On 30/03/12 10:38, Fajar A. Nugraha wrote:
How easy is it to crack
such a password? An authentification wouldn't have happened but the
attacker would have had the encrypted usernames and passwords.
They won't.
Not immediately. But MSCHAP is a complex (and old) algorithm, and it is
possible to perform a known-ciphertext attack. See e.g.
http://code.google.com/p/mschapv2acc/
I'd wager this attack could be improved a lot by capturing multiple
chal/resp pairs and doing clever stuff with them, but my crypto maths
are very rusty by this point.
The takeaway is that you should not be doing MSCHAP over an insecure
channel, IMO.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
