CHAP, MSCHAP & SPAP - Which 2 require the password to be stored with reversible encryption?
Devilsbane (Member, 4,214 posts)
in Security+
I know that CHAP requires you to store the password using reversible encryption in AD. The book I'm reading says that MSCHAPv1 is the same but SPAP does not. I was thinking it was the other way, that MSCHAP didn't need reversible encryption but SPAP did.
Anyone know? My Darril Gibson book is currently out on loan right now.
Decide what to be and go be it.
Comments
Psoasman (Member, 2,687 posts)
If I am remembering right, CHAP and SPAP use the reversible encryption. MS-CHAP does not.

Devilsbane (Member, 4,214 posts)
Psoasman wrote: "If I am remembering right, CHAP and SPAP use the reversible encryption. MS-CHAP does not."
I was thinking the same thing, but the chart in my 299 book says CHAP and MSCHAP. I pulled out my 298 book and it contained the exact same chart. (With many of the identical paragraphs and notes) 293 book also said CHAP but didn't say much about SPAP or MSCHAP.
So now I'm really at a loss. If MSCHAP required it, it would almost certainly be noted because it is so well known. SPAP is mostly mysterious since it never gets used. But how would the authors/editors of both books miss this error?
Decide what to be and go be it.

instant000 (Member, 1,745 posts)
To my knowledge, storing passwords using reversible encryption is a "checkbox" that you choose to check, or not to check.
PAP - password is transmitted as plain text, so security definitely isn't a concern here, if you're using this
CHAP - both sides know the plain text, but do not send it in the clear
MS-CHAP - deals with hashes, Microsoft provides an option of storing the password with reversible encryption
Note: All are vulnerable to brute force, and M$ recommends having accounts set to lock out after a number of invalid attempts.
Of course, if your password is "sniffed" or "cracked" or "discovered" or "shared" or "known" then any such preventive measures are invalid.
So, to answer your question, I've not heard of your question phrased in that way.
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
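An added illustration (not from the thread) of the distinction instant000 draws: RFC 1994 CHAP has the authenticator recompute MD5(Identifier || secret || Challenge), so the server must hold the secret itself, whereas a scheme in which both sides work from a one-way hash of the password lets the server store only that hash. The hash-based half below is a simplified stand-in for the MS-CHAP design, not the real MS-CHAP algorithm (which uses the MD4-based NT hash and DES), and the password and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

# RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).
# The authenticator recomputes this value, so it must hold the secret itself,
# which is why CHAP against a Windows domain needs the password kept with
# "Store passwords using reversible encryption".
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

# Simplified stand-in for the MS-CHAP design (assumption: this is NOT the real
# MS-CHAP algorithm, which uses the MD4-based NT hash and DES). Both sides
# derive the response from a one-way hash of the password, so the server keeps
# only that hash and never needs the reversibly stored password.
def password_verifier(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def hashed_response(identifier: int, verifier: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + verifier + challenge).digest()

def hashed_verify(identifier: int, stored_verifier: bytes, challenge: bytes,
                  response: bytes) -> bool:
    expected = hashed_response(identifier, stored_verifier, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    """Run one round of each scheme against different server-side stores."""
    password = "correct-horse-battery"          # constructed sample password
    challenge, ident = os.urandom(16), 7         # fresh per-session challenge
    secret = password.encode("utf-8")
    client_chap = chap_response(ident, secret, challenge)
    client_hashed = hashed_response(ident, password_verifier(password), challenge)
    return {
        # server keeps the (reversibly stored) password: CHAP succeeds
        "chap_reversible_store": chap_verify(ident, secret, challenge, client_chap),
        # server keeps only a one-way hash: it cannot rebuild the CHAP response
        "chap_hash_only_store": chap_verify(ident, password_verifier(password),
                                            challenge, client_chap),
        # hash-based scheme: the stored hash alone is enough to verify
        "hashed_hash_only_store": hashed_verify(ident, password_verifier(password),
                                                challenge, client_hashed),
    }

if __name__ == "__main__":
    print(demo())  # {'chap_reversible_store': True, 'chap_hash_only_store': False, 'hashed_hash_only_store': True}
```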
Devilsbane (Member, 4,214 posts)
instant000 wrote: "To my knowledge, storing passwords using reversible encryption is a "checkbox" that you choose to check, or not to check."
This is correct, however in some cases (such as when you are using CHAP on a VPN connection) if you don't check this then authentication will always fail.
My question is, is it SPAP or MS-CHAP that also requires the password to be stored with reversible encryption?
Decide what to be and go be it.

instant000 (Member, 1,745 posts)
instant000 wrote: "To my knowledge, storing passwords using reversible encryption is a "checkbox" that you choose to check, or not to check."
Devilsbane wrote: "This is correct, however in some cases (such as when you are using CHAP on a VPN connection) if you don't check this then authentication will always fail.
My question is, is it SPAP or MS-CHAP that also requires the password to be stored with reversible encryption?"
MS-CHAP stores hashes, the password is not stored. Reversing the encryption is an optional checkbox, that is NOT recommended.
Also, the reason the VPN's fail is that they aren't designed to work with the randomizing that occurs with MS-CHAP's regeneration of magic numbers and whatever other hocus-pocus it tries to throw out there to make you "think" you have a more secure connection.
If a product requires that you use reversible encryption, you may want to get away from that product. (if possible).
Store passwords using reversible encryption: Security Configuration Editor
PAP - Password Authentication Protocol
SPAP - Shiva Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
MS-CHAPV1 - Microsoft Challenge Handshake Authentication Protocol v1
MS-CHAPV2 - Microsoft Challenge Handshake Authentication Protocol v2
Based on reading these articles, the answer to your question is CHAP, SPAP
Let me know if this helps.
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)

Devilsbane (Member, 4,214 posts)
instant000 wrote: "Based on reading these articles, the answer to your question is CHAP, SPAP. Let me know if this helps."
Not really lol. I've read these articles already, and due to the wording of SHIVA I agree with your assessment of MSCHAP and SPAP. This would mean that both books are wrong, and I want to be absolutely sure of that before I make the correction in them.
The whole thing is pretty vague.
Notice in the CHAP article it says: "3. Enable storage of a reversibly encrypted form of the user password."
In SPAP all it says is: "Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva."
In MS-CHAP1 it says: "is a nonreversible, encrypted password authentication protocol."
Maybe I'm being too picky here, but I'm just looking for a (reputable) source that makes a statement in a fashion similar to how it is stated with CHAP before I make a correction in my two books.
+rep for providing the sources, it is much appreciated.
Decide what to be and go be it.