[RFC] [PATCHv6] Use radius supplied PSK / Passphrase for WPA-PSK
Alan DeKok
aland
Mon Dec 5 12:32:12 PST 2011
michael-dev at fami-braun.de wrote:
> to the dictionary file and make sure that either Hostapd-Passphrase or Hostapd-PSK (the latter has higher priority) is in the radius reply.
> The PSK should be supplied hex encoded, the passphrase is turned into a psk by hostapd.

This design is insecure, and should not be used by anyone.

1) The RADIUS protocol contains methods for securely transporting
keys. See the RFC 2868 Tunnel-Password encryption method. Sending keys
in the clear is a *disaster*.

2) The RADIUS protocol contains methods for transporting binary data.
See the "octets" type in FreeRADIUS. Using hex encoded strings is
inefficient and unnecessary.

I recommend *no one* deploy this patch *anywhere* until at least item
(1) is fixed.

Alan DeKok.
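
An added example, not part of the original message and not hostapd or FreeRADIUS code: the RFC 2868 section 3.5 Tunnel-Password encryption named in item (1), applied to a raw 32-octet PSK carried as binary rather than hex as in item (2). The function names, shared secret, SSID and passphrase are constructed for illustration; the Tag octet and attribute header are left out.

```python
import hashlib
import os

def _md5_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # b(i) = MD5(S + previous), c(i) = p(i) xor b(i)
    pad = hashlib.md5(secret + prev).digest()
    return bytes(x ^ y for x, y in zip(block, pad))

def tunnel_password_encrypt(password, secret, authenticator, salt=None):
    """Return Salt || ciphertext (RFC 2868 section 3.5 String field)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    # Tag + Salt + 15 blocks is the most one 253-octet attribute value holds.
    if len(password) > 239:
        raise ValueError("password does not fit in one attribute")
    salt = os.urandom(2) if salt is None else salt
    salt = bytes([salt[0] | 0x80, salt[1]])  # high bit of the salt must be set
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)    # pad to whole 16-octet blocks
    out, prev = b"", authenticator + salt    # first block chains on R + A
    for i in range(0, len(plain), 16):
        prev = _md5_xor(plain[i:i + 16], secret, prev)  # then on c(i-1)
        out += prev
    return salt + out

def tunnel_password_decrypt(field, secret, authenticator):
    """Recover the password from Salt || ciphertext."""
    salt, cipher = field[:2], field[2:]
    if len(salt) < 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed Tunnel-Password field")
    plain, prev = b"", authenticator + salt
    for i in range(0, len(cipher), 16):
        plain += _md5_xor(cipher[i:i + 16], secret, prev)
        prev = cipher[i:i + 16]
    if plain[0] > len(plain) - 1:
        raise ValueError("bad length octet (wrong shared secret?)")
    return plain[1:1 + plain[0]]

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"example-shared-secret"
    request_auth = bytes(range(16))  # Request Authenticator of the Access-Request
    # WPA passphrase to PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 octets.
    psk = hashlib.pbkdf2_hmac("sha1", b"example passphrase", b"example-ssid", 4096, 32)
    field = tunnel_password_encrypt(psk, secret, request_auth)
    print(len(field), tunnel_password_decrypt(field, secret, request_auth) == psk)
```

The 32-octet PSK occupies 50 octets on the wire (2 salt + 48 ciphertext), where the hex string would need 64 octets before any encryption.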