Sniffing PAP/CHAP

Alec Muffett alecm at coyote.uk.sun.com
Fri, 02 Jun 2000 12:52:45 +0100


>Neither PAP nor CHAP involves encryption. 

Um...

>In both cases the username is
>sent in the clear. With PAP the password is sent in the clear too (just
>like dear old telnet and rlogin). With CHAP the authentication is done
>by a challenge/response, thus preventing a replay attack.

Charles is correct, although with one slight twist:

* PAP: Password Authentication Protocol.  
  User is authenticated by a username/password sent blithely in cleartext.

  http://www.faqs.org/rfcs/rfc1334.html

* CHAP: Challenge Handshake Authentication Protocol
  User is authenticated by a challenge being presented, him returning
  a cryptographically-strong digest of ("challenge" + "sharedsecret")
  - this may be run bidirectionally.

  http://www.faqs.org/rfcs/rfc1994.html

...with CHAP, the hash/digest algorithm used is MD5, which is one of those 
dangerous algorithm names that imply "involving encryption" to some people.

	- alec  8-)

-- 
             alec muffett - 16516 110 - alec.muffett @ uk.sun.com
                             better dead than smeg
  [opinions and statements cited herein are personal and may not be factual]
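
The CHAP exchange discussed above, as an added example that is not part of the original post: the response is an MD5 digest computed as RFC 1994 specifies it (Identifier octet, then the secret, then the challenge), and a response captured from one exchange does not verify against a fresh challenge. The function names, the secret and the challenge length are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier octet || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-shared-secret"  # constructed sample, known to both ends

    # Exchange 1: authenticator sends a fresh random challenge, peer answers.
    id1, challenge1 = 1, os.urandom(16)
    response1 = chap_response(id1, secret, challenge1)

    # Exchange 2: a new challenge is issued; the old response is presented again.
    id2, challenge2 = 2, os.urandom(16)

    return {
        "first_exchange_accepted": chap_verify(id1, secret, challenge1, response1),
        "replayed_response_accepted": chap_verify(id2, secret, challenge2, response1),
        # What crosses the link is the challenge and a 16-byte digest, in the clear;
        # the secret itself does not appear and nothing is encrypted.
        "secret_on_wire": secret in (challenge1 + response1),
        "response_length": len(response1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```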