Re: New XAUTH draft



Paul Koning wrote:
> 
> To put it differently, can you describe an attack that demonstrates
> your assertion?  Say that you and I are both using XAUTH to
> authenticate with a central site, using a preshared key common to the
> three of us.  Can you demonstrate an attack that allows you to
> impersonate me, resulting in IPSec SAs to your box that appear to be
> bound to my identity?  If so, then I would agree to your assertion.
> But if not, it seems to me your assertion is either invalid or not
> useful, and XAUTH is then shown to provide an additional service.
> 

Hmmm... how about if I capture your session and mount an offline
known-plaintext analysis using the following from the exchange:

   IPSec Host                                              Edge Device
   --------------                                    -----------------
                          <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="")
   REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") -->

Now, I know your password, and I know the preshared key. I can
impersonate you.

