Re: New XAUTH draft
Paul Koning wrote:
>
> To put it differently, can you describe an attack that demonstrates
> your assertion? Say that you and I are both using XAUTH to
> authenticate with a central site, using a preshared key common to the
> three of us. Can you demonstrate an attack that allows you to
> impersonate me, resulting in IPSec SAs to your box that appear to be
> bound to my identity? If so, then I would agree to your assertion.
> But if not, it seems to me your assertion is either invalid or not
> useful, and XAUTH is then shown to provide an additional service.
>
Hmmm... how about if I capture your session and mount an offline
known-plaintext analysis using the following from the exchange:

    IPSec Host                                          Edge Device
    --------------                                -----------------
                   <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="")
    REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") -->

Now, I know your password, and I know the preshared key. I can
impersonate you.