Authentication Protocols and Framework
PAP & CHAP
- PAP – Password Authentication Protocol – Very weak – sends username and password in cleartext
- CHAP – Challenge-Handshake Authentication Protocol – uses a pre-shared secret. Does not expose the cleartext password, and is not susceptible to cleartext attack
To authenticate, the client first creates an initial (unauthenticated) connection via LCP (Link Control Protocol). The server then begins the 3-way CHAP authentication process:
- Server sends a challenge, which is a small random string (nonce).
- The user takes the challenge string and the password, hashes them with a hash function such as MD5, and sends the resulting hash value back to the CHAP server as the response
- The CHAP server also hashes the password and challenge to create the expected response, and compares it with the response received from the user.
If the responses are identical, the user must have entered the appropriate password and is authenticated. The CHAP server may periodically re-authenticate by sending a new challenge; otherwise an attacker could replay an older response. The one drawback is that the pre-shared secret is stored in plaintext on the CHAP server.
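The three-way exchange above worked through in Python, as an added example that is not part of the original notes. It follows the RFC 1994 MD5 construction (Response = MD5(Identifier || Secret || Challenge)); the user name, secret and 16-byte nonce length are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample credential store. CHAP requires the plaintext secret on the
# server side, which is the drawback the notes above mention.
SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    # RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}      # username -> (identifier, challenge) awaiting a reply
        self.identifier = 0    # one-byte CHAP identifier, incremented per challenge

    def challenge(self, username):
        # Step 1: a fresh random nonce for every authentication round
        self.identifier = (self.identifier + 1) % 256
        nonce = os.urandom(16)
        self.pending[username] = (self.identifier, nonce)
        return self.identifier, nonce

    def verify(self, username, identifier, response):
        # Step 3: recompute the expected response and compare in constant time
        if username not in self.secrets or username not in self.pending:
            return False
        expected_id, nonce = self.pending.pop(username)   # each challenge answered once
        if identifier != expected_id:
            return False
        expected = chap_response(identifier, self.secrets[username], nonce)
        return hmac.compare_digest(expected, response)


def demo():
    server = ChapServer(SECRETS)
    # Step 2: the client answers the challenge with its copy of the secret
    ident, nonce = server.challenge("alice")
    resp = chap_response(ident, SECRETS["alice"], nonce)
    ok = server.verify("alice", ident, resp)
    # Re-authentication issues a new nonce, so replaying the old response fails
    ident2, _ = server.challenge("alice")
    replayed = server.verify("alice", ident2, resp)
    # A wrong secret yields a different hash and is rejected
    ident3, nonce3 = server.challenge("alice")
    wrong = server.verify("alice", ident3, chap_response(ident3, b"wrong", nonce3))
    return ok, replayed, wrong
```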
802.1x and EAP
- 802.1x – Port based network access control
- EAP – Extensible Authentication Protocol – a framework that describes many specific authentication protocols – designed to authenticate at layer 2 (both wired and wireless)
- Supplicant – 802.1x client
- Authentication Server – Server that authenticates supplicant
- Authenticator – Device such as AP or switch that allows supplicant to authenticate and connect
Types of EAP
- EAP-MD5 – Weakest, client to server authentication only – susceptible to MitM and password cracking
- LEAP – Lightweight EAP – Cisco proprietary. Has significant security flaws
- EAP-FAST – EAP Flexible Authentication via Secure Tunneling – Designed by Cisco to replace LEAP; uses a PAC (protected access control) acting as a pre-shared key
- EAP-TLS – EAP Transport Layer Security – uses PKI (requires client and server certificates). Very secure, but complex and costly
- EAP-TTLS – EAP Tunneled Transport layer security – Developed by Funk and Certicom. Simplifies EAP-TLS by dropping need for client side certificates
- PEAP – Protected EAP – Developed by Cisco, Microsoft and RSA. Like EAP-TTLS does not require client side certs
Virtual private networks (VPNs) secure data sent over insecure networks, combining secure authentication, cryptographic hashes to provide integrity and ciphers to provide confidentiality.
SLIP and PPP
- SLIP – Serial line internet protocol – Layer 2 protocol that provides IP connectivity via asynchronous connections such as serial lines and modems. It allowed for routing packets via modem links
- PPP – Point to Point Protocol – designed to replace SLIP and is based on HDLC. Adds Confidentiality, Integrity and Authentication
PPTP and L2TP
- PPTP – Point to Point tunneling protocol – tunnels PPP via IP. Uses GRE to pass PPP via IP and TCP for control channel (TCP/1723)
- L2TP – Layer 2 Tunneling Protocol – combines PPTP and L2F (Layer 2 Forwarding). Focuses on authentication and does not provide confidentiality, so it is frequently used with IPsec to provide encryption. Can be used on non-IP networks such as ATM.
IPv4 has no built-in confidentiality, unlike IPv6; IPsec has been ported to IPv4 to achieve that. IPsec is a suite of protocols: ESP (encapsulating security protocol – IP protocol 50) and Authentication Header (AH – IP protocol 51). IPsec VPN architectures:
- Host to gateway – client mode – VPN client
- Gateway to Gateway – point to point shared routable connection
- Host to Host – connects two systems to each other.
Tunnel and Transport Mode
- Tunnel Mode – Provides confidentiality (ESP) and/or authentication (AH) for the entire packet, including the original IP headers. New IP headers are added with the source and destination addresses of the IPsec gateways
- Transport Mode – protects the IP payload only, leaving the original IP headers unprotected
SSL and TLS
SSL was designed to protect HTTP data. HTTPS uses port 443. TLS is the latest version of SSL; the current version is TLS 1.2. It can be used for VPN connections and is simpler than IPsec, as IPsec makes fundamental changes to IP networking and requires superuser privileges to modify the OS. IPsec is also difficult to firewall, unlike SSL.
Integrated Services Digital Network (ISDN) was an earlier attempt to provide last-mile digital service over copper pairs via POTS. ISDN devices are called terminals. ISDN Basic Data Rate (BRI) service provides two 64K digital channels plus a 16K signalling channel. A PRI (Primary Rate Interface) provides 23 64K channels and one 16K signalling channel.
Digital Subscriber Line (DSL) provides a last-mile solution using existing copper pairs.
| Service | Rate | Notes |
|---|---|---|
| BRI | 128 Kbps | ISDN 2 × 64K B + 1 × 16K D |
| PRI (NA) | 1.480 Mbps | ISDN 23B+1D (all 64K) ~ T1 |
| PRI (EUR) | 1.930 Mbps | ISDN 30B+1D (all 64K) ~ E1 |
| ADSL | | Asymmetric Digital Subscriber Line – non-matching send/receive transmission rates |
| HDSL | 784+ Kbps | Typically matching send/receive rates, can reach T1 speeds |
| SDSL | 768 Kbps | Single Line Digital Subscriber Line, aka HDSL2 |
| VDSL | | Very high rate Digital Subscriber Line |