
Re: RE2: Do ipsec vendors care about privacy?



[SNIP]
I've just received feedback from an EAP person:

[COPY&PASTE BEGIN]
For MD5-challenge, it's possible if the identity is passed together with 
the response/md5 (inside the encapsulating RADIUS message for instance) 
or is determined from the response-message itself (source-ip-address, 
caller-id, whatever, ...). Or if you would use always the same identity 
somehow.

All that the MD5-response proves is that the peer is in possession of 
the correct secret for that identity (user-password for instance), so 
you can calculate the correct response. The Authenticator would have to 
check that, and needs an identity, but it doesn't matter when it's 
passed to the authenticator.

Other authentication-methods might be different though.

--
Jo Hermans
[COPY&PASTE END]

With CHAP (or MD5-CHALLENGE) Hugo's proposal will work; however, with OTP 
and maybe with GTC I think that the responder needs to know the 
Initiator ID prior to sending the OTP challenge.

-- 
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Tesista Area E-Service Tecnologies
Tel: 02-23954.334 - email: forzieri@cefriel.it
ICQ# 177683894
------------------------------------------------
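
An added illustration of the point made in this message (not code from the thread or from any implementation): the MD5-Challenge value per RFC 1994 is computed without reference to the identity, so the authenticator can issue the challenge first and learn the identity later, while an RFC 2289-style OTP challenge is built from per-user state. The credential store, OTP state and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: identity -> shared secret, identity -> (sequence, seed).
SECRETS = {"alice": b"correct horse", "bob": b"battery staple"}
OTP_STATE = {"alice": (487, "dog2")}


def issue_challenge():
    """Authenticator: the MD5 challenge is random and independent of the peer."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(ident, secret, challenge):
    """Peer: MD5(Identifier || secret || challenge), as in RFC 1994."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify(identity, ident, challenge, response):
    """Authenticator: the identity is needed only here, to look up the secret."""
    secret = SECRETS.get(identity)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def otp_challenge(identity):
    """OTP: the challenge text carries the user's sequence number and seed,
    so the authenticator must know the identity before it can send it."""
    seq, seed = OTP_STATE[identity]
    return f"otp-md5 {seq} {seed}"


def late_identity_exchange(identity, secret):
    """Challenge is sent before any identity; identity arrives with the response."""
    ident, challenge = issue_challenge()                # no identity known yet
    response = chap_response(ident, secret, challenge)  # computed by the peer
    return verify(identity, ident, challenge, response) # identity supplied last


if __name__ == "__main__":
    print(late_identity_exchange("alice", SECRETS["alice"]))  # True
    print(late_identity_exchange("alice", b"wrong secret"))   # False
    print(otp_challenge("alice"))
```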