Great Circle Associates Firewalls
(February 1996)

Subject: Re: CHAP Authentication
From: Bob Bosen <bbosen @ netcom . com>
Date: Fri, 2 Feb 1996 15:36:32 -0800 (PST)
To: nicholscs @ agedwards . com
Cc: firewalls @ greatcircle . com
In-reply-to: <1996Feb02 . 132500 . 1093 . 27907 @ igate . agedwards . com>

On Fri, 2 Feb 1996 nicholscs @ agedwards . com wrote:

> 
> This is a general security related question relating to incoming 
> communications into a router.  Specifically a remote user dialing into a 
> router attached to an applications server.
> 
> I have to make an argument comparing/contrasting the security levels between 
> CHAP authentication and Token Authentication.  The argument has been 
> successfully made that Token authentication is generally considered to 
> provide superior authentication.  From a management viewpoint the question 
> becomes - CHAP is basically free (manhours and implementation) vs. Token 
> which can be expensive - therefore tell us why CHAP is inferior to Tokens 
> for perimeter security?
> 
> What threats does CHAP pose?  Has CHAP been successfully penetrated?  By 
> what methods?
> 
> I have read the RFC's on PPP and Authentication but am still unable to apply 
> this to a real world threat.
> 
> Thanks,
> 
> Chris
> nicholscs @ agedwards . com
> 


CHAP is usually implemented to provide "node" authentication. It gives a
reliable indication of the node from which an access request originates (or
the nearest link in some cases). You can generally determine whether
CHAP goes beyond node authentication by asking yourself this question:

"Does the authorized user get personally involved in this CHAP signon
(by entering a PIN or somesuch) every time access is requested?"

If the answer to that question is "no", then your CHAP implementation is
probably being performed automatically by the routers or commserver equipment
involved at both ends of the links being authenticated. This is the usual
and conventional way that CHAP has come to be used.

"Token-based" authentication is generally much more personal. The individual
user is directly involved in operating the authenticator and usually has to
enter a PIN or at least an additional password, every time. You know he's
there, alive and thinking. It's less convenient, but more secure.

Now let's look at a typical scenario:

Suppose your Commserver implements CHAP authentication transparently and
you allow your employees to telecommute into your LAN. Now suppose one or
more of your employees has teenaged kids that know how to operate a computer.
When your router authenticates your employee's computer in his home, it can't
tell whether it's your employee or his teenaged sibling knocking on the door.
Now suppose your employee has a LAN in his home. How good is that security?
Does his LAN reach out to other LANs? Can his modem SLIP or PPP out to
a commercial Internet provider? Have you just joined your corporate network
with the entire world? With the usual transparent CHAP implementations, you
should probably be worrying about all of the above. With token-based
authentication, you can reasonably tell your employee that every time a
session begins between your corporate LAN and his PC (or home LAN), you
know he will be personally present, and you can hold him personally
responsible for the reasonable activities he is expected to perform, until
he takes the link down. If he also uses that token when at the office,
you can be reasonably sure he'll keep it with him wherever he goes. That
will deny access to your LAN from his kids or from whoever can hop through
his PC while he's not there.

That's the way I see it (and I'm biased!)


Regards,




Bob Bosen
Enigma Logic Inc.
2151 Salvio St. #301
Concord, CA   94520
USA

Tel: +1 510 827-5707
Internet: bbosen @ netcom . com
http://www.safeword.com
ftp://ftp.safeword.com/download/
**************************************************************************
* "It wasn't me!!! Somebody must have captured my username/password!!!"  *
**************************************************************************
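An added illustration of the "node authentication" point made above; this is example code written for this archive page, not Bob's or Enigma Logic's. It walks through one CHAP exchange using the RFC 1994 construction (MD5 over Identifier, secret and Challenge), with the PPP secret sitting in the home router's configuration, so the router answers for whoever is behind it. The peer name, secret and "person at the keyboard" labels are constructed values.

```python
import hashlib
import hmac
import os

# Constructed values: the commserver's table of per-node secrets, and the
# home router's own stored configuration (same secret, as CHAP requires).
PEER_SECRETS = {"home-router-of-employee": b"example-ppp-secret"}
ROUTER_CONFIG = {"name": "home-router-of-employee", "secret": b"example-ppp-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def commserver_challenge() -> tuple:
    """Commserver side: pick a fresh identifier and a random challenge."""
    return os.urandom(1)[0], os.urandom(16)


def home_router_answer(identifier: int, challenge: bytes) -> tuple:
    """Peer side: the router replies from its config; nobody is asked for a PIN."""
    return ROUTER_CONFIG["name"], chap_response(identifier, ROUTER_CONFIG["secret"], challenge)


def commserver_verify(identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
    """Success proves only that some node holding `name`'s secret answered."""
    secret = PEER_SECRETS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def session(person_at_keyboard: str) -> bool:
    """One CHAP session. The person's identity is never consulted: the node speaks."""
    ident, chal = commserver_challenge()
    name, resp = home_router_answer(ident, chal)
    return commserver_verify(ident, chal, name, resp)


def who_gets_in() -> dict:
    """Everyone sending traffic through the authenticated node is let in alike."""
    return {p: session(p) for p in ("employee", "employee's teenager", "host hopping via his PC")}
```

The transparent setup passes the employee and anyone else on the home LAN identically; a token-based signon would at least require a PIN from a live person at that point.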
