Stopping Someone from Using Your License
(Password)
Although most everyone reading this book probably has a valid
driver's license, some people use fake, illegal driver's licenses. One way to
make a fake driver's license work well, even when you are pulled over by a
policeman, is to use a name and driver's license number of someone who has a
real, valid driver's license.
Sending your passwords using PAP is similar to letting everyone
know your driver's license number. It's not likely that someone will make a fake
driver's license using your number right away, but you are exposed to the
possibility. PAP sends the username and password in clear-text. That means anyone with
the right tools can actually read your username and password, as clear as you
can see the words on this page. Remember: The cable over which your packets flow
is between your house and the central office (CO), so it's not too hard to
imagine that someone could gain physical access to your phone line and figure
out the data you are sending over the wire. All someone would have to do is walk
up to the side of your house and use the right tools, and he would know what
bits you are sending to and from the Internet.
People can use tools to see your frames that cross a LAN as
well. You can attach a type of device called a network analysis
tool, often called a sniffer, to a LAN to capture the
frames crossing the LAN. If the protocols that transfer the usernames and
passwords worked like PAP, and sent the passwords as clear-text, people could
find your passwords using a sniffer. I have seen passwords dozens of times while
using a sniffer (without trying)it's that easy. (Sniffer is a trademark of the
Network Associates Corp.; the word sniffer is
somewhat synonymous with this type of analysis and packet capture tool.) You can
download free analysis tools from Internet sites and make any PC work like a
sniffer.
To protect against password theft, CHAP does not send the
password as clear-text. Many application protocols also work similarly to CHAP,
not sending the passwords in clear-text. So, whether your PC is offered a
username and password prompt when you connect to the Internet, or whether you
are providing a password to a web server, the protocols often don't send the
password as clear text.
The process of using CHAP starts when the ISP customer first
connects to the ISP. With modems, that occurs when the customer clicks something
on the computer that causes the modem to call a phone number at the ISP. With
DSL, that happens as soon as the DSL modem comes up again after being powered
off. Outwardly, the user experiences the same thing: He is prompted for his
username (Fred) and password (b0Wling). (Some users set up their software so
that they type in the username and password once, and then it's saved, so you
might not be prompted every time you connect to the Internet.) If the username
and password are correct and the account is current/paid, the ISP approves the
connection. If the username or password are wrong, the ISP typically hangs up if
it's a modem connection; if it's a DSL connection, the ISP just doesn't allow
the PPP data link protocol to keep working. Regardless of the detail, as with
other authetication tasks, the user can continue working only if the username
and password are correct.
CHAP has many useful features, including a way to prevent the
password from being by someone using a sniffer. Figure 17-5 shows several steps about what happens behind
the scenes with CHAP, including how it keeps the password private.
Sections
Comments (0 posted)
Syndication
