Date: Thu, 22 Apr 1999 03:25:45 +0200
From: Stefan Bethke <stefan.bethke@hanse.de>
To: Martin Husemann <martin@rumolt.teuto.de>
Cc: David Wetzel <dave@turbocat.de>, freebsd-isdn@FreeBSD.ORG
Subject: Re: PAP vs. CHAP (was: sppp?)
Message-ID: <572665.3133740345@monster.transit-a.hanse.de>
In-Reply-To: <199904212157.XAA09499@rumolt.teuto.de>

--On Wed, 21 Apr 1999 23:57 +0200 Martin Husemann <martin@rumolt.teuto.de> wrote:

> (Of course Cisco's can also do PAP, if you insist on being stupid...)

PAP vs. CHAP is not an issue of stupidity, but rather one of where you want to have the window of opportunity on the side of a potential attacker, given two inadequate authentication methods.

CHAP transmits the key encrypted over the line, but requires the side requesting authentication to have the clear text key stored somewhere.

PAP transmits the key in clear text, but allows the side requesting authentication to have the key stored encrypted.

Unless you have the CHAP in a secured hardware module (instead of using software and the key stored in the file system), a break-in will reveal the key. On the other hand, snooping on an Uk0 or equivalent to extract the PAP password requires just some thousand dollars for the equipment and the opportunity to tap the line (despite what Deutsche Telekom claims, it is mostly trivial to get to the wires in or near the premises).

In some instances, PAP can be better suited, especially if you consider that at most ISPs, authentication is handled by some server, and not the access router itself, and the secret might be shared between the PPP dial-in and other systems (e.g. POP3, shell account).

Stefan

--
Stefan Bethke
Muehlendamm 12            Phone: +49-40-256848, +49-177-3504009
D-22087 Hamburg           <stefan.bethke@hanse.de>
Hamburg, Germany          <stb@freebsd.org>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isdn" in the body of the message
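The storage-versus-wire trade-off described in the message above, as an added example that is not part of the original e-mail. It assumes the MD5 response calculation from RFC 1994 for CHAP and uses a salted PBKDF2 hash as a stand-in for whatever one-way password storage the PAP server uses; the secret and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, stored: bytes, challenge: bytes, response: bytes) -> bool:
    # The authenticator recomputes the response, so `stored` must be the
    # cleartext secret; a one-way hash of it cannot reproduce the value.
    return hmac.compare_digest(chap_response(identifier, stored, challenge), response)

def pap_enroll(password: bytes):
    # Assumption: salted PBKDF2 stands in for the server's one-way storage.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(record, password_from_wire: bytes) -> bool:
    # The cleartext arrives on the wire, so the server only needs the hash.
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password_from_wire, salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def compare_exposure() -> dict:
    secret = b"constructed-example-secret"  # constructed sample value
    ident, challenge = 1, os.urandom(16)

    # CHAP: what crosses the line is identifier, challenge and MD5 response.
    response = chap_response(ident, secret, challenge)
    chap_wire = bytes([ident]) + challenge + response

    # PAP: what crosses the line is the password itself.
    record = pap_enroll(secret)
    pap_wire = secret

    return {
        "chap_accepts_peer": chap_verify(ident, secret, challenge, response),
        "chap_secret_on_wire": secret in chap_wire,
        "chap_works_with_hashed_store": chap_verify(ident, record[1], challenge, response),
        "pap_accepts_peer": pap_verify(record, pap_wire),
        "pap_secret_on_wire": secret in pap_wire,
        "pap_secret_in_store": secret in record[0] + record[1],
    }

if __name__ == "__main__":
    for name, value in compare_exposure().items():
        print(f"{name}: {value}")
```
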