CHAP question, may sound dumb...

/usr/usr Member Posts: 1,768
This is taken from Tcat's full PDF.

The server challenges client.
The challenge message, ID, and secret (user's password) are hashed with MD5 and sent to the server.
The server performs the same hash.

It goes on to say CHAP doesn't send the password across the wire.
If that's the case, how does the server ever get the correct hash value to authenticate the client, if the password is part of the hash sent by the client?

Maybe I'm just overlooking the obvious...


Webmaster Admin Posts: 10,292
Simply put it goes like this:
Client says: "Hey Server, 'I' want to logon" (challenge request)
Server replies: "Here is a piece of text I want you to hash using your password as a key" (Challenge)
Client hashes the challenge (not the password) using its password as the key and replies: "The outcome is xyz" (challenge response)
Server knows the user's password and the challenge text it sent to the client, hence can perform the same calculation; if the outcome is xyz the authentication request is accepted.

Did you read our Sec+ TechNotes on this topic:
/usr/usr Member Posts: 1,768
I guess what I want to know is how the server knows the user's password so it can perform the same hash to authenticate the client. I get that the password isn't sent during the authentication of the client, but the server still has to get the user's password, so how does it? I know this strays away from CHAP, which I now understand. Thanks.
Webmaster Admin Posts: 10,292
Ask yourself this: if the server doesn't have your password stored, how can it even check if you type in the correct password? Even if you would use PAP (clear-text) instead of CHAP or whatever authentication method.

I.e. in a Windows 2000 domain, usernames and passwords are stored in the Active Directory. In Windows NT 4 environments they are stored in the SAM. Networks can also use a centralized database server to store username and password combinations, such as RADIUS.
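The exchange Johan describes above, and the point that the server must already hold the user's secret, as an added Python example that is not part of the original thread. It uses the MD5 layout from RFC 1994 that the first post quotes (Identifier, secret and challenge hashed together); the credential store, user name and secret are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credential store: the server must already hold each user's secret
# (local database, SAM, Active Directory or a RADIUS backend) so it can repeat
# the client's hash. Only the hash crosses the wire, never the secret itself.
SERVER_CREDENTIALS = {"alice": b"correct horse battery"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, credentials):
        self.credentials = credentials
        self.pending = {}  # identifier -> outstanding random challenge

    def challenge(self, identifier: int) -> bytes:
        """Step 1: hand the client a fresh random challenge (with its Identifier)."""
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        """Step 3: recompute the hash with the stored secret and compare."""
        chal = self.pending.pop(identifier, None)  # each challenge is single-use
        secret = self.credentials.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def chap_exchange(server: ChapServer, username: str, secret: bytes, identifier: int = 1) -> bool:
    """Step 2 is the client's part: hash the challenge with its own copy of the secret.
    Returns True when the server accepts the response."""
    chal = server.challenge(identifier)
    response = chap_response(identifier, secret, chal)  # computed on the client
    return server.verify(identifier, username, response)


if __name__ == "__main__":
    srv = ChapServer(SERVER_CREDENTIALS)
    print(chap_exchange(srv, "alice", b"correct horse battery"))  # True
    print(chap_exchange(srv, "alice", b"wrong password"))  # False
```

Because the challenge is random and consumed on first use, a captured response cannot be replayed against a later challenge.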
spanishmoon Member Posts: 12
There is no such thing as a dumb question. If you had not asked yours, I would not now have Johan's beautiful yet simple explanation. Thanks to both of you.