
Re: Black-box EKE (was Re: IPSRA and "legacy systems")



--On Monday, 20 March, 2000 19:31 +0200 Sara Bitan <sarab@xxxxxxxxxxxx> wrote:

Also, in one of your e-mails you said

"Anyway, it's already been established that IPSRA users can, if they
want to, use legacy credentials and mechanisms, with a completely intact
legacy infrastructure, with clear text or weakly hidden passwords
flowing freely between various legacy components. "

Once again, a quote from the requirements draft:
    " o user authentication information must be protected against
       eavesdropping and replay (including the user identity)"

This can be, and indeed is, achieved by the two proposed protocols.

At least in the case of RADIUS, this is only true if the RADIUS messages are run over a protected channel. The username is sent in clear text, and there are arguments over how well protected the password is in the case where one isn't using a challenge-response mechanism (by protected I mean both privacy and resistance to replay).

-paul
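The "weakly hidden" RADIUS password Paul refers to is the User-Password attribute of RFC 2865 (section 5.2), which masks the password by XORing it with MD5 digests of the shared secret and the Request Authenticator. The following is an added example, not code from the thread or from any RADIUS implementation: it builds a constructed Access-Request and parses it the way a passive observer would, to show that the User-Name is readable and the password is only masked under the shared secret. The secret, credentials and identifier are constructed values.

```python
import hashlib
import struct

# RFC 2865 attribute type codes used below.
USER_NAME = 1
USER_PASSWORD = 2

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. Only the shared secret is involved, no per-user key."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does: anyone holding the shared secret recovers the
    password exactly (trailing NUL padding is stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")

def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Code 1 = Access-Request; header is code, identifier, length, 16-byte
    Request Authenticator, followed by type/length/value attributes."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def observer_view(packet: bytes) -> dict:
    """Parse attributes as an eavesdropper on an unprotected link would:
    User-Name is plaintext, User-Password is only XOR-masked, and nothing in
    the datagram itself prevents it being presented again unchanged."""
    view, pos = {}, 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + l]
        if t == USER_NAME:
            view["username"] = value.decode()
        elif t == USER_PASSWORD:
            view["password_hidden"] = value
        pos += l
    return view
```

This is why the requirement quoted above (protection against eavesdropping and replay, identity included) holds for RADIUS only when the messages themselves travel over a channel that provides privacy and freshness.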