Re: PEAP / MSCHAP2 / LDAP

Thu, 26 Feb 2004 02:31:24 -0800

hi


I just can't leave it alone.... sorry...

yes it actually seems to bother you more than i would have expected, but well... :-)


You talk about an attacker attacking the NTHASH...

Why did you bring this in? I thought the discussion was about PEAP-MSCHAPV2 LDAP compatibility...

actually, for me it was kind of about clear-text password and challenge-response systems, but ok. i didn't want to think about it in mschap-dimensions only. the attack remark was supposed to clarify that mschap didn't essentially change the problem.


PEAP makes sure the attacker can't get at MSCHAPV2 and MSCHAPV2
allows the use of an database fill of hashed passwords which
could be considered safer than clear text...

So why talk about attacking the NTHASH... I don't understand... why?

i wasn't talking about attacks against NT-HASH and not about PEAP. we were talking about MS-CHAP (which actually exists without PEAP.)

i just made the remark that the system as you presented it does not change much for the discussion of the basics (which we were leading in my opinion). once again, for me, the only important point was that given one hash function it would be wrong to generally conclude that you can store the hashed password and then use the same hash function in the related challenge response protocol. ok? that is all that counts.

now, for the database... i agree that you gain the advantage of not storing the clear text passwords (however probably without any salt). but that has nothing to do with the equality of hashes etc. as i said, "nt-hash" is not equal "hash" in your own post and it still works.


Maybe you were talking about an inside attack, when the NTHASH
is retreived from LDAP? But again can't SSL be used to secure the line?

again, i wasn't talking about PEAP at all.


ciao
artur


--
__________________________________________________________
Artur Hecker                    http://www.enst.fr/~hecker
Groupe AccÃs et Mobilità  /  Computer Science and Networks
E N S T  Paris ___________________________________________


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to