Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Peder Angvall (pederangvall.com)
Date: Tue Jul 03 2001 - 12:55:08 CDT
From RFC 1994 (CHAP):
"CHAP requires that the secret be available in plaintext form.
Irreversably encrypted password databases commonly available cannot
----- Original Message -----
From: "Carson Gaspar" <carsontaltos.org>
To: "Eric Vyncke" <evynckecisco.com>; <bugtraqsecurityfocus.com>
Sent: Monday, July 02, 2001 5:35 PM
Subject: Re: Cisco Security Advisory: IOS HTTP authorization vulnerability
> --On Friday, June 29, 2001 10:00 AM +0200 Eric Vyncke <evynckecisco.com>
> > As you probably know, for some password (used notably for SNMP, CHAP,
> > PAP, IKE, ...) there is a protocol need to get those passwords in the
> > clear. Hence, the obfuscation mechanism will always be reversible. Even
> > using 3DES will require a hard coded key hidden somewhere in the IOS
> > code (and a 'simple' reverse engineering will expose this key).
> > Of course, suggestions are welcome
> For CHAP, do you actually need the password in the clear, or do you need
> the password+realm hash? The latter is far less dangerous.