does freeradius support key-wrap

Alan DeKok aland at deployingradius.com
Sun Apr 10 19:15:24 CEST 2016


On Apr 10, 2016, at 12:38 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
> 
> Ok, I have more context for my question:
> 
> Does Freeradius support something similar to Cisco's use of key-wrap
> as defined in https://tools.ietf.org/html/draft-zorn-radius-keywrap-18

  No.

> In their implementation they define a way to securely transmit
> cryptographic keying material (such as from an EAP conversation)
> between NAS and Radius server using a keywrap around the keying
> material to protect encryption key distribution.

  That's nonsense.

> Supposedly this "protects" a man-in-the-middle from grabbing the EAP
> keys? I'm not sure how this increases security because you can't do
> anything with the public keys anyway. But I suppose it's a "stronger"
> way of encrypting that information as opposed to the standard hash
> that's currently done.

  Maybe.  No one has broken the current method, so that argument is not really relevant.

> The reason I'm asking, I'm doing some contract work for a university.
> The bosses want to know, presumably because they have some compliance
> requirements they need to satisfy.

  It would help to describe those requirements.

  If it's "use Cisco gear", we can't help you.

  If it's "use Cisco non-standard stuff because of some bullshit sense of security", we can't help you.

  If it's "does FreeRADIUS do RADIUS", we can help you.

  RADIUS is secure.  No one has broken it.

  Alan DeKok.