Re: [saag] Improving the CHAP protocol

Peter Gutmann <> Sat, 21 September 2019 17:35 UTC

From: Peter Gutmann <>
To: Maurizio Lombardi <>, "" <>
Date: Sat, 21 Sep 2019 17:35:35 +0000

I think many people in this thread are missing the purpose of the exercise.
CHAP is used because umpteen bajillion devices and systems need it, not
because it's a very good protocol.  It's insecure because it's CHAP, not
because it uses MD5.  Since it needs a one-way function, not a collision-
resistant function, any hash function is as good - or bad since CHAP isn't
very secure - as any other.  Switching from MD5 to polyquantumresistantind-
ccaprovable2048bithash will make no difference whatsoever to its security.

What the original poster asked for is something FIPS compliant.  If you want
to convince said umpteen bajillion devices to switch, you'd better use the
universal-standard FIPS-compliant hash algorithm that everything supports,
which is SHA-256, not a bunch of weirdo fashion-statement algorithms that
nothing supports, which is most of the other stuff that's been suggested.

Having said that, you'll have to accept that the vast majority of users will
keep going with MD5 more or less forever since there's no motive apart from
FIPS to change, so perhaps it'd be best to pitch the update RFC as "FIPS
compliance for CHAP" or something similar.
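As an added example (not part of the thread), here is the RFC 1994 response computation parameterised over the hash, with a toy authenticator showing what stays the same whichever hash is plugged in: the verifier must hold the cleartext secret, and replay resistance comes from fresh, single-use challenges rather than from the hash. The `Authenticator` class and `run_exchange` helper are assumptions for illustration, not code from any CHAP implementation.

```python
import hashlib
import hmac
import os


def chap_response(hash_name, identifier, secret, challenge):
    """Response Value per RFC 1994 s4.1: hash(Identifier || secret || Challenge).
    RFC 1994 fixes hash_name to MD5 (algorithm number 5); "sha256" is used
    here only to show that the protocol shape does not change."""
    h = hashlib.new(hash_name)
    h.update(bytes([identifier]) + secret + challenge)
    return h.digest()


class Authenticator:
    """Server side (assumed helper). It must keep the cleartext secret on file:
    the response is computed over the raw secret, so no choice of hash lets the
    verifier store a salted password hash instead."""

    def __init__(self, hash_name, secrets_on_file):
        self.hash_name = hash_name
        self.secrets = secrets_on_file   # name -> cleartext secret
        self.pending = {}                # identifier -> outstanding challenge

    def challenge(self, identifier):
        c = os.urandom(16)               # fresh and unpredictable per challenge
        self.pending[identifier] = c
        return c

    def verify(self, identifier, name, response):
        c = self.pending.pop(identifier, None)   # single use: a replay finds nothing
        if c is None or name not in self.secrets:
            return False
        expected = chap_response(self.hash_name, identifier, self.secrets[name], c)
        return hmac.compare_digest(expected, response)


def run_exchange(hash_name, name, peer_secret, secrets_on_file):
    """One challenge/response round trip plus a replay of the same response.
    Returns (first_result, replay_result, response_length)."""
    auth = Authenticator(hash_name, secrets_on_file)
    ident = 1
    chal = auth.challenge(ident)
    resp = chap_response(hash_name, ident, peer_secret, chal)
    first = auth.verify(ident, name, resp)
    replayed = auth.verify(ident, name, resp)
    return first, replayed, len(resp)
```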