RE: BillMax questions -- Plaintext Password
Heh - I guess using the shared secret for encrypting the traffic between
the NAS and the radius server was not an original idea :)
j
On Mon, 12 Aug 2002, Charlie Watts wrote:
> On Mon, 12 Aug 2002, Anthony Fleisher wrote:
>
> > On Mon, 12 Aug 2002, Brad wrote:
> >
> > >
> > > If on the off-chance that someone climbs a telephone pole,
> > > cracks out a modem line with their high-tech equipment, and
> > > sniffs the password- you don't have a big problem because you
> > > have only lost one username/password for all of that
> > > trouble. On the other hand- if someone went through the
> > > same amount of trouble to break in to your RADIUS server
> > > and look at the plaintext passwords for CHAP- THEN you have
> > > a really big problem because you've lost *all* of your
> > > usernames and passwords.
> > >
> > > Neither are perfect solutions, but PAP is statistically more
> > > secure.
> > >
> >
> > Note also that, for PAP, the username/password is passed in the clear
> > over the network connection from the NAS (and/or Radius Proxy) to the
> > Radius server and therefore available for sniffing along the way; as
> > mentioned earlier, Radius packets are not encrypted.
>
> Uh.
>
> Hi, Tony. :-)
>
> But ... no, actually.
>
> In PAP, the username and password are passed in clear-text between the
> ends of the PPP connection (NAS and dial-up user, typically). And as
> mentioned, that's the least-likely-to-be-sniffed portion of a dial-up
> connection.
>
> But the password is encrypted (MD5, using the radius shared secret) when
> sent between the NAS and radius server.
>
> Radius w/ PAP does have some known problems, but it *is* encrypted.
>
> RFC 2865, section 2.3:
> 2. The forwarding server encrypts the User-Password, if present,
> using the secret it shares with the remote server, sets the
> Identifier as needed, and forwards the access-request to the
> remote server.
>
> > I think that traffic sniffers may be a more significant issue (in some
> > circumstances) than either of the two methods you describe above.
>
> It isn't sent in clear-text across the wire between NAS and Radius server.
> (Unlike POP, for instance ...)
>
> If you control your network all the way to the NAS, (or can run secure
> tunnels to the NAS) I think PAP is the better choice. If you have to trust
> a "middleman" (third-party dialup provider) CHAP is possibly a better
> idea.
>
> --
> Charlie Watts
> cewatts@frontier.net
>
-----------------------------------------------------------------------------
To unsubscribe from the "BillMax Questions" mailing list, please
send a message to "majordomo@billmax.com" with "unsubscribe questions"
in the message body. The message must be sent from the exact email
address on the list.
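The User-Password hiding that Charlie quotes from RFC 2865 (section 5.2, MD5 keyed with the shared secret and chained from the Request Authenticator), as an added example that is not part of the original thread; the secret, authenticator and password values below are constructed for illustration. It also shows the property a practitioner cares about: the same password sent under a different Request Authenticator produces different bytes on the wire, and only a holder of the shared secret can recover it.

```python
import hashlib


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Build the User-Password attribute value of an Access-Request (RFC 2865, 5.2).

    The password is NUL-padded to a multiple of 16 octets; block i is XORed with
    MD5(secret + previous block), where the "previous block" for the first block
    is the 16-octet Request Authenticator.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    prev, out = request_authenticator, bytearray()
    for i in range(0, len(padded), 16):
        c = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c  # chaining: the next key block depends on this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    prev, out = request_authenticator, bytearray()
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor16(c, hashlib.md5(secret + prev).digest())
        prev = c
    return bytes(out).rstrip(b"\x00")  # drop the RFC padding


if __name__ == "__main__":
    # Constructed sample values; a real NAS draws a fresh authenticator per request.
    secret = b"example-shared-secret"
    ra1, ra2 = bytes(range(16)), bytes(range(16, 32))
    pw = b"correct horse"
    h1 = hide_user_password(pw, secret, ra1)
    h2 = hide_user_password(pw, secret, ra2)
    assert reveal_user_password(h1, secret, ra1) == pw
    assert h1 != h2  # same password, different authenticator, different wire bytes
    print(h1.hex())
```

Because the key stream is just MD5 of the secret, everything rests on the strength of that shared secret and on the NAS never reusing a Request Authenticator; a weak or reused secret is the failure mode to audit.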