this "protects" a man-in-the-middle from grabbing the EAP keys? I'm not sure how this increases security because you can't do anything with the public keys anyway. But I suppose it's a "stronger" way of encrypting that information as opposed to the standard hash that's currently done. The reason I'm asking, I'm doing some contract work for a university. The bosses want to know, presumably because they have some compliance requirements they need to satisfy. I see a few past discussion of this from the mailing list, but no clear answer on whether freeradius does this. -- --- Michael Martinez http://www.michael--martinez.com
On Apr 10, 2016, at 12:38 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Ok, I have more context for my question:
Does Freeradius support something similar to Cisco's use of key-wrap as defined in https://tools.ietf.org/html/draft-zorn-radius-keywrap-18
No.
In their implementation they define a way to securely transmit cryptographic keying material (such as from an EAP conversation) between NAS and Radius server using a a keywrap around the keying material to protect encryption key distribution.
That's nonsense.
Supposedly this "protects" a man-in-the-middle from grabbing the EAP keys? I'm not sure how this increases security because you can't do anything with the public keys anyway. But I suppose it's a "stronger" way of encrypting that information as opposed to the standard hash that's currently done.
Maybe. No one has broken the current method, so that argument is not really relevant.
The reason I'm asking, I'm doing some contract work for a university. The bosses want to know, presumably because they have some compliance requirements they need to satisfy.
It would help to describe those requirements. If it's "use Cisco gear", we can't help you. If it's "use Cisco non-standard stuff because of some bullshit sense of security", we can't help you. If it's "does FreeRADIUS do RADIUS", we can help you. RADIUS is secure. No one has broken it. Alan DeKok.
On Sun, Apr 10, 2016 at 10:15 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 10, 2016, at 12:38 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Ok, I have more context for my question:
Does Freeradius support something similar to Cisco's use of key-wrap as defined in https://tools.ietf.org/html/draft-zorn-radius-keywrap-18
No.
Thanks for the answer. I agree with what you're saying. I'm sure Cisco implemented this for no other reason than a "feel good" thing for management. I agree it doesn't do anything to increase security. My understanding of key-wrap is that it is useful only in cases where you want to change the key without re-encrypting all the data (eg TrueCrypt: https://www.linkedin.com/pulse/encryption-what-key-wrapping-frank-hi%C3%9Fen), or in cases where for some reason you want to encrypt stuff without using random keys (http://crypto.stackexchange.com/questions/1107/why-do-we-need-special-key-wr...), but in both cases it does nothing to increase security.
It would help to describe those requirements.
That's all they gave me: "does freeradius support key-wrap?" And from that I'm pretty sure they're referring to the use of a keywrap to encapsulate the transmission of keys. And you've answered that Freeradius doesn't do it, nor does it need to. -- --- Michael Martinez http://www.michael--martinez.com
participants (2)
-
Alan DeKok -
Michael Martinez