Re: New XAUTH draft

>>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:

> Hmmm... how about if I capture your session and mount an offline
> known-plaintext analysis using the following from the exchange:
>   IPSec Host                                              Edge Device
>   --------------                                    -----------------
>                          <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="")
>   REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") -->
> Now, I know your password, and I know the preshared key. I can
> impersonate you.

The XAUTH exchange is encrypted under the IKE SA key, right?  So no,
you can't do this because you don't know that key, unless you're in
the middle as Dan and Tamir suggested.  Listening isn't sufficient.
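
Why listening is not sufficient, as an added example that is not part of the original message: assuming IKEv1 with pre-shared-key authentication, the encryption key SKEYID_e is derived (RFC 2409, section 5) from the Diffie-Hellman shared secret g^xy, which never crosses the wire. The toy group, the HMAC-SHA1 prf, the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy group so the example runs offline; real IKE uses the
# Oakley MODP groups (1024 bits and up). 2**127 - 1 is prime.
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, standing in for whatever prf the peers negotiated."""
    return hmac.new(key, data, hashlib.sha1).digest()

def to_bytes(n: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")

def skeyid_e(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 key derivation for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                  # needs only PSK + nonces
    tail = to_bytes(g_xy) + cky_i + cky_r       # needs the DH shared secret
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    return prf(skeyid, skeyid_a + tail + b"\x02")

def demo():
    psk = b"constructed-preshared-key"          # assumed known to the listener
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    x = secrets.randbelow(P - 3) + 2            # host's private DH value
    y = secrets.randbelow(P - 3) + 2            # edge device's private DH value
    gx, gy = pow(G, x, P), pow(G, y, P)         # public values, sent in the clear

    host = skeyid_e(psk, ni, nr, pow(gy, x, P), cky_i, cky_r)
    edge = skeyid_e(psk, ni, nr, pow(gx, y, P), cky_i, cky_r)

    # A passive listener holds psk, nonces, cookies, gx and gy, but not g^xy.
    # Substituting anything it did see yields a different key.
    seen = (gx, gy, gx * gy % P)
    guesses = [skeyid_e(psk, ni, nr, v, cky_i, cky_r) for v in seen]
    return host, edge, guesses

if __name__ == "__main__":
    host, edge, guesses = demo()
    print("peers agree on SKEYID_e:", host == edge)
    print("listener recovers it:   ", host in guesses)
```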