
Article:   A Technical Comparison of TTLS and PEAP
Subject:   MS-Chap is designed for MS Databases
Date:   2003-07-28 16:11:26
From:   anonymous2
Response to: MS-Chap is designed for MS Databases

Actually it is correct, but probably deserves a more detailed explanation.


>> It is trivial to create the hash from the clear text password, and this can
>> be done by the RADIUS server during authentication.


This is correct, but unfortunately in a PEAP(MS-CHAP-V2) exchange, the RADIUS server never receives the clear text password from the user.


Remember, CHAP, MS-CHAP and MS-CHAP-V2 are all challenge-based exchanges, where the server generates a random challenge and sends it to the supplicant. The supplicant then uses that challenge to hash the user's password, returning the result in a challenge response to the server. The server then uses the same challenge that was sent to the supplicant to hash its stored version of the password, and it compares its result with the result returned in the challenge response. If they match, then the user must have supplied the same password that the server retrieved from the database.


The tricky part is that with MS-CHAP, when the supplicant receives the challenge from the server, it hashes the NT-Hash of the password with the challenge, and returns the NT-HASH-HASH of the password in the challenge response. This means that the server also has to use the NT-Hash of the password as input in order for the results to match.


Hopefully it makes a bit more sense this time :)
The bottom line:
PEAP(MS-CHAP-V2) will only work when the database that the RADIUS server is pointing to stores the user's NT-HASH of their password.


  • MS-Chap is designed for MS Databases
    2003-08-18 05:29:28  anonymous2

    > This is correct, but unfortunately in a PEAP(MS-CHAP-V2) exchange, the RADIUS server never receives the clear text password from the user.

    Correct... But I think you are missing the point.
    The message above is talking about the cleartext password being available on the server side, read from a database of some kind and not sent by the client as you stated.

    > The bottom line:
    > PEAP(MS-CHAP-V2) will only work when the database that the RADIUS server is pointing to stores the user's NT-HASH of their password.

    Wrong...

    Let's think about this. To get the NT-HASH of the password on the client side you will need to NT-HASH the cleartext password typed in by the user.

    Hmmm, to get the NT-HASH password on the server side you need to either have the NT-HASH of the clear-text password OR.... have the clear-text password and NT-HASH that... so to add to your bottom line:
    PEAP(MS-CHAP-V2) will only work when the database that the RADIUS server is pointing to stores the user's NT-HASH of their password or uses a clear-text password to create the NT-HASH.


    :P

    SW2.
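The exchange both posts describe, as an added example that is not part of the original thread: the supplicant computes the MS-CHAP-V2 response from the NT hash (MD4 of the UTF-16LE password, RFC 2759) and the challenge hash, and the RADIUS side can only reproduce it from a stored NT hash or from a stored cleartext password it can turn into one, never from an unrelated hash such as a salted SHA-256. The MD4 is implemented inline because most OpenSSL 3 builds hide it from hashlib; one assumption is that HMAC-SHA1 stands in for the three DES encryptions of the real response step, since the standard library has no DES, so the responses are not wire-compatible even though the data flow is the same.

```python
import hashlib, hmac, struct

MASK = 0xFFFFFFFF
_ROUNDS = (  # (mix function, additive constant, shifts, message-word order) per RFC 1320
    (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)

def md4(data: bytes) -> bytes:
    """MD4 in pure Python: OpenSSL 3 builds usually hide md4 from hashlib."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for fn, k, shifts, order in _ROUNDS:
            for i, word in enumerate(order):
                r, s = -i % 4, shifts[i % 4]  # registers update in the order a, d, c, b
                t = (v[r] + fn(v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4]) + x[word] + k) & MASK
                v[r] = ((t << s) | (t >> (32 - s))) & MASK
        h = [(a + b) & MASK for a, b in zip(h, v)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:            # NtPasswordHash, RFC 2759 section 8.3
    return md4(password.encode("utf-16-le"))
def challenge_hash(peer: bytes, auth: bytes, user: str) -> bytes:   # RFC 2759 section 8.2
    return hashlib.sha1(peer + auth + user.encode()).digest()[:8]

def nt_response(nthash: bytes, chash: bytes) -> bytes:
    # RFC 2759 section 8.1 DES-encrypts chash under three 7-byte slices of the zero-padded 21-byte
    # NT hash. Assumed stand-in: HMAC-SHA1 keyed by each slice (no DES in the standard library).
    padded = nthash.ljust(21, b"\x00")
    return b"".join(hmac.new(padded[i:i + 7], chash, "sha1").digest()[:8] for i in (0, 7, 14))

def client_respond(password: str, peer: bytes, auth: bytes, user: str) -> bytes:
    """Supplicant side: only the NT hash of the typed password feeds the response."""
    return nt_response(nt_hash(password), challenge_hash(peer, auth, user))

def server_verify(stored: dict, response: bytes, peer: bytes, auth: bytes, user: str) -> bool:
    """RADIUS side, for three back-end storage formats."""
    if "nthash" in stored:          # NT hash stored directly (Active Directory style)
        nth = stored["nthash"]
    elif "cleartext" in stored:     # cleartext stored: derive the NT hash on the fly
        nth = nt_hash(stored["cleartext"])
    else:                           # e.g. salted SHA-256: the NT hash cannot be recovered
        return False
    return hmac.compare_digest(nt_response(nth, challenge_hash(peer, auth, user)), response)
```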