CHAP MSCHAP & SPAP -Which 2 require the password to be stored with reversible encrypt

I know that CHAP requires you to store the password using reversible encryption in AD. The book I'm reading says that MSCHAPv1 is the same but SPAP does not. I was thinking it was the other way, that MSCHAP didn't need reversible encryption but SPAP did.

Anyone know? My Darril Gibson book is currently out on loan right now.

Find more posts tagged with

Comments

Psoasman

If I am remembering right, CHAP and SPAP use the reversible encryption. MS-CHAP does not.

Devilsbane

Psoasman wrote: »

If I am remembering right, CHAP and SPAP use the reversible encryption. MS-CHAP does not.

I was thinking the same thing, but the chart in my 299 book says CHAP and MSCHAP. I pulled out my 298 book and it contained the exact same chart. (With many of the identical paragraphs and notes) 293 book also said CHAP but didn't say much about SPAP or MSCHAP.

So now I'm really at a loss. If MSCHAP required it, it would almost certainly be noted because it is so well known. SPAP is mostly mysterious since it never gets used. But how would the authors/editors of both books miss this error?

instant000

To my knowledge, storing passwords using reversible encryption is a "checkbox" that you choose to check, or not to check.

PAP - password is transmitted as plain text, so security definitely isn't a concern here, if you're using this
CHAP - both sides know the plain text, but do not send it in the clear
MS-CHAP - deals with hashes, Microsoft provides an option of storing the password with reversible encryption

Note: All are vulnerable to brute force, and M$ recommends having accounts set to lock out after a number of invalid attempts.

Of course, if your password is "sniffed" or "cracked" or "discovered" or "shared" or "known" then any such preventive measures are invalid.

So, to answer your question, I've not heard of your question phrased in that way.

Devilsbane

instant000 wrote: »

To my knowledge, storing passwords using reversible encryption is a "checkbox" that you choose to check, or not to check.

This is correct, however in some cases (such as when you are using CHAP on a VPN connection) if you don't check this then authentication will always fail.

My question is, is it SPAP or MS-CHAP that also requires the password to be stored with reversible encryption?

instant000

instant000 wrote:

To my knowledge, storing passwords using reversible encryption is a "checkbox" that you choose to check, or not to check.

Devilsbane wrote: »

This is correct, however in some cases (such as when you are using CHAP on a VPN connection) if you don't check this then authentication will always fail.

My question is, is it SPAP or MS-CHAP that also requires the password to be stored with reversible encryption?

MS-CHAP stores hashes, the password is not stored. Reversing the encryption is an optional checkbox, that is NOT recommended.

Also, the reason the VPN's fail is that they aren't designed to work with the randomizing that occurs with MS-CHAP's regeneration of magic numbers and whatever other hocus-pocus it tries to throw out there to make you "think" you have a more secure connection.

If a product requires that you use reversible encryption, you may want to get away from that product. (if possible).

Store passwords using reversible encryption: Security Configuration Editor

PAP
Password Authentication Protocol

SPAP
Shiva Password Authentication Protocol

CHAP
Challenge Handshake Authentication Protocol

MS-CHAPV1
Microsoft Challenge Handshake Authentication Protocol v1

MS-CHAPV2
Microsoft Challenge Handshake Authentication Protocol v2

Based on reading these articles, the answer to your question is CHAP, SPAP

Let me know if this helps

Devilsbane

instant000 wrote: »

Based on reading these articles, the answer to your question is CHAP, SPAP

Let me know if this helps

Not really lol. I've read these articles already, and due to the wording of SHIVA I agree with your assessment of MSCHAP and SPAP. This would mean that both books are wrong, and I want to be absolutely sure of that before I make the correction in them.

The whole thing is pretty vague.

Notice in the chap article it says

3. Enable storage of a reversibly encrypted form of the user password.

In SPAP all it says is

Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva.

It doesn't contain a step for enabling a reversibly encrypted password like CHAP does.

In MS-CHAP1 it says

is a nonreversible, encrypted password authentication protocol.

Maybe I'm being too picky here, but I'm just looking for a (reputable) source that makes a statement in a fashion similar to how it is stated with CHAP before I make a correction in my two books.

+rep for providing the sources, it is much appreciated.

instant000

Please click one of the Quick Reply icons in the posts above to activate Quick Reply.