CHAP question, may sound dumb...
This is taken from Tcat's full pdf.
The server challenges client.
The challenge message, ID, and secret (user's password) are hashed with MD5 and sent to the server.
The server performs the same hash.
It goes on to say CHAP doesn't send the password across the wire.
If that's the case, how does the server ever get the correct hash value to authenticate the client, if the password is part of the hash sent by the client?
Maybe I'm just overlooking the obvious...
Comments
Client says: "Hey Server, 'I' want to logon" (challenge request)
Server replies: "Here is a piece of text I want you to hash using your password as a key" (Challenge)
Client hashes the challenge (not the password) using its password as the key and replies: "The outcome is xyz" (challenge response)
Server knows the user's password and the challenge text it sent to the client, hence can perform the same calculation; if the outcome is xyz the authentication request is accepted.
Did you read our Sec+ TechNotes on this topic:
I.e. in a Windows 2000 domain, usernames and passwords are stored in the Active Directory. In Windows NT 4 environments they are stored in the SAM. Networks can also use a centralized database server to store username and password combinations such as RADIUS.
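The exchange described in the reply above, as an added example that is not part of the original thread: both sides hash the ID, the shared secret and the challenge with MD5 (the order used here follows RFC 1994), so only the ID, the challenge and the digest cross the wire. The `ChapServer` class, the user `alice` and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Hypothetical authenticator holding its own copy of each user's secret."""

    def __init__(self, secrets):
        self.secrets = secrets   # username -> shared secret (never transmitted)
        self.pending = {}        # username -> (identifier, challenge) awaiting a reply
        self.next_id = 0

    def challenge(self, user):
        self.next_id = (self.next_id + 1) % 256   # Identifier is a single octet
        chal = os.urandom(16)                     # fresh, unpredictable per attempt
        self.pending[user] = (self.next_id, chal)
        return self.next_id, chal

    def verify(self, user, response):
        ident, chal = self.pending.pop(user, (None, None))  # challenge is one-shot
        if chal is None or user not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[user], chal)
        return hmac.compare_digest(expected, response)      # constant-time compare


def demo():
    secret = b"correct horse"                     # constructed sample secret
    server = ChapServer({"alice": secret})
    ident, chal = server.challenge("alice")
    good = chap_response(ident, secret, chal)     # computed on the client
    wire = bytes([ident]) + chal + good           # all that crosses the network
    out = {"secret_on_wire": secret in wire,
           "accepted": server.verify("alice", good)}
    server.challenge("alice")                     # new attempt, new challenge
    out["replay_accepted"] = server.verify("alice", good)
    ident3, chal3 = server.challenge("alice")
    out["wrong_secret_accepted"] = server.verify(
        "alice", chap_response(ident3, b"guess", chal3))
    return out


if __name__ == "__main__":
    print(demo())
```

The server can only recompute the digest because it holds the secret itself, which is why the credential store mentioned in the reply has to be able to supply it.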