  1. Senior Member /usr's Avatar
    Join Date
    Dec 2003
    Location
    West Virginia
    Posts
    1,776
    #1

    CHAP question, may sound dumb...

    This is taken from Tcat's full pdf.

    The server challenges client.
    The challenge message, ID, and secret (user's password) are hashed with MD5 and sent to the server.
    The server performs the same hash.

    It goes on to say CHAP doesn't send the password across the wire.
    If that's the case, how does the server ever get the correct hash value to authenticate the client, if the password is part of the hash sent by the client?

    Maybe I'm just overlooking the obvious...

  3. Johan Hiemstra Forum Admin Webmaster's Avatar
    Join Date
    Jun 2002
    Location
    52n31, 6e06
    Posts
    10,383
    Blog Entries
    3

    Certifications
    MCSE NT4 MCSA 2000/2003 Security+ (expired: CWNA, CNA, CCNA)
    #2
    Simply put it goes like this:
    Client says: "Hey Server, 'I' want to logon" (challenge request)
    Server replies: "Here is a piece of text I want you to hash using your password as a key" (Challenge)
    Client hashes the challenge (not the password) using its password as the key and replies: "The outcome is xyz" (challenge response)
    Server knows the user's password and the challenge text it sent to the client, hence can perform the same calculation; if the outcome is xyz, the authentication request is accepted.

    Did you read our Sec+ TechNotes on this topic:
    http://www.techexams.net/technotes/s...tication.shtml
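The exchange described in the reply above, shown from both sides as an added example that is not part of the original thread. The hash layout (Identifier, then secret, then Challenge) follows RFC 1994; the `Server` class, the `chap_response` helper, and the account "alice" with its secret are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample account store (assumption). The server keeps the shared
# secret in recoverable form because it must recompute the same hash.
SERVER_SECRETS = {"alice": b"correct horse battery"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier octet || secret || Challenge (RFC 1994 layout)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Server:
    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}  # user -> (identifier, challenge) awaiting a response
        self.next_id = 0

    def issue_challenge(self, user):
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)  # fresh and unpredictable per attempt
        self.pending[user] = (self.next_id, challenge)
        return self.next_id, challenge

    def verify(self, user, identifier, response):
        # pop() makes each challenge single-use, so an old response cannot be replayed
        expected_id, challenge = self.pending.pop(user, (None, None))
        secret = self.secrets.get(user)
        if challenge is None or secret is None or identifier != expected_id:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    server = Server(SERVER_SECRETS)
    ident, chal = server.issue_challenge("alice")
    resp = chap_response(ident, b"correct horse battery", chal)  # client side
    ok = server.verify("alice", ident, resp)
    ident2, _ = server.issue_challenge("alice")
    replayed = server.verify("alice", ident2, resp)  # old response, new challenge
    ident3, chal3 = server.issue_challenge("alice")
    wrong = server.verify("alice", ident3, chap_response(ident3, b"guess", chal3))
    return ok, replayed, wrong


if __name__ == "__main__":
    print(demo())  # only the identifier, challenge and 16-byte digest cross the wire
```
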

  4. Senior Member /usr's Avatar
    Join Date
    Dec 2003
    Location
    West Virginia
    Posts
    1,776
    #3
    I guess what I want to know is how the server knows the user's password so it can perform the same hash to authenticate the client. I get that the password isn't sent during the authentication of the client, but the server still has to get the user's password, so how does it? I know this strays away from CHAP, which I now understand. Thanks.

  5. Johan Hiemstra Forum Admin Webmaster's Avatar
    Join Date
    Jun 2002
    Location
    52n31, 6e06
    Posts
    10,383
    Blog Entries
    3

    Certifications
    MCSE NT4 MCSA 2000/2003 Security+ (expired: CWNA, CNA, CCNA)
    #4
    Ask yourself this: if the server doesn't have your password stored, how can it even check if you type in the correct password? Even if you would use PAP (clear-text) instead of CHAP or whatever authentication method.

    I.e. in a Windows 2000 domain, usernames and passwords are stored in the Active Directory. In Windows NT 4 environments they are stored in the SAM. Networks can also use a centralized database server to store username and password combinations, such as RADIUS.

  6. Junior Member
    Join Date
    Oct 2003
    Location
    Norfolk, VA
    Posts
    11

    Certifications
    A+, Network+, CFOI, CISM, GSEC, GSLC, CISSP
    #5
    There is no such thing as a dumb question. If you had not asked yours, I would not now have Johan's beautiful yet simple explanation. Thanks to both of you.