Hi Steven,
I believe you are referring to this AA document link
(https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/advanced-authentication/9-1/administrating/administrating-ca-strong-authentication/managing-global-ca-strong-authentication-configurations/configuring-ca-strong-authentication-for-radius.html) and the statement reads as follows:
"The minimum length of key is 1 and the maximum is 512 characters."
This would be an enhancement request. What is it about restricting the minimum length to a magic min length number of 8 that makes it less prone to an attack?
To start, I will file an enhancement request at this point and share the link to that enhancement request here. I do see your point that the permutations one would have to deal with would be much larger at a min length of 8.
Kind Regards,
Girish
Original Message:
Sent: 09-03-2019 11:02 AM
From: Steven Wong
Subject: Broadcom AA Admin Portal Share Key Minimum Length Restriction for Security
Dear SMEs,
To configure a RADIUS Client in CA AA, the Admin portal will need to be configured with a Shared Key. Currently, this Shared Key minimum length is 1 while the maximum length is 1024 as per Broadcom AA documentation. However, our Customer wants the minimum length to be 8 characters as per their security policy. The customer requires the AA product to perform a minimum length validation that does not allow a Shared Key of less than 8 digits in length to be configured.
Can we make the minimum length configurable and have the Broadcom AA admin portal reject the RADIUS client configuration if the minimum length check fails? Would it also be feasible to have the Shared Key MASKED so that it cannot be read by other users?
Please advise and thanks.
Regards,
Steven