Hi,
That table has a few more flaws.
EAP-MD5
--------------
- MD5 and Resistance to dictionary attacks. RFC3748 states "No", the
ITU document states "Yes".
- MD5 and replay protection. Ditto.
Further to these:
- why is Protection against the server compromise-based dictionary
attack marked as "not applicable" for EAP-MD5? To perform MD5 auth, the
server must be in possession of the user's clear text credential. If the
server is compromised, an attacker can gain access to the backend
password information. It seems to me that this criterion is very much
applicable, and should be a No.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
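
Added example, not part of the message above: it illustrates the point about the server needing the user's clear-text credential, using the RFC 1994 response computation that EAP MD5-Challenge reuses. The function names, the sample password and the PBKDF2 verifier are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_verify(stored: bytes, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server-side check: recompute the response from whatever the backend stores."""
    expected = md5_challenge_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def one_way_verifier(password: bytes, salt: bytes) -> bytes:
    """Hypothetical hardened backend entry: salted PBKDF2, not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def demo() -> tuple:
    password = b"constructed-sample-password"  # constructed sample value
    identifier = 0x2A                          # constructed EAP Identifier
    challenge = os.urandom(16)                 # server-chosen challenge

    # Peer side: the response is keyed directly by the clear-text password.
    response = md5_challenge_response(identifier, password, challenge)

    # Backend A keeps the clear-text password: verification works, and a
    # compromise of this store discloses every user's password as-is.
    ok_cleartext = server_verify(password, identifier, challenge, response)

    # Backend B keeps only a salted one-way verifier: the server cannot
    # recompute MD5(Identifier || password || Challenge), so a valid peer fails.
    salt = os.urandom(16)
    ok_one_way = server_verify(one_way_verifier(password, salt),
                               identifier, challenge, response)
    return ok_cleartext, ok_one_way


if __name__ == "__main__":
    print(demo())
```
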