[RFC] [PATCHv6] Use radius supplied PSK / Passphrase for WPA-PSK

Alan DeKok aland at deployingradius.com
Mon Dec 5 15:32:12 EST 2011


michael-dev at fami-braun.de wrote:


> to the dictionary file and make sure that either Hostapd-Passphrase or Hostapd-PSK (the latter has higher priority) is in the radius reply.
> The PSK should be supplied hex encoded, the passphrase is turned into a psk by hostapd.

  This design is insecure, and should not be used by anyone.

  1) The RADIUS protocol contains methods for securely transporting
keys.  See the RFC 2868 Tunnel-Password encryption method.  Sending keys
in the clear is a *disaster*.

  2) The RADIUS protocol contains methods for transporting binary data.
See the "octets" type in FreeRADIUS.  Using hex encoded strings is
inefficient and unnecessary.

  I recommend *no one* deploy this patch *anywhere* until at least item
(1) is fixed.

  Alan DeKok.
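
The RFC 2868 section 3.5 Tunnel-Password encryption named in item (1), applied to a 32-octet PSK carried as raw binary rather than hex as in item (2). This is an added example, not part of the original message or the patch under discussion; the function names are hypothetical and the shared secret, Request Authenticator and PSK are constructed sample values.

```python
import hashlib
import os


def tunnel_password_encrypt(plain, secret, request_auth, salt=None):
    """Return Salt || String per RFC 2868 section 3.5 (Tag octet not included)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(plain) > 255:
        raise ValueError("value does not fit the 1-octet Data-Length field")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])  # high bit of the salt must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the top bit set")
    # Data-Length octet, then the value, zero-padded to a multiple of 16 octets.
    p = bytes([len(plain)]) + plain
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(p), 16):
        # b(1) = MD5(S + R + A); b(i) = MD5(S + c(i-1)); c(i) = p(i) XOR b(i)
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += prev
    return salt + out


def tunnel_password_decrypt(value, secret, request_auth):
    """Invert tunnel_password_encrypt; raise ValueError on a malformed value."""
    salt, c = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not c or len(c) % 16:
        raise ValueError("malformed Tunnel-Password value")
    p, prev = b"", request_auth + salt
    for i in range(0, len(c), 16):
        b = hashlib.md5(secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(c[i:i + 16], b))
        prev = c[i:i + 16]
    if p[0] > len(p) - 1:
        raise ValueError("bad Data-Length: wrong shared secret or authenticator?")
    return p[1:1 + p[0]]


# Constructed sample values, not taken from the thread or the patch.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
PSK = hashlib.sha256(b"constructed sample psk").digest()  # 32 raw octets
if __name__ == "__main__":
    wire = tunnel_password_encrypt(PSK, SECRET, REQUEST_AUTH)
    print(len(wire), tunnel_password_decrypt(wire, SECRET, REQUEST_AUTH) == PSK)
```

The encrypted value for a 32-octet PSK is 50 octets (2 salt + 48 ciphertext), against 64 octets for the same PSK sent as a cleartext hex string.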

