Actually, no, MS-CHAP is exactly the same as CHAP in that respect -- all that was done was that they changed what they're considering to be the clear-text secret from a user-typed string to a string derived from a user-typed string via a hash and substituted a different verification hash.

MS-CHAP works by first hashing the user's "password" via either DES or MD4 (depending on the version) into a key value. This key value is the value which is actually stored in the NT registry. The challenge is then encrypted using DES with this key value as the DES key to generate the response. (In much the same manner that standard CHAP hashes the challenge value plus the ID field and the shared secret using MD5.)

Note that it's not at all necessary for a system cracker to have the user's "password" in order to authenticate himself to an NT server running MS-CHAP. All that is necessary is that key value, which is conveniently stored in clear-text form in the NT registry. There's no way an NT server can possibly tell whether the remote peer started with the user's "password" and hashed that to arrive at the key value, or if he had a stolen copy of the key value and skipped the initial step entirely. All it cares about is the result of the DES hash using the challenge and the key value alone. If you consider DES hash to be an acceptable substitute for the MD5 hash, then MS-CHAP is exactly the same as CHAP in terms of security up to this point.

I'm not at all a Microsoft software expert, nor would I claim to know exactly what weaknesses are extant in their system. I do know that a utility called "PWDUMP" has been described in several industry publications which claims to be able to dump the contents of the NT registry. If this includes the hashed user passwords (what I call the "key values" above), then I think they're sunk.

MS-CHAP also offers the ability for a user to change his password once authenticated. If a cracker steals one of these key values and then uses this feature to change the key value for which he does know the "source" password, then he will be able to authenticate himself to the NT system for complete access as that user and will also conveniently lock out that pesky legitimate user.

C2? Hmm. Interesting.

---
James Carlson <carlson@xylogics.com>, Prin Engr        Tel: +1 508 916 4351
Bay Networks - Annex I/F Develop. / 8 Federal ST            +1 800 225 3317
Mail Stop BL08-05 / Billerica MA 01821-3548            Fax: +1 508 916 4789

++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <<A HREF="http://www.shore.net/~dreaming/ascend-faq">http://www.shore.net/~dreaming/ascend-faq</A>> or <<A HREF="ftp://ftp.shore.net/members/dreaming/ascend-faq.txt">ftp://ftp.shore.net/members/dreaming/ascend-faq.txt</A>>
</PRE>
<HR>
<STRONG>References</STRONG>:
<UL>
<LI><STRONG><A HREF="msg05913.html">Re: (ASCEND) CHAP authentication - I hate to ask, but...</A></STRONG>
<UL>
<LI><EM>From</EM>: Andre Beck <beck@ibh-dd.de></LI>
</UL>
</LI>
</UL>
</BODY>
</HTML>
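The computation the message describes, as an added example that is not part of the original post and not Microsoft's code: a Go program that derives the NT key value (MD4 over the UTF-16LE password) and the 24-byte MS-CHAP response (the hash zero-padded to 21 bytes, cut into three 7-byte DES keys, each encrypting the 8-byte challenge, as RFC 2433 specifies), then runs the server-side check against a response computed from a dumped hash alone. It follows the MD4/NT path rather than the DES-based LM hash the message also mentions. The password "password", the challenge bytes and the function names are constructed for this example; Go's standard library has DES but not MD4, so a compact MD4 is included.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 is a compact MD4 (RFC 1320); Go's standard library does not ship one.
func md4(data []byte) [16]byte {
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	msg := append([]byte{}, data...)
	msg = append(msg, 0x80) // pad: 0x80, zeros to 56 mod 64, then 64-bit LE bit length
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(data))*8)
	msg = append(msg, l[:]...)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: each step updates one word, then the words rotate
			a, b, c, d = d, rotl(a+f(b, c, d)+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2
			a, b, c, d = d, rotl(a+g(b, c, d)+x[r2[i]]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3
			a, b, c, d = d, rotl(a+h(b, c, d)+x[r3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is the stored "key value" the post refers to: MD4 of the UTF-16LE password.
func ntHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

// desKey spreads 7 key bytes over 8 so that each byte's low bit is the DES
// parity bit; DES ignores parity, so those bits are simply left clear.
func desKey(k [7]byte) []byte {
	out := make([]byte, 8)
	out[0] = k[0] >> 1
	for i := 1; i < 7; i++ {
		out[i] = k[i-1]<<(7-uint(i)) | k[i]>>(uint(i)+1) // stray high bit falls off in the final shift
	}
	out[7] = k[6] & 0x7f
	for i := range out {
		out[i] <<= 1
	}
	return out
}

// msChapResponse builds the 24-byte response from the key value alone: pad the
// hash to 21 bytes, split into three DES keys, encrypt the challenge under each.
func msChapResponse(hash [16]byte, challenge [8]byte) []byte {
	var z [21]byte
	copy(z[:], hash[:])
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		var k [7]byte
		copy(k[:], z[7*i:7*i+7])
		block, err := des.NewCipher(desKey(k))
		if err != nil {
			panic(err) // only for a wrong key length, which cannot happen here
		}
		block.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// serverVerify is all the server does: recompute from the stored key value and
// compare. Nothing here depends on how the peer obtained that value.
func serverVerify(storedHash [16]byte, challenge [8]byte, response []byte) bool {
	return bytes.Equal(msChapResponse(storedHash, challenge), response)
}

func main() {
	challenge := [8]byte{0x10, 0x2d, 0xb5, 0xdf, 0x08, 0x5d, 0x30, 0x41} // constructed sample
	stored := ntHash("password")                                       // what the registry holds
	fromPassword := msChapResponse(ntHash("password"), challenge)      // legitimate client
	fromDump := msChapResponse(stored, challenge)                      // attacker with the dumped hash
	fmt.Println("stored key value:", hex.EncodeToString(stored[:]))
	fmt.Println("password-derived response accepted:", serverVerify(stored, challenge, fromPassword))
	fmt.Println("dumped-hash response accepted:     ", serverVerify(stored, challenge, fromDump))
}
```

Both verification calls in `main` print true: the server sees identical 24-byte responses, which is the indistinguishability the message argues. Only the hash needs to be protected; a dumped registry value is as good as the password for this exchange.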