2011-04-09

iPAP

Slight surprise this week...

Getting data SIMs working better has been fun... proper username/password authentication as well as routed legacy IPv4. One day IPv6 I am sure...

But the systems did not cope, and one point that was in fact my bad was the handling of PAP. It's the 21st Century FFS - who does PAP?!?!

OK, and aside for the less technical: When you specify a user name and password for something it is quite common for that information to have to pass through several layers of communications to confirm you are who you say you are. You dont ideally want people to over hear that. There are two main ways to do this:-

CHAP:  (Challenge/Handshake Authentication Protocol). This involves cryptography, but basically means that you (and your 'device') know the password you provided (unavoidable) and so does the far end that is doing the checking. Nobody in between can see it or reproduce it later. In simple terms, imaging you have a Who goes there? whats the password? scenario. Instead of saying the password is "sesame" which someone could over hear and then come along later and repeat, you have "What is password 42?" and the answer is "sesame". Then later someone else comes along and is asked "What is password 69?" and they do not know as it is a different answer that is requited. Yes, cryptography is way more complex, but you get the idea - a challenge is given and a challenge specific answer is returned which can't then be used by someone else.

PAP: (Password Authentication Protocol). This is the Whats the password? and the reply "sesame". Someone can repeat it later. All those involved in passing on the messages get to know the password and could use it themselves. Messy.

Technically PAP as one advantage that the side doing the checking can use a hash, so they do not themselves need to know the password, but can check it is right. With CHAP they have to know the password to check it. But it is only the endpoints in CHAP so way safer as generally the logic is the end points trust each other.

So, turned on, and all falls over, my iPad will not work, and why?

Given a choice, an iPad will use PAP on the mobile data side!

WTF? Anyway this has lead to some reading of RFCs and some work on the LNS and a hurried test and release of new code, which works, and data SIMs work. PAP now works on the LNS... :-)

WTF do apple prefer PAP to CHAP?

No comments:

Post a Comment

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Fencing

Bit of fun... We usually put up some Christmas lights on the house - some fairy lights on the metal fencing at the front, but a pain as mean...