A common misconception is that PAP is less secure than other authentication protocols such as CHAP, MS-CHAP, or EAP-MSCHAP(v2). This perception arises because of a misunderstanding of how PAP is actually used. In fact, PAP is often the most secure authentication protocol option available, and it’s what we usually recommend people use.
How can clear-text be secure?
PAP is said to transmit passwords in clear-text. This is the information which makes people believe that PAP is insecure. After all, how can clear-text be secure?
The truth is that PAP does not transmit passwords in clear-text over the network. This critical point is usually overlooked.
The only part of the authentication process where PAP is transmitted “unprotected” is between the customer DSL equipment and the NAS (see Figure 1). Although it is technically possible to intercept this communication, it requires physical access to the wires between the customer and the ISP.
While this physical obstacle does not completely eliminate the risk of intercepting the password, the reality is that in practice, the risk is negligible. The only groups that are remotely likely to conduct covert operations that involve sneaking onto premises are government actors. This type of espionage is out of reach for your average hacker.
It’s also too expensive for the average attacker to drive to your house and hook up equipment to your DSL line.
The average hacker is much more likely to target the user database from the comfort of their own home, rather than risk sneaking onto your home or business property. By far, the most common way to get people’s passwords is by breaking into the database which stores passwords.
In the event of a database breach, using PAP in your RADIUS ecosystem provides far better security than other protocol options. This is because when you use PAP, passwords can be stored in salted / hashed form. This is the most secure form of password storage. It means that if (or when) an attacker copies the database contents, they cannot use that information to “crack” people’s passwords.
In contrast, when you use CHAP, passwords must be stored in the database in plain-text format (see Figure 2). This means that if an attacker copies the database contents, they can see everyone’s password in the clear! It’s hard to imagine anything worse for security than having your password stolen.
It is important to note that this is not because of any inherent insecurity within the CHAP protocol itself, but because of the constraints it puts on how passwords are stored in the database.
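As an added illustration (not code from this article or from FreeRADIUS), the following Python shows where the storage constraint comes from: a PAP server receives the password itself and can check it against a salted hash, while a CHAP server must recompute the RFC 1994 response MD5(Identifier || Secret || Challenge) and therefore needs the clear-text password in its database. The user record, identifier, challenge and password values are all constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # work factor for the stored PAP hash (constructed choice)


def make_pap_record(password: str) -> dict:
    """Store only a random salt and a PBKDF2 hash; the clear-text is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_pap(record: dict, password: str) -> bool:
    """PAP delivers the password itself, so the server can hash it and compare."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def chap_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def verify_chap(stored_cleartext: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """CHAP never sends the password. The server must recompute the MD5 response
    itself, which is only possible when it holds the clear-text password; a
    salted hash like the one in make_pap_record() cannot be used here."""
    expected = chap_response(identifier, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo values, not from any real deployment.
    pw = "correct horse battery staple"
    record = make_pap_record(pw)
    print("PAP verified against salted hash:", verify_pap(record, pw))
    challenge = os.urandom(16)
    resp = chap_response(7, pw, challenge)
    print("CHAP verified against clear-text:", verify_chap(pw, 7, challenge, resp))
```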
But what about WiFi / 802.1X?
Is PEAP+MS-CHAPv2 more secure than TTLS+PAP? After all, TTLS uses PAP, so it must be less secure, right?
No. TTLS+PAP is secure.
In fact, TTLS uses TLS encryption to protect your passwords when they are sent over the network. This is the same TLS encryption you use every day to log into web sites such as GMail, outlook.com, Facebook, etc. So if you trust TLS (via HTTPS) for your web surfing, you should also trust it for TTLS.
Choose your shared secrets wisely; they secure PAP!
When configuring FreeRADIUS, you must specify a “shared secret” between RADIUS and the NAS. This shared secret is used to secure the PAP passwords when they are sent over the network. A strong shared secret makes it difficult or impossible for an attacker to “crack” the passwords. We recommend a long (16 characters or more) and random shared secret. Don’t use dictionary words!
As we see in step 3 of Figure 1, the NAS uses MD5 to create an encryption key which is based on the shared secret. Many people will see that “MD5 is broken”, and will worry about the security of this operation, but there is no cause for alarm.
MD5 is not perfect, but the shared secret makes it OK to use. In fact, after over three decades of analysis, there has yet to be a vulnerability found with how RADIUS uses MD5. All of the discussions of “MD5 is cracked” are for using MD5 in different ways, where there is no shared secret.
There is an important caveat however. The security of the MD5 encryption depends significantly on the choice of the shared secret between RADIUS and the NAS. If the Shared Secret is a weak password such as “hello” or “123password”, then it can be decrypted by brute force methods. However, if the shared secret is a strong choice such as Lf34^_QrTB*wbec0, then it cannot be practically broken.
In the FreeRADIUS default distribution, the default shared secret is testing123. Be sure to only use this shared secret for testing purposes, and to change it as soon as possible!
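To make concrete what the shared secret protects, here is an added Python example (not the article’s or FreeRADIUS’s code) of the RFC 2865 User-Password hiding that step 3 of Figure 1 refers to, together with a strength check that reflects the recommendations above. The password, Request Authenticator and deny list are constructed; the only secret values used are the ones quoted in this article.

```python
import hashlib
import secrets
import string


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then
    c(i) = p(i) XOR MD5(S || c(i-1)), with c(0) = the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_user_password(); both NAS and RADIUS server need S."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop the padding (and any trailing NULs)


# Constructed deny list: the weak examples from this article and the FreeRADIUS default.
WEAK_SECRETS = {"testing123", "hello", "123password"}


def shared_secret_is_strong(secret: str) -> bool:
    """16+ characters, at least three character classes, not a known weak value."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    mixed = sum(any(ch in cls for ch in secret) for cls in classes) >= 3
    return len(secret) >= 16 and secret not in WEAK_SECRETS and mixed


def generate_shared_secret(length: int = 24) -> str:
    """Random secret from the OS CSPRNG, regenerated until it passes the check."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if shared_secret_is_strong(candidate):
            return candidate
```

Decoding with the wrong secret yields garbage rather than an error, which is why the strength of the secret, not the MD5 construction itself, is what an attacker on the wire has to overcome.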
But I read that CHAP is more secure than PAP
It is true that much of the information online suggests that CHAP is more secure than PAP. However, many of the articles that make this claim contain half-truths, inaccuracies, and outright nonsense. See our recent article which debunks each of the claimed “facts” about PAP vs CHAP.
The bottom line
The most meaningful distinction between PAP and CHAP is really where clear text passwords are stored or transmitted. The distinction is not a naive repetition of “one is secure, and the other is not”.
When PAP is used, the most vulnerable part of your network is the physical wires between the customer and the ISP. Due to historical issues with PPP, the password is transmitted in clear text between these two points. Any attacker who can watch this link will only see one password.
When CHAP is used, the most vulnerable part of your network is your database, because the passwords must be stored there in clear text. Any attacker who gets into the database will see everyone’s passwords.
You already know this trade-off. Think back to the last dozen or so password breaches you read about in the media. How many of them were due to database breaches, and how many of them were due to physically intercepting traffic across wires? Database breaches are common, but we are hard pressed to find a single example of attackers breaking into networks by physically tapping into wires. That kind of attack is limited to governments with millions of dollars of equipment, and the movies.
The analysis we have done here is just one of the reasons we always recommend using PAP whenever possible. It’s more secure, it works in more situations, and it’s easier to use.
Need more help?
InkBridge Networks has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.