does freeradius support key-wrap

Michael Martinez mwtzzz at gmail.com
Sun Apr 10 19:30:38 CEST 2016


On Sun, Apr 10, 2016 at 10:15 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Apr 10, 2016, at 12:38 PM, Michael Martinez <mwtzzz at gmail.com> wrote:
>>
>> Ok, I have more context for my question:
>>
>> Does Freeradius support something similar to Cisco's use of key-wrap
>> as defined in https://tools.ietf.org/html/draft-zorn-radius-keywrap-18
>
>   No.

Thanks for the answer. I agree with what you're saying. I'm sure Cisco
implemented this for no other reason than a "feel good" thing for
management. I agree it doesn't do anything to increase security.

My understanding of key-wrap is that it is useful only in cases where
you want to change the key without re-encrypting all the data (e.g.
TrueCrypt: https://www.linkedin.com/pulse/encryption-what-key-wrapping-frank-hi%C3%9Fen),
or in cases where for some reason you want to encrypt stuff without
using random keys
(http://crypto.stackexchange.com/questions/1107/why-do-we-need-special-key-wrap-algorithms),
but in both cases it does nothing to increase security.

>
>   It would help to describe those requirements.

That's all they gave me: "does freeradius support key-wrap?" And from
that I'm pretty sure they're referring to the use of a keywrap to
encapsulate the transmission of keys. And you've answered that
Freeradius doesn't do it, nor does it need to.




-- 
---
Michael Martinez
http://www.michael--martinez.com

