
RE: BillMax questions -- Plaintext Password



On Mon, 12 Aug 2002, Charlie Watts wrote:

> On Mon, 12 Aug 2002, Anthony Fleisher wrote:
>
> > On Mon, 12 Aug 2002, Brad wrote:
> >
> > >
> > > If on the off-chance that someone climbs a telephone pole,
> > > cracks out a modem line with their high-tech equipment, and
> > > sniffs the password- you don't have a big problem because you
> > > have only lost one username/password for all of that
> > > trouble.  On the other hand- if someone went through the
> > > same amount of trouble to break in to your RADIUS server
> > > and look at the plaintext passwords for CHAP- THEN you have
> > > a really big problem because you've lost *all* of your
> > > usernames and passwords.
> > >
> > > Neither are perfect solutions, but PAP is statistically more
> > > secure.
> > >
> >
> > Note also that, for PAP, the username/password is passed in the clear
> > over the network connection from the NAS (and/or Radius Proxy) to the
> > Radius server and therefore available for sniffing along the way; as
> > mentioned earlier, Radius packets are not encrypted.
>
> Uh.
>
> Hi, Tony. :-)
>
> But ... no, actually.
>
> In PAP, the username and password are passed in clear-text between the
> ends of the PPP connection (NAS and dial-up user, typically). And as
> mentioned, that's the least-likely-to-be-sniffed portion of a dial-up
> connection.
>
> But the password is encrypted (MD5, using the radius shared secret) when
> sent between the NAS and radius server.
>
> Radius w/ PAP does have some known problems, but it *is* encrypted.
>

Ugh! Yeah, my apologies for the misinformation. I was confusing two
different things; I should know better than to go from memory on things
like this without checking the specs. The packets themselves are not
encrypted, and can be sniffed, but that does *not* expose the password
itself.

Thanks for setting this straight.

Tony.

-- 
Anthony Fleisher	 <fleisher@mind.net>
Network Administrator
Internet Ventures Oregon

InfoStructure
Ashland, Oregon
Voice: (541)482-8324  Fax: (541)488-7599
