Re: [saag] RADIUS is deprecating MD5
Paul Hoffman <paul.hoffman@vpnc.org> Sun, 31 March 2024 20:10 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73790C14F707 for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 13:10:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FhbE_Ooq4ES2 for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 13:09:55 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E40BAC14F701 for <saag@ietf.org>; Sun, 31 Mar 2024 13:09:55 -0700 (PDT)
Received: from [10.32.60.247] (76-209-242-70.lightspeed.mtryca.sbcglobal.net [76.209.242.70]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id 42VK9o4n004970 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 31 Mar 2024 13:09:51 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 76-209-242-70.lightspeed.mtryca.sbcglobal.net [76.209.242.70] claimed to be [10.32.60.247]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Alan DeKok <aland@deployingradius.com>
Cc: saag@ietf.org
Date: Sun, 31 Mar 2024 13:09:49 -0700
X-Mailer: MailMate (1.14r5937)
Message-ID: <4FDDB8C1-D3F3-4B4F-977B-A04EB0DF7C07@vpnc.org>
In-Reply-To: <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com>
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/NBZsyvSdb5by1zLRTFQh30jae5Y>
Subject: Re: [saag] RADIUS is deprecating MD5
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 20:10:01 -0000
On 31 Mar 2024, at 8:55, Alan DeKok wrote: > We know that MD5 is insecure. ...against collision attacks, only. > We know that many Access-Request packets lack all integrity checks. I've been trying to fix this issue since 2005 or so. > > Why can't we just say "yes, 1993-era protocols are bad. Wrap them in TLS. Move on". We can. Just don't wrap it in "MD5 is bad" if you're using MD5 for preimage resistance. Wrap it in "not using TLS is bad" instead. --Paul Hoffman
- [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Bernard Aboba
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Eliot Lear
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Paul Hoffman
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Bernard Aboba
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Paul Wouters
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok