(RADIATOR) CHAP
Ingvar Berg (EIP)
Ingvar.Berg at eip.ericsson.se
Fri May 18 02:43:39 CDT 2001
> -----Original Message-----
> From: Mariano Absatz [mailto:lradius at pert.com.ar]
> Sent: 16 May 2001 16:13
> To: Ingvar Berg (EIP)
> Cc: Radiator List
> Subject: RE: (RADIATOR) CHAP
>
>
> On 16 May 2001, at 9:08, Ingvar Berg (EIP) wrote:
>
> > Or rather: you have to be able to decrypt them in Radiator, before
> > using them. I'm not sure if you can do this with a hook, or if you
> > need to hack the basic code in Radiator (i.e. persuade Mike or Hugh to
> > do some fun coding...)
> or DIY :-)... but the point here is that most of the encryption schemes
> used for storing passwords are one way hash functions (one way being the
> key point here).
=> You need to have control over this as well!
>
> You can't (without a considerable computational effort far beyond an
> authentication server) get the original password from the encrypted one.
>
> If you were to use a two way encryption scheme, it would have to encrypt
> and decrypt with the same key (if it uses a symmetric algorithm like DES,
> DES3, or the like) or encrypt with one key and decrypt with another, both
> generated as a pair (conventionally, one is supposed to be public and the
> other private).
There are several good symmetrical encryption algorithms, yepp.
>
> The point is that this way, you should put the (master) decryption key
> "open" in the radiator config file, so you just moved the weak point to
> another place.
You could keep the key inside your crypto-accelerator box.
>
> Now, if you, for instance, keep the passwords in a public open database
You should restrict access to it as much as possible anyway, of course.
/Ingvar
> (or LDAP tree or whatever) where anyone can see it and you can keep your
> radiator configuration file really secure (i.e. mode 400 root owned
> inside a mode 500 root owned directory and a really controlled set of
> trustable people knowing the root password), you (or Mike) could do it.
>
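Added example (Python, not code from this thread or from Radiator) of the point both writers are circling: the CHAP check from RFC 1994 as carried in RADIUS (RFC 2865) recomputes MD5(Identifier || secret || Challenge), so the server can verify a response only if it can recover the cleartext password at authentication time; a one-way digest of that password never matches. The function names and the sample password are constructed for illustration.

```python
"""Why CHAP forces the authentication server to hold a recoverable password."""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS puts in the RADIUS CHAP-Password attribute (RFC 2865 5.3):
    one byte of CHAP Ident followed by the 16-byte MD5 response.
    The challenge travels in CHAP-Challenge (or as the Request Authenticator)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_verify(chap_password_attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server-side check: rebuild the response from whatever the server has stored
    and compare in constant time. Succeeds only if stored_secret is the same
    byte string the client used, i.e. the cleartext password."""
    if len(chap_password_attr) != 17:
        return False
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed sample: same client response checked against two password stores."""
    password = b"correct horse"          # constructed sample password
    challenge = os.urandom(16)           # fresh per-authentication challenge
    attr = client_chap_password_attr(7, password, challenge)

    # Store 1: cleartext (or reversibly encrypted and decrypted before use).
    cleartext_ok = server_verify(attr, challenge, password)

    # Store 2: a one-way digest of the password. The client mixed the real
    # password into its MD5 response, so the server cannot reproduce that
    # response from the digest; an honest client is always rejected.
    digest_ok = server_verify(attr, challenge, hashlib.sha256(password).digest())
    return {"cleartext": cleartext_ok, "one_way_hash": digest_ok}


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to any challenge/response scheme that hashes the raw secret on the client side: a server holding only a salted one-way hash can verify PAP, but not CHAP.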
===
Archive at http://www.open.com.au/archives/radiator/