Sniffing PAP/CHAP

Charles Lindsey <chl at clw.cs.man.ac.uk>
Fri, 2 Jun 2000 11:18:53 +0100 (BST)


> Date: Thu, 1 Jun 2000 21:03:26 +0100
> To: ukcrypto@maillist.ox.ac.uk
> From: Roland Perry <roland@linx.net>
> Subject: Sniffing PAP/CHAP
> 
> A posting on uk.telecom has reminded me about PAP/CHAP authentication,
> where unless I am mistaken the username and password are exchanged over
> the network in encrypted form. How then will a passive interception
> system "sniff" the necessary information from the RADIUS server sessions
> to identify the suspect's session ?

Neither PAP nor CHAP involves encryption. In both cases the username is
sent in the clear. With PAP the password is sent in the clear too (just
like dear old telnet and rlogin). With CHAP the authentication is done
by a challenge/response, thus preventing a replay attack.

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email:     chl@clw.cs.man.ac.uk  Web:   http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9     Fingerprint: 73 6D C2 51 93 A0 01 E7  65 E8 64 7E 14 A4 AB A5
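As an added illustration that is not part of the original thread: the PAP/CHAP difference described above, written out in Python following the MD5 CHAP construction of RFC 1994 (response = MD5(identifier || secret || challenge)). The username, secret and challenge bytes are constructed for the example, and the "on the wire" functions model only the authentication fields, not full PPP framing.

```python
import hashlib
import hmac

# Constructed sample values (not from any real session).
SECRET = b"constructed-shared-secret"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
FRESH_CHALLENGE = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of CHAP (RFC 1994, MD5): the one-octet identifier ties the
    response to a particular challenge, so each exchange yields a new digest."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from the stored secret and compare in
    constant time. Note the server must hold the secret itself, not a hash of it."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_on_the_wire(username: bytes, password: bytes) -> dict:
    """Fields a passive observer sees in a PAP Authenticate-Request:
    both the Peer-ID and the password travel in the clear."""
    return {"peer_id": username, "password": password}


def chap_on_the_wire(identifier: int, username: bytes, secret: bytes, challenge: bytes) -> dict:
    """Fields a passive observer sees across one CHAP Challenge/Response pair:
    the name is in the clear, but only the challenge and the digest appear,
    never the secret itself."""
    return {
        "identifier": identifier,
        "name": username,
        "challenge": challenge,
        "response": chap_response(identifier, secret, challenge),
    }


def replay_accepted(captured: dict, new_identifier: int, new_challenge: bytes, secret: bytes) -> bool:
    """Replaying a captured CHAP response against a later challenge: the digest
    was bound to the old identifier and challenge, so the authenticator rejects it."""
    return chap_verify(new_identifier, secret, new_challenge, captured["response"])


if __name__ == "__main__":
    print("PAP observer sees:", pap_on_the_wire(b"alice", b"hunter2"))
    seen = chap_on_the_wire(1, b"alice", SECRET, CHALLENGE)
    print("CHAP observer sees:", seen)
    print("Replay against fresh challenge accepted?", replay_accepted(seen, 2, FRESH_CHALLENGE, SECRET))
```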