> On Thu, 16 Jul 1998, Toomas Losin wrote:
>
> > There is a form of CHAP that uses an encrypted password rather than
> > the plaintext. I know that newer versions of pppd support it.
>
> There can't be. The way CHAP authenticates is dependent on having
> the cleartext at both ends.
The CHAP protocol is dependent on having a shared secret, but it doesn't
have to be a cleartext password; that's only one type of "authentication
algorithm" (as the RFC calls it).
M*crosoft created another, non-standard, algorithm that uses an
encrypted password as the shared secret. The only advantage is that
the original password can't be recovered (and used elsewhere) if one
end is compromised; there is no other increase in security.
References:
- RFC 1994 (CHAP)
- README.MSCHAP80 from the pppd distribution.
-- Toomas Losin ParaLynx Internet tlo@paralynx.com New Westminster, BC
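The point made in the reply above (CHAP needs a shared secret at both ends, but that secret need not be the cleartext password, and storing a derived value only keeps the password itself out of a compromised store) can be seen in a small worked exchange. The following is an added example, not code from the thread, from pppd, or from the MS-CHAP README it cites. It implements the MD5 variant of CHAP from RFC 1994 (Response = MD5(Identifier || secret || Challenge)); the `derived_secret` function is a hypothetical stand-in that uses SHA-256 to illustrate a "hashed secret" variant and is not MS-CHAP's actual construction. The challenge bytes are constructed for repeatability; a real authenticator uses fresh random bytes per challenge.

```python
import hashlib
import hmac
import os

# Added example (not from the thread): RFC 1994 CHAP with the MD5 algorithm.
# Response = MD5(Identifier || secret || Challenge). Both ends must hold the
# same secret in a form they can feed to MD5; the protocol does not care
# whether that secret is the cleartext password or a value derived from it.


def new_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh, unpredictable challenge for each attempt."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: compute the CHAP Response value (RFC 1994, section 4.1)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the response and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def derived_secret(password: str) -> bytes:
    """Hypothetical 'hashed secret' variant (assumption for illustration only):
    the stored shared secret is a digest of the password rather than the
    password itself. This is NOT MS-CHAP's real construction; it only shows
    that CHAP works just as well when the shared secret is not the cleartext."""
    return hashlib.sha256(password.encode()).digest()


def demo(password: str = "correct horse") -> dict:
    """Run one CHAP exchange with each kind of stored secret and report what
    a compromised secret store would and would not contain."""
    # Constructed fixed challenge so the demo is repeatable; use new_challenge() in practice.
    challenge = bytes.fromhex("0123456789abcdef0123456789abcdef")
    ident = 7
    results = {}

    # Variant 1: the stored shared secret is the cleartext password.
    store1 = password.encode()
    resp1 = chap_response(ident, store1, challenge)                       # peer
    results["cleartext_ok"] = chap_verify(ident, store1, challenge, resp1)  # authenticator
    results["cleartext_store_is_password"] = store1 == password.encode()

    # Variant 2: the stored shared secret is a digest of the password.
    store2 = derived_secret(password)
    resp2 = chap_response(ident, store2, challenge)
    results["derived_ok"] = chap_verify(ident, store2, challenge, resp2)
    results["derived_store_is_password"] = store2 == password.encode()

    # A response made with the wrong secret is rejected; both variants rely on
    # the stored value being kept confidential, since either end that loses it
    # loses this link's authentication. The only difference is whether the
    # leaked value is also the user's password, reusable elsewhere.
    results["wrong_secret_rejected"] = not chap_verify(ident, b"other-secret", challenge, resp1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see that both variants authenticate successfully and that only the cleartext variant leaves the password itself in the store; the defensive lesson is that CHAP secret stores on both ends need the same protection as password files, whichever form the secret takes.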