PAP vs CHAP. Is PAP less secure?

There's a lot of bad advice out there.

One of the most common questions about RADIUS security asks “Is PAP secure?” The usual answer is “no”, which is (in our opinion) seriously misleading. A better answer is “Here’s a comparison of PAP and CHAP, so that you can make an informed decision for yourself”. The end result? It may not be what you think!

There is a lot of confusion around the security of PAP versus CHAP. While there are many web sites which claim to compare the security of these two authentication methods, most of these comparisons are shockingly wrong. We are writing this and other articles in order to correct the misconceptions around PAP vs CHAP. We will go through the misconceptions one by one, explain why they’re wrong, and give the real answer.

The points below are summarized from a variety of other sites which give the poor advice about PAP versus CHAP. We won’t link to the sites which contain these misconceptions. There is no reason to give them additional traffic or page ranking.

Claim: PAP is a two-step process, CHAP is a three-step process

This point has very little to do with security, of course. Worse, this statement is true only for the PPP link between the end-user system and the NAS. Both PAP and CHAP end up in a RADIUS Access-Request packet, which gets an Access-Accept (or Access-Reject) reply.

Which means that when we look at how PAP and CHAP are used outside of that single PPP link, they are both a two-step process.

Claim: CHAP can do multiple authentications per session, and PAP cannot.

It is true that RFC 1994 Section 2 says that in PPP, any CHAP authentication “is done upon initial link establishment, and MAY be repeated anytime after the link has been established.” (emphasis in original).

However, this statement is not true for RADIUS. There are no provisions in RADIUS for a user to re-authenticate in the middle of a session.

Which means that when RADIUS is being used, both PAP and CHAP authenticate the user once, and that’s that.

Claim: CHAP is more secure, as the passwords are encrypted, while PAP sends passwords in the clear

This statement is true only for limited scenarios. Most of the time this claim is seriously misleading, if not outright wrong.

It is true that when PPP is used, the PAP passwords are sent over the PPP link in “the clear”. However, this statement is not true for every other situation where PAP is used.

When a PAP password is sent in a RADIUS packet, the password is encrypted using the shared secret. It is therefore impossible for an attacker to see the PAP password in a RADIUS packet. (Despite that security, we still recommend using RADIUS over TLS or IPSec, for a host of reasons.)
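The hiding of the User-Password attribute described above follows RFC 2865 section 5.2. The following is an added illustration, not code from Network RADIUS or FreeRADIUS: the password is padded to a multiple of 16 bytes and each block is XORed with MD5(shared secret + previous block), the first block using the 16-byte Request Authenticator. The secret and authenticator values in the test are constructed.

```python
import hashlib


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR each 16-byte block with MD5(secret + previous block).
    For the first block the Request Authenticator stands in for the
    'previous block'; for later blocks it is the previous ciphertext block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(block, key))
        out += cipher
        prev = cipher  # chaining: next key depends on this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it.
    Without the shared secret the MD5 key stream cannot be regenerated,
    which is why an on-path observer cannot read the PAP password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher, key))
        prev = cipher
    # Strip the NUL padding added on the sending side (RFC 2865 pads with NULs,
    # so passwords containing trailing NUL bytes are not representable).
    return bytes(out).rstrip(b"\x00")
```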

The truth is that protocol designers aren’t stupid. If a protocol needs to send PAP passwords, those passwords are almost always encrypted and/or secured via TLS. The only time the passwords aren’t secure is in historical protocols such as PPP, which are used in very limited situations, where the links are physically secure.

In fact, this is the main place where people can “sniff” cleartext PAP passwords: the DSL link between a home router and your ISP. In contrast, when CHAP is used, the database must contain all users’ clear-text passwords. All of the time.

So you have to ask yourself, what’s more likely: that someone will “tap” your local phone line and steal one password? Or that someone will attack your local ISP, and steal all of the users’ clear-text passwords from its database?

Before you jump into giving an answer, we suggest checking the Have I been pwned site. There is a high probability that one or more of your accounts are already listed there.

The problem of an ISP or enterprise losing its password database is made worse by the issues discussed in the how authentication protocols work and protocol compatibility pages. Without repeating those articles, using CHAP means that all passwords have to be stored as clear-text in the database. Whereas using PAP means that passwords can be stored securely in the database.

When passwords are stored securely in the database, then it matters a lot less if an attacker steals a copy of the database. Modern password storage methods make it extremely difficult for an attacker to run “brute-force” cracking tools on stolen passwords.

Which means that for almost all possible situations it is much more secure to use PAP rather than CHAP.
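The storage trade-off above, and the later point that CHAP sends a version of the password over the link, can both be seen in the server-side verification step. This is an added illustration, not FreeRADIUS code: a PAP server only needs a salted PBKDF2 hash to check the password it received, whereas a CHAP server must recompute MD5(Identifier || password || Challenge) from RFC 1994 and therefore has to keep the clear-text password. The PBKDF2 iteration count and the sample passwords and challenge are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for this example


def pap_record(password: bytes) -> dict:
    """Database entry for a PAP-only user: a salted PBKDF2-SHA256 hash.
    The clear-text password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return {"auth": "pap", "salt": salt, "hash": digest}


def chap_record(password: bytes) -> dict:
    """Database entry for a CHAP user: the clear-text password itself,
    because the server has to recompute MD5(id || password || challenge)."""
    return {"auth": "chap", "cleartext": password}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge).
    Everything except 'secret' travels over the link in the clear."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_pap(record: dict, password: bytes) -> bool:
    """Server side for PAP: hash the received password and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def verify_chap(record: dict, ident: int, challenge: bytes, response: bytes) -> bool:
    """Server side for CHAP: only possible with the clear-text password.
    A hash-only record cannot be used at all."""
    if record["auth"] != "chap":
        raise ValueError("CHAP cannot be verified against a hashed password record")
    expected = chap_response(ident, record["cleartext"], challenge)
    return hmac.compare_digest(expected, response)


def stolen_record_reveals_password(record: dict) -> bool:
    """True when a copy of this record hands an attacker the password
    directly, with no cracking step at all."""
    return "cleartext" in record
```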

Claim: CHAP sends encrypted usernames and passwords, while PAP sends unencrypted usernames and passwords

This statement is wrong.

CHAP does not encrypt user names.

This statement is simply bizarre.

CHAP does send a version of the password over the link. Anyone who says otherwise is seriously confused about how CHAP works. An attacker who can see the PAP password (over PPP) can also see the entire CHAP exchange, too.

An attacker who can observe the PPP link can still crack CHAP authentication via “brute-force” attacks. Which means that this comparison is simply wrong, and misleading.

Claim: CHAP protects from trial-and-error attacks, PAP does not.

This statement is also wrong.

There are no provisions in PPP / CHAP for preventing “brute force” trial and error attacks. Anyone can try to log in again and again, either with CHAP or with PAP. There are no differences between the two for trial-and-error attacks.

Claim: PAP is less widely used than CHAP, due to the insecurity of PAP

Our experience at Network RADIUS has been the opposite. PAP is much more widely used than CHAP.

We will give our recommended choice at the end of this article. Though we are sure that by now, you can probably guess which one we recommend.

Claim: CHAP authentication is done by both client and server, PAP is only done on the server side

This statement is wrong.

CHAP does not allow for a server to authenticate itself to a client or end-user machine.

The MS-CHAP authentication protocol allows for two-way authentication, but it has many of the same issues as CHAP.

Claim: PAP is only for authenticating users, CHAP can authenticate users or network hosts

It is not clear where this claim originates from, but it has nothing at all to do with network security.

Both CHAP and PAP are generally carried inside of PPP, which authenticates one end of the PPP link. The nature of PPP means that it can be used for any situation which requires authentication, user or network host.

Our Recommendation: PAP or CHAP?

As we have seen above, the typical claims about PAP versus CHAP security are wrong, misleading, confused, or just irrelevant.

But before we give our answer, we would like to give one additional point about why we are making this particular recommendation.

The truth is that network security is about the security of your entire network. You cannot look at one piece in isolation, and declare “this one thing is secure, so the rest of the network must be secure, too”.

There are always trade-offs in security. A decision made for one part of the network can affect other parts of the same network. As a result, any purely “local” approach to network security is guaranteed to result in a less secure network.

So the real question we should be answering is not “which is more secure, PAP or CHAP?”. Instead, the question we should be answering is “Which one (PAP or CHAP) allows your entire network to be as secure as possible?”

The answer is, of course, PAP.

For people who understand the trade-offs between PAP and CHAP, this is the only answer. We always recommend that our customers use PAP instead of CHAP. We only configure systems with CHAP when, for historical reasons, the customer cannot use PAP.

Need more help?

Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.
