Re: secure ID token based authentication

["Ben Nagy" <ben () iagu net>]

This is the one I'm most familiar with:
http://www.untruth.org/~josh/security/radius/radius-auth.html

(if anyone knows of newer work, could they let me know?)

Based on the above analysis, I suspect that almost all of the attacks are
mitigated by the fact that the SecureID token generates one-time, time
limited authenticators. For analysis on the general security of SecureID,
ignoring the RADIUS component, there was quite a good thread on here a while
ago.

The main remaining problems would be based on an attack on the shared
secret, allowing the RADIUS transation to be MitM'ed. This would require
sniffing access to the channel between the RADIUS server and the device
asking to authenticate someone, and an active MitM would require write
access to the same channel, as per any such attack. Given that the access
you would need to pull off this attck is considerable, it seems that if
someone can mount it then you already have problems.

So, my gut feel (this is not a "considered evaluation" of the solution) is
that if you pick good shared secrets (do not use "secret" or "radius") and
consider the security of the channel between your client devices (as in
RADIUS clients, not end-users)  and the RADIUS server then you should be
reasonably OK. You certainly have a much stronger situation than using fixed
user passwords, of whatever length, which is the main thing.

Cheers,

ben

----- Original Message -----
From: "Luca Berra" <bluca () comedia it>
[...]
> i'd also search the archives for bugtraq since one (or two?) years ago
> someone posted a paper on the (in)security of such things (replay
> attacks basically iirc)
>
> L.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards