Date: Thu, 22 Apr 1999 03:25:45 +0200
From: Stefan Bethke
To: Martin Husemann
Cc: David Wetzel, freebsd-isdn@FreeBSD.ORG
Subject: Re: PAP vs. CHAP (was: sppp?)
Message-ID: <572665.3133740345@monster.transit-a.hanse.de>
In-Reply-To: <199904212157.XAA09499@rumolt.teuto.de>

--On Wed, 21. Apr 1999 23:57 +0200 Martin Husemann wrote:

> (Of course Cisco's can also do PAP, if you insist on being stupid...)

PAP vs. CHAP is not an issue of stupidity, but rather one of where you want to have the window of opportunity on the side of a potential attacker, given two inadequate authentication methods. CHAP transmits the key encrypted over the line, but requires the side requesting authentication to have the clear text key stored somewhere. PAP transmits the key in clear text, but allows the side requesting authentication to have the key stored encrypted.
Unless you have the CHAP in a secured hardware module (instead of using software and the key stored in the file system), a break-in will reveal the key. On the other hand, snooping on an Uk0 or equivalent to extract the PAP password requires just some thousand dollars for the equipment and the opportunity to tap the line (despite what Deutsche Telekom claims, it is mostly trivial to get to the wires in or near the premises).

In some instances, PAP can be better suited, especially if you consider that at most ISPs, authentication is handled by some server, and not the access router itself, and the secret might be shared between the PPP dial-in and other systems (e. g. POP3, shell account).

Stefan

--
Stefan Bethke
Muehlendamm 12
D-22087 Hamburg, Germany
Phone: +49-40-256848, +49-177-3504009
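As an added illustration (not part of the original mail or of any FreeBSD code), the check each side performs in the two methods, written out so the storage difference described above is visible: the CHAP authenticator has to recompute MD5(identifier || secret || challenge) per RFC 1994 and therefore needs the cleartext secret at rest, while a PAP authenticator (RFC 1334) receives the password itself and can compare it against a salted one-way hash. The secret, challenge, salt and hash parameters below are constructed values.

```python
import hashlib
import hmac
import os

# Constructed example secret; not a value from the mail.
SECRET = b"correct horse battery staple"
ITERATIONS = 100_000  # PBKDF2 work factor for the PAP store (constructed choice)

# --- CHAP (RFC 1994, MD5 algorithm) ---------------------------------------
# Response = MD5(identifier || secret || challenge). The authenticator must
# recompute this value, so its copy of the secret is cleartext at rest.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(cleartext_secret: bytes, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    expected = chap_response(identifier, cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)

# --- PAP (RFC 1334) -------------------------------------------------------
# The peer sends the password itself, so the authenticator only needs a
# salted, stretched one-way hash at rest.

def pap_store(password: bytes, salt=None) -> tuple:
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def pap_verify(record: tuple, password: bytes) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# --- Where the secret is exposed in each scheme ---------------------------

def exposure(challenge=None) -> dict:
    """What a line tap sees and what a break-in on the authenticator reveals."""
    challenge = challenge if challenge is not None else os.urandom(16)
    resp = chap_response(1, SECRET, challenge)
    record = pap_store(SECRET)
    return {
        "chap_wire": challenge + resp,   # digest only; secret not on the line
        "chap_at_rest": SECRET,          # cleartext secret on the authenticator
        "pap_wire": SECRET,              # password in the clear on the line
        "pap_at_rest": record,           # salt + hash; secret not recoverable
        "chap_ok": chap_verify(SECRET, 1, challenge, resp),
        "pap_ok": pap_verify(record, SECRET),
    }
```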