From RFC 1994 (CHAP):
"CHAP requires that the secret be available in plaintext form.
Irreversibly encrypted password databases commonly available cannot
be used."
Peder
----- Original Message -----
From: "Carson Gaspar" <[EMAIL PROTECTED]>
To: "Eric Vyncke" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, July 02, 2001 5:35 PM
Subject: Re: Cisco Security Advisory: IOS HTTP authorization vulnerability
>
>
> --On Friday, June 29, 2001 10:00 AM +0200 Eric Vyncke <[EMAIL PROTECTED]>
> wrote:
>
> > As you probably know, for some password (used notably for SNMP, CHAP,
> > PAP, IKE, ...) there is a protocol need to get those passwords in the
> > clear. Hence, the obfuscation mechanism will always be reversible. Even
> > using 3DES will require a hard coded key hidden somewhere in the IOS
> > code (and a 'simple' reverse engineering will expose this key).
> >
> > Of course, suggestions are welcome
>
> For CHAP, do you actually need the password in the clear, or do you need
> the password+realm hash? The latter is far less dangerous.
>
> --
> Carson
>
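Added example (not from the thread or from Cisco): a small Python model of the two hash constructions the thread contrasts, showing why a CHAP verifier needs the plaintext secret while an HTTP Digest server can get by with the "password+realm hash" Carson mentions. The RFC 1994 response is MD5(Identifier || secret || Challenge); the RFC 2617 Digest response (no qop) is MD5(HA1:nonce:HA2) with HA1 = MD5(user:realm:password). All secrets, names, challenge bytes and nonces below are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response = MD5(Identifier || secret || Challenge).

    The one-byte Identifier comes first, so no part of the MD5 computation
    over the secret can be precomputed and stored in place of the secret.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_value: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator-side check. 'stored_value' is whatever the database holds:
    the plaintext secret (works) or some one-way hash of it (cannot work,
    because the peer hashed the plaintext, not the stored hash)."""
    expected = chap_response(identifier, stored_value, challenge)
    return hmac.compare_digest(expected, response)


def digest_ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password); this is the 'password+realm
    hash' a server may store instead of the password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    The client and server both start from HA1, so the server never needs the
    password itself."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def chap_demo() -> tuple[bool, bool]:
    """Returns (verified_with_plaintext, verified_with_stored_hash)."""
    secret = b"example-chap-secret"          # constructed sample secret
    identifier = 0x2A                         # constructed CHAP Identifier
    challenge = os.urandom(16)                # per-exchange random challenge
    # Peer always hashes the plaintext secret it was provisioned with.
    response = chap_response(identifier, secret, challenge)
    ok_plaintext = chap_verify(identifier, secret, challenge, response)
    # Database that kept only an irreversible hash of the secret: the
    # authenticator can no longer reproduce the peer's response.
    stored_hash = hashlib.sha256(secret).digest()
    ok_hashed = chap_verify(identifier, stored_hash, challenge, response)
    return ok_plaintext, ok_hashed


def digest_demo() -> bool:
    """Server holds only HA1, client holds the password; the check still works."""
    user, realm, password = "alice", "example-realm", "example-pw"  # constructed
    nonce = os.urandom(8).hex()
    # Client side: derives HA1 from the password it knows.
    client_resp = digest_response(digest_ha1(user, realm, password), nonce,
                                  "GET", "/index.html")
    # Server side: stored HA1 only, password never present.
    stored_ha1 = digest_ha1(user, realm, password)
    server_resp = digest_response(stored_ha1, nonce, "GET", "/index.html")
    return hmac.compare_digest(client_resp, server_resp)


if __name__ == "__main__":
    print("CHAP (plaintext, hashed-db):", chap_demo())   # (True, False)
    print("Digest with stored HA1:", digest_demo())      # True
```

The asymmetry is the whole point of Peder's RFC quote: in Digest the stored hash is itself the quantity the protocol hashes again, so it is a drop-in replacement for the password; in CHAP the secret is hashed in a single pass with the Identifier in front of it, so the authenticator must hold the secret as the peer holds it, in the clear.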