authenticate against SHA2 hash in EAP-MSCHAPv2

Stefan Winter stefan.winter at restena.lu
Wed Feb 28 12:36:28 CET 2018


Hello,

> - How can I make authentication protocol X work with passwords stored as Y?
> - You can't.
> 
> it's magic, thank you.

No, it's mathematics.

MSCHAP hashing destroys the cleartext password, and you can never get it
back.

SHA2 hashing destroys the cleartext password in a different way, you can
never get it back, and it is totally unrelated to what MSCHAP produces.

So,
- comparisons between cleartext and MSCHAP work: apply MSCHAP to
cleartext and compare results
- comparisons between cleartext and SHA2 work: apply SHA2 to cleartext
and compare results
- comparisons between MSCHAP and SHA2 do not work: two different
variants of gibberish are incomparable

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
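The three comparisons listed in the message, as an added example that is not part of the original post. It assumes "MSCHAP hashing" means the NT hash (MD4 over the UTF-16LE password) that MSCHAPv2 responses are computed from, and unsalted SHA-256 for "SHA2"; `compare`, `DERIVE` and the sample password are hypothetical names and values.

```python
import hashlib, hmac, struct

R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bits = struct.pack("<Q", len(msg) * 8)
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + bits
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:      # round 1
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2
                f, k = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4
                s, add = (3, 5, 9, 13)[i % 4], 0x5A827999
            else:           # round 3
                f, k = b ^ c ^ d, R3_ORDER[i - 32]
                s, add = (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = (a + f + x[k] + add) & 0xFFFFFFFF
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF, b, c
        h = [(p + q) & 0xFFFFFFFF for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(pw: str) -> bytes:
    # What MSCHAPv2 works from: MD4 over the UTF-16LE password.
    return md4(pw.encode("utf-16-le"))

def sha2_hash(pw: str) -> bytes:
    # Unsalted SHA-256, standing in for "stored as SHA2" (assumption).
    return hashlib.sha256(pw.encode("utf-8")).digest()

DERIVE = {"nt": nt_hash, "sha2": sha2_hash}

def compare(stored_kind, stored, given_kind, given):
    """True/False if the two values can be compared, None if they cannot."""
    if given_kind == "cleartext":      # apply the stored hash to the cleartext
        return hmac.compare_digest(DERIVE[stored_kind](given), stored)
    if given_kind == stored_kind:      # same one-way function on both sides
        return hmac.compare_digest(given, stored)
    return None                        # nothing maps one digest to the other

PW = "correct horse"                   # constructed sample password
print(compare("nt", nt_hash(PW), "cleartext", PW))      # cleartext vs MSCHAP
print(compare("sha2", sha2_hash(PW), "cleartext", PW))  # cleartext vs SHA2
print(compare("sha2", sha2_hash(PW), "nt", nt_hash(PW)))  # MSCHAP vs SHA2
```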