Firewall Wizards mailing list archives
Re: secure ID token based authentication
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 27 Jan 2003 11:34:49 +0100
This is the one I'm most familiar with: http://www.untruth.org/~josh/security/radius/radius-auth.html (if anyone knows of newer work, could they let me know?)

Based on the above analysis, I suspect that almost all of the attacks are mitigated by the fact that the SecureID token generates one-time, time limited authenticators. For analysis on the general security of SecureID, ignoring the RADIUS component, there was quite a good thread on here a while ago.

The main remaining problems would be based on an attack on the shared secret, allowing the RADIUS transaction to be MitM'ed. This would require sniffing access to the channel between the RADIUS server and the device asking to authenticate someone, and an active MitM would require write access to the same channel, as per any such attack. Given that the access you would need to pull off this attack is considerable, it seems that if someone can mount it then you already have problems.

So, my gut feel (this is not a "considered evaluation" of the solution) is that if you pick good shared secrets (do not use "secret" or "radius") and consider the security of the channel between your client devices (as in RADIUS clients, not end-users) and the RADIUS server then you should be reasonably OK. You certainly have a much stronger situation than using fixed user passwords, of whatever length, which is the main thing.

Cheers,

ben

----- Original Message -----
From: "Luca Berra" <bluca () comedia it>
[...]
i'd also search the archives for bugtraq since one (or two?) years ago someone posted a paper on the (in)security of such things (replay attacks basically iirc) L.
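
The dependence on the shared secret discussed in this message, as an added example that is not part of the original post: a RADIUS client checking a reply's Response Authenticator as RFC 2865 defines it, MD5(Code + ID + Length + RequestAuth + Attributes + Secret). The function names, the secret and the packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed sample values, not taken from the thread.
SECRET = b"Xq7#constructed-long-secret"
REQUEST_AUTH = bytes(range(16))  # authenticator the client sent in Access-Request


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5 over the reply with the request authenticator
    in the authenticator field, followed by the shared secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: serialise a reply carrying its Response Authenticator."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_reply(packet, expected_id, request_auth, secret):
    """Client side: accept a reply only if it matches the outstanding request
    and its authenticator was computed with the shared secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet) or ident != expected_id:
        return False
    packet = packet[:length]  # octets beyond Length are padding and ignored
    expected = response_authenticator(code, ident, packet[HEADER_LEN:],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    attrs = bytes([18, 4]) + b"ok"  # Reply-Message attribute (type 18)
    genuine = build_reply(ACCESS_ACCEPT, 7, attrs, REQUEST_AUTH, SECRET)
    other_secret = build_reply(ACCESS_ACCEPT, 7, attrs, REQUEST_AUTH, b"radius")
    print("genuine reply accepted:", verify_reply(genuine, 7, REQUEST_AUTH, SECRET))
    print("reply made with another secret accepted:",
          verify_reply(other_secret, 7, REQUEST_AUTH, SECRET))
    print("modified reply accepted:",
          verify_reply(genuine[:-1] + b"X", 7, REQUEST_AUTH, SECRET))
```

The secret is the only input to this check that is not visible on the wire, so the integrity of the reply rests entirely on how hard that secret is to guess.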