CHAP (Challenge Handshake Authentication Protocol) - 04/09/03 05:36 AM
Ok. I was studying for Security+ and read about CHAP. It was a replacement for PAP b/c PAP sent passwords in plain-text.
So I have some questions about the actual level of security/benefits of CHAP.
First, here is how I understand CHAP works.
- Client connects and logs in with username
- Server will find UID for username and then find the associated secret (password)
- Server then uses a challenge (string) and sends it to the client
- Client receives the challenge and encrypts it using the password entered by the user
- This creates a hash which is then sent to the server
- Server uses the password stored at its location, and generates a hash also
- Server checks its hash w/ clients hash
- Match results in authentication success sent to client, or if no match, the authentication fails
PROS:
Unlike PAP, password not sent in plain-text
Other methods send it encrypted, but with CHAP the password isn't even sent encrypted; it's a modified hash using the challenge.
CONS:
Even though this prevents replay, what is the point of taking it a step further and using a challenge with the password to create a hash? Doesn't this just mean that rather than grabbing a single hash, the hacker must sniff the hash/challenge pair?
Local storage of passwords must be in plain text to allow the ability to hash each session.
-+-+-+-+-+-+-+-+-+-+-+
How does this really provide any benefit over the normal method of sending an encrypted password? And isn't the plaintext storage a larger security risk than sending an encrypted password over the wire, as is normally done?
-+-+-+-+-+-+-+-+-+-+-+
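The exchange described in the post, as an added example that is not part of the original thread. It follows RFC 1994, where the response is MD5 over the identifier byte, the secret and the challenge (the standard does not encrypt the challenge with the password; it hashes the two together). The username, secret and wordlist are constructed for the example. The code also exercises the two points the questions turn on: a captured response is useless against the next challenge, a captured challenge/response pair can be tested offline against password guesses, and the server has to keep the secret in a recoverable form to do its side of the computation.

```python
import hashlib
import hmac
import os

# Constructed sample: the authenticator's secret store. CHAP needs the secret
# itself (not a one-way hash of it) to recompute each response, which is the
# storage concern raised in the post.
SECRETS = {"alice": b"correct horse battery"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues a fresh challenge, verifies the response."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.next_id = 0
        self.pending = {}  # username -> (identifier, challenge)

    def challenge(self, username, challenge=None):
        # Returns (identifier, challenge). A fixed challenge may be supplied so
        # the example is deterministic; a real server always draws it from a CSPRNG.
        self.next_id = (self.next_id + 1) & 0xFF
        chal = challenge if challenge is not None else os.urandom(16)
        self.pending[username] = (self.next_id, chal)
        return self.next_id, chal

    def verify(self, username, identifier, response):
        # Each challenge is single-use: pop it so a second response is rejected.
        pending = self.pending.pop(username, None)
        if pending is None or pending[0] != identifier:
            return False
        secret = self.secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


def chap_client(identifier, challenge, password):
    """Peer side: prove knowledge of the password without sending it."""
    return chap_response(identifier, password, challenge)


def run_exchange(server, username, password, challenge=None):
    """One full CHAP round trip; returns True on successful authentication."""
    ident, chal = server.challenge(username, challenge)
    resp = chap_client(ident, chal, password)
    return server.verify(username, ident, resp)


def replay_is_rejected(server, username, password):
    """Sniff a valid response, then replay it against the next challenge."""
    ident, chal = server.challenge(username)
    resp = chap_client(ident, chal, password)
    if not server.verify(username, ident, resp):
        raise RuntimeError("legitimate exchange should succeed")
    new_ident, _new_chal = server.challenge(username)
    # The challenge changed, so the old response no longer matches.
    return not server.verify(username, new_ident, resp)


def offline_guess(identifier, challenge, response, wordlist):
    """What a sniffer can do with the captured pair: test guesses offline,
    with no further interaction with the server. Returns the matching
    candidate or None."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    server = ChapServer(SECRETS)
    print("correct password:", run_exchange(server, "alice", SECRETS["alice"]))
    print("wrong password:  ", run_exchange(server, "alice", b"guess"))
    print("replay rejected: ", replay_is_rejected(server, "alice", SECRETS["alice"]))
    ident, chal = 7, bytes(range(16))  # constructed sniffed values
    resp = chap_response(ident, SECRETS["alice"], chal)
    print("offline guess:   ", offline_guess(ident, chal, resp,
                                              [b"password", b"letmein", SECRETS["alice"]]))
```

Running it shows why the challenge matters: the replayed response fails because it was computed over a different challenge. It also shows the limit the post is circling: anyone who captured both the challenge and the response can run `offline_guess` at their leisure, so CHAP's protection against a sniffer is only as strong as the secret's resistance to guessing.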