RE: BillMax questions -- Plaintext Password
On Mon, 12 Aug 2002, Anthony Fleisher wrote:
> On Mon, 12 Aug 2002, Brad wrote:
>
> >
> > If on the off-chance that someone climbs a telephone pole,
> > cracks out a modem line with their high-tech equipment, and
> > sniffs the password- you don't have a big problem because you
> > have only lost one username/password for all of that
> > trouble. On the other hand- if someone went through the
> > same amount of trouble to break in to your RADIUS server
> > and look at the plaintext passwords for CHAP- THEN you have
> > a really big problem because you've lost *all* of your
> > usernames and passwords.
> >
> > Neither are perfect solutions, but PAP is statistically more
> > secure.
> >
>
> Note also that, for PAP, the username/password is passed in the clear
> over the network connection from the NAS (and/or Radius Proxy) to the
> Radius server and therefore available for sniffing along the way; as
> mentioned earlier, Radius packets are not encrypted.
Uh.
Hi, Tony. :-)
But ... no, actually.
In PAP, the username and password are passed in clear-text between the
ends of the PPP connection (NAS and dial-up user, typically). And as
mentioned, that's the least-likely-to-be-sniffed portion of a dial-up
connection.
But the password is encrypted (MD5, using the radius shared secret) when
sent between the NAS and radius server.
Radius w/ PAP does have some known problems, but it *is* encrypted.
RFC 2865, section 2.3:
2. The forwarding server encrypts the User-Password, if present,
using the secret it shares with the remote server, sets the
Identifier as needed, and forwards the access-request to the
remote server.
> I think that traffic sniffers may be a more significant issue (in some
> circumstances) than either of the two methods you describe above.
It isn't sent in clear-text across the wire between NAS and Radius server.
(Unlike POP, for instance ...)
If you control your network all the way to the NAS, (or can run secure
tunnels to the NAS) I think PAP is the better choice. If you have to trust
a "middleman" (third-party dialup provider) CHAP is possibly a better
idea.
--
Charlie Watts
cewatts@frontier.net