[REVS] Cheating CHAP

From: support@securiteam.com
Date: 02/24/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 24 Feb 2002 23:23:12 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Cheating CHAP
------------------------------------------------------------------------

SUMMARY

A paper explaining a weakness in the CHAP protocol as used within PPP
and PPTP has been released. The vulnerability described allows for
authentication in PPTP networks without knowing a valid login and
password.

DETAILS

Abstract:
The Challenge Handshake Authentication Protocol (CHAP) is used to verify
the identity of a peer in a 3-way handshake and is usually embedded in
other protocols, commonly PPP. Several extensions (MS-CHAP) exist to allow
the encryption of link layer packets via CHAP authenticated connections.
This paper describes how CHAP may be attacked, gaining unauthorized
access to CHAP protected dial-ins or VPNs, and shows that CHAP is not the
right protocol to authenticate clients in IP networks.
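For a concrete picture of the 3-way exchange the abstract refers to, the following is an added example (not from the advisory or the paper) of RFC 1994 CHAP in Python: the authenticator issues a random challenge, the peer answers with MD5(Identifier || secret || Challenge), and the authenticator recomputes that value from its own plaintext copy of the secret. It also shows two properties a defender should check in any CHAP deployment: each challenge is fresh and usable once, and the verifier must hold the reusable plaintext secret. The peer name, secret and identifier are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the shared secret known to peer and authenticator.
SHARED_SECRETS = {"alice": b"constructed-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 sec. 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Authenticator side: remembers the outstanding challenge per identifier."""

    def __init__(self, secrets):
        self.secrets = secrets      # CHAP needs the plaintext secret to verify
        self.pending = {}           # identifier -> challenge awaiting a response

    def challenge(self, identifier: int, nbytes: int = 16) -> bytes:
        # Fresh, unpredictable challenge per attempt so captured responses
        # cannot simply be replayed later.
        chal = os.urandom(nbytes)
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Consume the challenge: a response is valid against it at most once.
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_handshake(auth: Authenticator, name: str, secret: bytes,
                  identifier: int = 1) -> bool:
    """Peer side of the 3-way handshake: Challenge -> Response -> Success/Failure."""
    chal = auth.challenge(identifier)            # 1. authenticator -> peer
    resp = chap_response(identifier, secret, chal)  # 2. peer -> authenticator
    return auth.verify(identifier, name, resp)   # 3. Success (True) / Failure


if __name__ == "__main__":
    auth = Authenticator(SHARED_SECRETS)
    print("correct secret:", run_handshake(auth, "alice", b"constructed-secret"))
    print("wrong secret:  ", run_handshake(auth, "alice", b"wrong"))
```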

ADDITIONAL INFORMATION

The complete paper can be downloaded from:
http://stealth.7350.org/chap.pdf

The information has been provided by Sebastian Krahmer
<krahmer@cs.uni-potsdam.de>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

