Re: Issue: draft-ietf-radext-digest-auth-06.txt Digest MD5-sess
Henrik Nordstrom <henrik@henriknordstrom.net> Thu, 29 December 2005 22:38 UTC
Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 29 Dec 2005 22:39:04 +0000
Date: Thu, 29 Dec 2005 23:38:48 +0100
From: Henrik Nordstrom <henrik@henriknordstrom.net>
To: radiusext@ops.ietf.org
Subject: Re: Issue: draft-ietf-radext-digest-auth-06.txt Digest MD5-sess
Message-ID: <Pine.LNX.4.61.0512292328370.13066@localhost.localdomain>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
On Thu, 29 Dec 2005, Alan DeKok wrote:

> That's what cookies are for. See my "mod_auth_radius" for an
> implementation that authenticates the user once, and uses a cookie for
> the following HTTP sessions. The module isn't perfect (by any means),
> but the general concept goes like this:
>
> Session1 : get authentication data from the user
>            pass to radius server
>            if access-accept
>              cookie = MD5(authentication data + secret + timestamp) + ...
>
> SessionN : get authentication data from the user
>            validate cookie
>            if cookie has expired or is invalid, re-auth the user
>            else let them in.

I assume you are aware that Digest MD5-sess is running circles around
the above scheme in terms of security thanks to the replay protection
provided by the nonce-count in the Digest protocol.

The above proposed scheme can only be considered reasonably secure if
combined with end-to-end transport security (i.e. https for
encryption). Even if using a more secure hash than MD5 in your cookie
is taken into account.

> I would very, very, much recommend against pushing authentication
> data to the client without a detailed security review of the
> implications. Since there are pre-existing methods for implementing
> what you want without changing RADIUS, I would recommend against
> changing RADIUS.

I can do what I want with the proposed radius digest draft already, I
just have to bend the RADIUS exchanges slightly as explained a few
minutes ago. The proposed changes are only to allow this to be done
without lying to the RADIUS server, and only as an optional feature.

Regards
Henrik

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
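The replay-protection point in the message above, worked through as an added example (this is not code from the thread, from mod_auth_radius, or from the radext digest draft): an HTTP Digest verifier for algorithm=MD5-sess, qop=auth as specified in RFC 2617, which refuses any request whose nonce-count (nc) does not exceed the last value accepted for that server nonce, placed beside a cookie built exactly as quoted, MD5(authentication data + secret + timestamp). The user name, password, realm, client nonce, cookie secret and timestamps are constructed sample values; nothing here talks to a RADIUS server.

```python
"""Replay resistance of HTTP Digest (MD5-sess, qop=auth) versus a
MD5(auth data + secret + timestamp) cookie.  All users, nonces, secrets
and timestamps below are constructed for this example."""
import hashlib
import hmac
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, cnonce, nc, qop="auth"):
    """RFC 2617 request-digest for algorithm=MD5-sess.
    MD5-sess folds the server nonce and client nonce into HA1, so the
    per-session key changes with every nonce even for a fixed password."""
    ha1 = md5hex(md5hex(f"{username}:{realm}:{password}") + f":{nonce}:{cnonce}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Verifies Digest requests and enforces a strictly increasing nc per nonce."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password (constructed sample data)
        self.nonces = {}        # server nonce -> highest nc accepted so far

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def authenticate(self, req):
        nonce = req["nonce"]
        if nonce not in self.nonces:
            return False, "unknown or expired nonce"
        nc = int(req["nc"], 16)
        if nc <= self.nonces[nonce]:
            # A captured request carries an nc the server has already
            # consumed, so it is refused before any credential check.
            return False, "replay: nonce-count not increasing"
        password = self.users.get(req["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(req["username"], self.realm, password,
                                   req["method"], req["uri"], nonce,
                                   req["cnonce"], req["nc"])
        if not hmac.compare_digest(expected, req["response"]):
            return False, "bad response"
        self.nonces[nonce] = nc     # advance only after a valid response
        return True, "ok"


def make_cookie(auth_data, secret, timestamp):
    """Cookie in the quoted shape: MD5(auth data + secret + timestamp),
    with the timestamp appended so the server can recompute the hash."""
    return md5hex(f"{auth_data}{secret}{timestamp}") + f":{timestamp}"


def validate_cookie(cookie, auth_data, secret, now, lifetime):
    """Accepts any cookie whose hash verifies and whose timestamp is
    within `lifetime` seconds: nothing ties it to one request."""
    digest, ts = cookie.rsplit(":", 1)
    ts = int(ts)
    if now - ts > lifetime:
        return False
    return hmac.compare_digest(digest, md5hex(f"{auth_data}{secret}{ts}"))


def run_scenario():
    """The client sends two Digest requests and an eavesdropper replays the
    first; the same eavesdropper replays a captured cookie within its lifetime."""
    server = DigestServer("example.org", {"alice": "s3cret"})
    nonce = server.issue_nonce()
    cnonce = "0a4f113b"                     # constructed client nonce

    def request(nc):
        return {"username": "alice", "method": "GET", "uri": "/",
                "nonce": nonce, "cnonce": cnonce, "nc": nc,
                "response": digest_response("alice", server.realm, "s3cret",
                                            "GET", "/", nonce, cnonce, nc)}

    first = request("00000001")
    results = {
        "digest_first": server.authenticate(first)[0],
        "digest_second": server.authenticate(request("00000002"))[0],
        "digest_replay": server.authenticate(first)[0],     # captured copy
    }

    secret, t0 = "cookie-secret", 1_135_900_000           # constructed
    cookie = make_cookie("alice", secret, t0)
    results["cookie_first"] = validate_cookie(cookie, "alice", secret, t0 + 5, 3600)
    results["cookie_replay"] = validate_cookie(cookie, "alice", secret, t0 + 600, 3600)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}")
```

The Digest verifier only advances the stored nc after the response has verified, so a forged request with a large nc cannot burn the counter; a real deployment also needs nonce expiry and a bound on the per-nonce table. The cookie branch shows what the message means by "reasonably secure only with https": anyone who observes the cookie on the wire can present it until the timestamp runs out, whatever hash replaces MD5.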