Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Authentication protocol
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Authentication protocols developed for PPP [[Point-to-Point Protocol]]=== Protocols are used mainly by [[Point-to-Point Protocol]] (PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them use a password as the cornerstone of the authentication. In most cases, the password has to be shared between the communicating entities in advance.<ref>{{cite CiteSeerX|title = Public-key cryptography and password protocols|last = Halevi|first = Shai| year=1998 | pages=230–268 |citeseerx = 10.1.1.45.6423}}</ref> [[File:PAP 2way handshake.png|thumb|PAP 2-way handshake scheme|461x461px]] ====PAP - Password Authentication Protocol==== [[Password Authentication Protocol]] is one of the oldest authentication protocols. Authentication is initialized by the client sending a packet with [[credentials]] (username and password) at the beginning of the connection, with the client repeating the authentication request until acknowledgement is received.<ref>{{cite web|url = http://data.cedupoint.cz/oppa_e-learning/2_KME/044.pdf|title = Autentizacní telekomunikacních a datových sítích|access-date = 31 October 2015|publisher = CVUT Prague|last = Vanek|first = Tomas|archive-url = https://web.archive.org/web/20160304080620/http://data.cedupoint.cz/oppa_e-learning/2_KME/044.pdf|archive-date = 4 March 2016|url-status = dead}}</ref> It is highly insecure because credentials are sent "[[Plaintext|in the clear]]" and repeatedly, making it vulnerable even to the most simple attacks like [[eavesdropping]] and [[man-in-the-middle]] based attacks. Although widely supported, it is specified that if an implementation offers a stronger authentication method, that method ''must'' be offered before PAP. Mixed authentication (e.g. the same client alternately using both PAP and CHAP) is also not expected, as the CHAP authentication would be compromised by PAP sending the password in plain-text. ====CHAP - [[Challenge-handshake authentication protocol]]==== The authentication process in this protocol is always initiated by the server/host and can be performed anytime during the session, even repeatedly. The server sends a random string (usually 128B long). The client uses the password and the string received as input to a hash function and then sends the result together with username in plain text. The server uses the username to apply the same function and compares the calculated and received hash. An authentication is successful when the calculated and received hashes match. ====[[Extensible Authentication Protocol|EAP - Extensible Authentication Protocol]]==== EAP was originally developed for PPP(Point-to-Point Protocol) but today is widely used in [[IEEE 802.3]], [[IEEE 802.11]](WiFi) or [[IEEE 802.16]] as a part of [[IEEE 802.1x]] authentication framework. The latest version is standardized in RFC 5247. The advantage of EAP is that it is only a general authentication framework for client-server authentication - the specific way of authentication is defined in its many versions called EAP-methods. More than 40 EAP-methods exist, the most common are: *[[EAP-MD5]] *[[EAP-TLS]] *[[EAP-TTLS]] *[[EAP-FAST]] *EAP-[[Protected Extensible Authentication Protocol|PEAP]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)