Re: PKI and RADIUS

New Message	Reply	About this list	Date view	Thread view	Subject view	Author view

'Ge' Weijers' (ge@Progressive-Systems.Com)
Thu, 25 Feb 1999 09:30:29 -0500

Next message: by way of Vin McLellan: "Breaking RSA may not be equivalent to factoring (Fwd)"
Previous message: Thomas Roessler: "Re: SSL sans RSA"
In reply to: Ben Laurie: "Re: SSL sans RSA"

On Wed, Feb 24, 1999 at 02:47:44PM -0600, Bauer, Michael (C)(STP) wrote:
> I agree that storing the certificate/private-key on a hard drive is the weak
> piece of the picture. Still, in certain applications it might be an
> acceptable risk: for example, in a dial-up scenario, where your main
> concern is "random hackers from the void" rather than, say, untrusted
> insiders (consultants, like me ;-) with access to trusted users' machines,
> or corporate spies following users around in airports waiting for the
> opportunity to pilfer a laptop system. I'm talking about Joe Businessman,
> here, not government/military users.

Business espionage is at an all-time high :-)

If you allow users to choose their own passwords they will invariably
choose weak ones. If you force strong passwords on they you will
forever have to reset passwords because they forget them.

One approach is to live with the weak passwords. Some systems exist
that allow online-only authentication with a password (see for instance
http://srp.stanford.edu/ ). The advantage of these systems is that
offline attack is impossible (unless the client is modified).

The best software-only approach would combine a password with a
software 'token' file, and it would not allow any off-line attacks,
i.e. any verification will have to be done online, where you can lock
out a user after so many failed attempts.

The only reason I can see for PK crypto is to limit the exposure of
the user's secret in case the server is compromised. The server only
needs to store the public key, and this key can't be used to
compromise other systems.

There's definitely a market niche for strong, low-maintenance network
security/VPN solutions targetting small-to-medium size businesses.

Ge'

-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220

Next message: by way of Vin McLellan: "Breaking RSA may not be equivalent to factoring (Fwd)"
Previous message: Thomas Roessler: "Re: SSL sans RSA"
In reply to: Ben Laurie: "Re: SSL sans RSA"

New Message	Reply	About this list	Date view	Thread view	Subject view	Author view

All trademarks and copyrights are the property of their respective owners.
Other Directory Sites: SeekWonder | Directory Owners Forum

The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:28