RE: New XAUTH draft
Yep, that'll do it.
If you don't use per-user pre-shared, and you care that your group members
could snoop on you (I don't think I do, they can do that much more easily by
sniffing my LAN data), then use a stronger xauth - CHAP/SecurID/other token
cards/OTP.
Cheers, Steve.
-----Original Message-----
From: Scott G. Kelly [mailto:skelly@redcreek.com]
Sent: Thursday, September 30, 1999 9:15 PM
To: Paul Koning
Cc: dharkins@network-alchemy.com; Stephen.Waters@cabletron.com;
Subject: Re: New XAUTH draft
Paul Koning wrote:
>
> To put it differently, can you describe an attack that demonstrates
> your assertion? Say that you and I are both using XAUTH to
> authenticate with a central site, using a preshared key common to the
> three of us. Can you demonstrate an attack that allows you to
> impersonate me, resulting in IPSec SAs to your box that appear to be
> bound to my identity? If so, then I would agree to your assertion.
> But if not, it seems to me your assertion is either invalid or not
> useful, and XAUTH is then shown to provide an additional service.
>
Hmmm... how about if I capture your session and mount an offline
known-plaintext analysis using the following from the exchange:
  IPSec Host                                        Edge Device
--------------                                   -----------------
                   <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="")
REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") -->
Now, I know your password, and I know the preshared key. I can
impersonate you.