Authentication Protocols


Two primary technologies are required for securing data transmissions: encryption and authentication. Encryption was discussed earlier; in this section, authentication protocols are reviewed.

When designing a remote connection strategy, it is critical to consider how remote users will be authenticated. Authentication defines the way in which a remote client and server negotiate a user's credentials when the user tries to gain access to the network. Depending on the operating system used and the type of remote access involved, several different protocols are used to authenticate a user. The following authentication protocols are used with various technologies, including PPP:

  • Challenge Handshake Authentication Protocol (CHAP): CHAP is an authentication system that uses the MD5 hashing scheme to secure authentication responses. CHAP is a commonly used protocol, and as the name suggests, anyone trying to connect is challenged for authentication information. When the correct information is supplied, the systems "shake hands," and the connection is established.

  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): MS-CHAP, based on CHAP, was developed to authenticate remote Windows-based workstations. There are two versions of MS-CHAP; the main difference between them is that MS-CHAP version 2 offers mutual authentication, meaning that both the client and the server must prove their identities during the authentication process. This ensures that the client is connecting to the expected server.

  • Password Authentication Protocol (PAP): PAP is the least secure of these authentication methods because it sends passwords unencrypted. PAP is often not the first choice of protocol; rather, it is used when more sophisticated types of authentication fail between a server and a workstation.

  • Extensible Authentication Protocol (EAP): EAP is an extension to standard PPP. EAP adds support for a variety of authentication schemes, including smart cards. It is often used with VPNs to add protection against brute-force or dictionary attacks.

  • Shiva Password Authentication Protocol (SPAP): SPAP is an encrypting authentication protocol used by Shiva remote access servers. SPAP offers a higher level of security than authentication protocols such as PAP, but it is not as secure as CHAP.

Remote Authentication Dial-In User Service (RADIUS)

Among the potential issues network administrators face when implementing remote access are utilization and the load on the remote access server. As a network's remote access implementation grows, reliance on a single remote access server might be impossible, and additional servers might be required. RADIUS can help in this scenario.

RADIUS is a protocol that enables a single server to become responsible for all remote access authentication, authorization, and auditing (or accounting) services. The RADIUS protocol can be implemented as a vendor-specific product such as Microsoft's Internet Authentication Server (IAS).

RADIUS functions as a client/server system. The remote user dials in to the remote access server, which acts as the RADIUS client, or network access server (NAS), and that server in turn connects to a RADIUS server. The RADIUS server performs the authentication, authorization, and auditing (or accounting) functions and returns the result to the RADIUS client (the remote access server running RADIUS client software); the connection is either established or rejected based on the information received.
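The CHAP challenge/response from the list above and the NAS-to-RADIUS-server exchange just described, worked end to end as an added example (not code from the book): the NAS issues the challenge, the user's CHAP response travels to the RADIUS server in an Access-Request, and the server answers Access-Accept or Access-Reject, which the NAS verifies before establishing the connection. Packet codes and attribute types follow RFC 2865 and the response computation follows RFC 1994; the shared secret, user name, user secret and CHAP identifier are constructed, and the NAS reuses the Request Authenticator as the CHAP challenge (which RFC 2865 permits when no CHAP-Challenge attribute is sent).

```python
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, CHAP_PASSWORD = 1, 3                          # RFC 2865 attribute types
RADIUS_SECRET = b"nas-to-radius-shared-secret"           # constructed NAS<->server secret
USER_DB = {b"alice": b"alice-chap-secret"}               # constructed user -> CHAP secret

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return bytes([atype, 2 + len(value)]) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """RADIUS packet: Code, Identifier, 2-byte Length, 16-byte Authenticator, Attributes."""
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(packet(code, ident, req_auth, attrs) + secret).digest()

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(Identifier | secret | challenge); the secret itself never crosses the wire."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def nas_build_request(ident: int, user: bytes, chap_secret: bytes) -> bytes:
    """NAS (RADIUS client): the random Request Authenticator doubles as the CHAP challenge."""
    req_auth = os.urandom(16)
    chap = bytes([7]) + chap_response(7, chap_secret, req_auth)   # CHAP identifier 7 (constructed)
    return packet(ACCESS_REQUEST, ident, req_auth, attr(USER_NAME, user) + attr(CHAP_PASSWORD, chap))

def radius_server_handle(request: bytes, secret: bytes = RADIUS_SECRET) -> bytes:
    """RADIUS server: recompute the CHAP response from its own copy of the user's secret."""
    ident, req_auth, attrs = request[1], request[4:20], request[20:]
    fields, pos = {}, 0
    while pos < len(attrs):                      # walk the Type/Length/Value list
        fields[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    user, chap = fields.get(USER_NAME, b""), fields.get(CHAP_PASSWORD, b"\x00")
    expected = chap_response(chap[0], USER_DB.get(user, b""), req_auth)
    ok = user in USER_DB and hmac.compare_digest(expected, chap[1:])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")

def nas_accept_reply(request: bytes, reply: bytes, secret: bytes = RADIUS_SECRET) -> bool:
    """NAS: connect only on an Access-Accept whose Response Authenticator proves the shared secret."""
    expected = response_authenticator(reply[0], reply[1], request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20]) and reply[0] == ACCESS_ACCEPT
```

Because the NAS checks the Response Authenticator against the shared secret, an Access-Accept produced by anyone who does not hold that secret is discarded, and a captured CHAP response replayed against a fresh Request Authenticator is rejected by the server.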

Kerberos

Seasoned administrators can tell you about the risks of sending clear-text, unencrypted passwords across any network. The Kerberos network authentication protocol is designed to ensure that the data sent across networks is safe from attack. Its purpose is to provide authentication for client/server applications.

Kerberos authentication works by assigning a unique key (called a ticket) to each client that successfully authenticates to a server. The ticket is encrypted and contains the password of the user, which is used to verify the user's identity when a particular network service is requested.

Kerberos was created at Massachusetts Institute of Technology to provide a solution to network security issues. With Kerberos, the client must prove its identity to the server, and the server must also prove its identity to the client. Kerberos provides a method to verify the identity of a computer system over an insecure network connection.

For the exam, you should know that the security tokens used in Kerberos are known as tickets.


Kerberos is distributed freely, as is its source code, allowing anyone interested to view the source code directly. Kerberos is also available from many different vendors that provide additional support for its use.


    Network+ Exam Cram 2
    ISBN: 078974905X
    Year: 2003
    Pages: 194