|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Peder Angvall (peder
angvall.com)Date: Tue Jul 03 2001 - 12:55:08 CDT
From RFC 1994 (CHAP):
"CHAP requires that the secret be available in plaintext form.
Irreversably encrypted password databases commonly available cannot
be used."
Peder
----- Original Message -----
From: "Carson Gaspar" <carsontaltos.org>
To: "Eric Vyncke" <evynckecisco.com>; <bugtraqsecurityfocus.com>
Sent: Monday, July 02, 2001 5:35 PM
Subject: Re: Cisco Security Advisory: IOS HTTP authorization vulnerability
>
>
> --On Friday, June 29, 2001 10:00 AM +0200 Eric Vyncke <evynckecisco.com>
> wrote:
>
> > As you probably know, for some password (used notably for SNMP, CHAP,
> > PAP, IKE, ...) there is a protocol need to get those passwords in the
> > clear. Hence, the obfuscation mechanism will always be reversible. Even
> > using 3DES will require a hard coded key hidden somewhere in the IOS
> > code (and a 'simple' reverse engineering will expose this key).
> >
> > Of course, suggestions are welcome
>
> For CHAP, do you actually need the password in the clear, or do you need
> the password+realm hash? The latter is far less dangerous.
>
> --
> Carson
>
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]