[vpn] Benchmark on User Authentication

Kent Dallas kent at dalliesin.com
Mon Feb 11 16:07:13 EST 2002


Correct.  And if you utilize group pre-shared secrets instead of digital
certificates for the second credential, over time, the security of your
system is reduced to the strength of the single username/password.

I leave the judgement to others if that constitutes "bad security design".

IMHO, it depends alot on what you are trying to protect, because there is
not doubt that it is easier to manage.  It does go to show the value of
additional focus on helping users select strong passwords to begin with,
however.

Kent Dallas

-----Original Message-----
From: Mark Osborne [mailto:mark.osborne at awhc.com]
Sent: Monday, February 11, 2002 1:43 PM
To: 'Tina Bird'; Chris Lynch
Cc: vpn at securityfocus.com
Subject: RE: [vpn] Benchmark on User Authentication


The authentication method consists of 2 credentials. Client Id and shared
secret. All users have unique Client ID's but they do have the same shared
secret for ease of administration.    Comments please

Mark


-----Original Message-----
From: Tina Bird [mailto:tbird at precision-guesswork.com]
Sent: Monday, February 11, 2002 11:09 AM
To: Chris Lynch
Cc: mark.osborne at awhc.com; vpn at securityfocus.com
Subject: Re: [vpn] Benchmark on User Authentication


Doesn't that basically mean that all the remote users
would be indistinguishable?  If they all have the same
shared secret, then you can't tell which user is
signed on at any given time, can you?  That sounds
like a bad security design to me.

tbird

On Mon, 11 Feb 2002, Chris Lynch wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yes you can.  The Shared Secret is typically encrypted with the
> username's hased password.  With the Raptor Mobile, you can assign
> multiple users to one shared secret.  I don't know where exactly this
> would be set, but I know that you can.
>
> Hope that helps.
>
> Chris Lynch
> lynch00 at speakeasy.net
>
> - ----- Original Message -----
> From: <mark.osborne at awhc.com>
> To: <vpn at securityfocus.com>
> Sent: Wednesday, February 06, 2002 6:02 AM
> Subject: Re: [vpn] Benchmark on User Authentication
>
>
> >
> > In-Reply-To: <F235zAUor03u9PH3IhA00011519 at hotmail.com>
> >
> > Jeremy, I am looking for something to this nature
> > myself. I would like to find out if multiple users can
> > use the same shared secret when connecting
> > remotley via VPN. We are using Raptor Mobile.
> > Where could I find info on this?
> >
> > VPN is sponsored by SecurityFocus.com
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQA/AwUBPGgLCfl56xfvzmMfEQKq8QCgg/dDsom82jtFOIimOe/y8Ff49+kAoJ/B
> 67KAPs+Xh6dGk6uhpAm9BKXC
> =9TSG
> -----END PGP SIGNATURE-----
>
>
>
> VPN is sponsored by SecurityFocus.com
>

VPN is sponsored by SecurityFocus.com



VPN is sponsored by SecurityFocus.com





More information about the VPN mailing list