Date:      Thu, 22 Apr 1999 03:25:45 +0200
From:      Stefan Bethke <stefan.bethke@hanse.de>
To:        Martin Husemann <martin@rumolt.teuto.de>
Cc:        David Wetzel <dave@turbocat.de>, freebsd-isdn@FreeBSD.ORG
Subject:   Re: PAP vs. CHAP (was: sppp?)
Message-ID:  <572665.3133740345@monster.transit-a.hanse.de>
In-Reply-To: <199904212157.XAA09499@rumolt.teuto.de>

--On Wed, 21 Apr 1999 23:57 +0200 Martin Husemann
<martin@rumolt.teuto.de> wrote:

> (Of course Cisco's can also do PAP, if you insist on being stupid...) 

PAP vs. CHAP is not an issue of stupidity, but rather one of where you want
to have the window of opportunity on the side of a potential attacker,
given two inadequate authentication methods.

CHAP transmits the key encrypted over the line, but requires the side
requesting authentication to have the clear text key stored somewhere.

PAP transmits the key in clear text, but allows the side requesting
authentication to have the key stored encrypted.

Unless you have the CHAP in a secured hardware module (instead of using
software and the key stored in the file system), a break-in will reveal the
key.

On the other hand, snooping on an Uk0 or equivalent to extract the PAP
password requires just some thousand dollars for the equipment and the
opportunity to tap the line (despite what Deutsche Telekom claims, it is
mostly trivial to get to the wires in or near the premises).

In some instances, PAP can be better suited, especially if you consider
that at most ISPs, authentication is handled by some server, and not the
access router itself, and the secret might be shared between the PPP
dial-in and other systems (e. g. POP3, shell account).


Stefan

--
Stefan Bethke
Muehlendamm 12            Phone: +49-40-256848, +49-177-3504009
D-22087 Hamburg           <stefan.bethke@hanse.de>
Hamburg, Germany          <stb@freebsd.org>
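
The storage-versus-wire trade-off described in the message above, as an added example that is not part of the original e-mail: CHAP is computed as in RFC 1994 (MD5 over identifier, secret, challenge), and salted PBKDF2 is an assumption standing in for a PAP password "stored encrypted". All function names and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    # RFC 1994: MD5 over the identifier octet, the shared secret, the challenge.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(stored_secret, identifier, challenge, response):
    # The authenticator recomputes the hash, so it needs the secret itself.
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def pap_enroll(password):
    # Assumed storage scheme: only salt and derived digest are kept.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(record, password_from_wire):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password_from_wire, salt, 100_000)
    return hmac.compare_digest(digest, candidate)

def compare_exposure(secret=b"constructed-secret"):
    # CHAP exchange: challenge and response cross the line, secret sits in the store.
    challenge = os.urandom(16)
    response = chap_response(1, secret, challenge)
    chap_wire, chap_store = [challenge, response], secret

    # PAP exchange: the password crosses the line, only a digest sits in the store.
    pap_wire, pap_store = [secret], pap_enroll(secret)

    return {
        "chap_ok": chap_verify(chap_store, 1, challenge, response),
        "pap_ok": pap_verify(pap_store, secret),
        "chap_secret_on_wire": secret in chap_wire,
        "pap_secret_on_wire": secret in pap_wire,
        "chap_secret_in_store": secret == chap_store,
        "pap_secret_in_store": secret in b"".join(pap_store),
        # A store holding only the digest cannot answer a CHAP challenge.
        "chap_with_hashed_store": chap_verify(pap_store[1], 1, challenge, response),
    }

if __name__ == "__main__":
    for name, value in compare_exposure().items():
        print(f"{name}: {value}")
```
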


