[RFC] [PATCHv6] Use radius supplied PSK / Passphrase for WPA-PSK

Alan DeKok aland
Mon Dec 5 12:32:12 PST 2011

michael-dev at fami-braun.de wrote:

> to the dictionary file and make sure that either Hostapd-Passphrase or Hostapd-PSK (the latter has higher priority) is in the radius reply.
> The PSK should be supplied hex encoded, the passphrase is turned into a psk by hostapd.

  This design is insecure, and should not be used by anyone.

  1) The RADIUS protocol contains methods for securely transporting
keys.  See the RFC 2868 Tunnel-Password encryption method.  Sending keys
in the clear is a *disaster*.

  2) The RADIUS protocol contains methods for transporting binary data.
See the "octets" type in FreeRADIUS.  Using hex encoded strings is
inefficient and unnecessary.

  I recommend *no one* deploy this patch *anywhere* until at least item
(1) is fixed.

  Alan DeKok.
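
The RFC 2868 Tunnel-Password encryption that item (1) refers to, applied to a raw 32-octet PSK as in item (2), as an added Python example that is not part of the original message or of the hostapd or FreeRADIUS code. The shared secret, Request Authenticator and PSK are constructed sample values, and only the Salt and encrypted String fields are handled, not the Tag octet or the RADIUS packet framing.

```python
import hashlib
import os

def _keystream_xor(data, secret, request_auth, salt, decrypt):
    """XOR 16-octet blocks with b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1)) (RFC 2868, 3.5)."""
    out, prev = b"", request_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, pad))
        out += res
        prev = block if decrypt else res   # chaining always uses the ciphertext block
    return out

def tunnel_password_encrypt(key, secret, request_auth, salt=None):
    """Return Salt || ciphertext for the given key octets."""
    if len(request_auth) != 16 or len(key) > 255:   # Data-Length is a single octet
        raise ValueError("need a 16-octet Request Authenticator and key <= 255 octets")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])       # most significant bit must be set
    elif len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the top bit set")
    plain = bytes([len(key)]) + key                 # Data-Length octet, then the key
    plain += b"\x00" * (-len(plain) % 16)           # pad to a multiple of 16 octets
    return salt + _keystream_xor(plain, secret, request_auth, salt, decrypt=False)

def tunnel_password_decrypt(blob, secret, request_auth):
    """Recover the key octets from Salt || ciphertext."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed salt-encrypted value")
    plain = _keystream_xor(cipher, secret, request_auth, salt, decrypt=True)
    if plain[0] > len(plain) - 1:
        raise ValueError("bad Data-Length: wrong secret or authenticator?")
    return plain[1:1 + plain[0]]

# Constructed sample values (not from the thread).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))                     # from the Access-Request being answered
PSK = hashlib.sha256(b"constructed sample psk").digest()   # 32 raw octets

if __name__ == "__main__":
    blob = tunnel_password_encrypt(PSK, SECRET, REQUEST_AUTH)
    print(len(PSK.hex()), "octets as a hex string,", len(blob), "octets salt-encrypted")
    assert tunnel_password_decrypt(blob, SECRET, REQUEST_AUTH) == PSK
```
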
