Authentication protocol: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 01:02, 10 May 2021 edit Oshwah (talk \| contribs) Edit filter managers, Autopatrolled, Checkusers, Interface administrators, Oversighters, Administrators 500,034 edits m Reverted edits by 109.118.120.32 (talk): unexplained content removal (HG) (3.4.10) Tags: Rollback Reverted ← Previous edit		Latest revision as of 23:19, 10 July 2024 edit undo 96.82.74.94 (talk) Minor rewording Tag: Visual edit
(25 intermediate revisions by 23 users not shown)
Line 1: {{Short description\|Type of cryptographic protocol}} An '''authentication protocol''' is a type of computer [[communications protocol]] or [[cryptographic protocol]] specifically designed for transfer of [[authentication]] data between two entities. It allows the receiving entity to authenticate the connecting entity (e.g. Client connecting to a Server) as well as authenticate itself to the connecting entity (Server to a client) by declaring the type of information needed for authentication as well as syntax.<ref>{{cite web\|url = https://www.sans.org/reading-room/whitepapers/authentication/overview-authentication-methods-protocols-118\|title = An Overview of Different Authentication Methods and Protocols\|date = 23 October 2001\|access-date = 31 October 2015\|website = www.sans.org\|publisher = SANS Institute\|last = Duncan\|first = Richard}}</ref> It is the most important layer of protection needed for secure communication within computer networks. Line 13 ⟶ 14: # Alice sends Bob her password in a packet complying with the protocol rules. # Bob checks the received password against the one stored in his database. Then he sends a packet saying "Authentication successful" or "Authentication failed" based on the result.<ref>{{Cite book\|title = Fundamentals of Cryptology\|last = van Tilborg\|first = Henk C.A.\|publisher = Kluwer Academic Publishers\|year = 2000\|isbn = 0-7923-8675-2\|___location = Massachusetts\|pages = 66–67}}</ref> This is an example of a very basic authentication protocol vulnerable to many threats such as [[eavesdropping]], [[replay attack]], [[man-in-the-middle]] attacks, [[Dictionary attack\|dictionary attacks]] or [[Brute-force attack\|brute-force attacks]]. Most authentication protocols are more complicated in order to be resilient against these attacks.<ref>{{Cite book\|title = Internet Cryptography\|last = Smith\|first = Richard E.\|publisher = Addison Wesley Longman\|year = 1997\|isbn = 0-201-92480-3\|___location = Massachusetts\|pages = [https://archive.org/details/internetcryptogr0000smit/page/1 1–27]\|url = https://archive.org/details/internetcryptogr0000smit/page/1}}</ref> ==Types== ===Authentication protocols developed for PPP [[Point-to-Point Protocol]]=== Protocols are used mainly by [[Point-to-Point Protocol]] (PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them use a password as the cornerstone of the authentication. In most cases, the password has to be shared between the communicating entities in advance.<ref>{{cite ~~document~~CiteSeerX\|title = Public-key cryptography and password protocols\|last = Halevi\|first = Shai\| year=1998 \| pages=230–268 \|citeseerx = 10.1.1.45.6423}}</ref> [[File:PAP 2way handshake.png\|thumb\|PAP 2-way handshake scheme\|461x461px]] Line 26 ⟶ 27: ====CHAP - [[Challenge-handshake authentication protocol]]==== The authentication process in this protocol is always ~~initialized~~initiated by the server/host and can be performed anytime during the session, even repeatedly. ~~Server~~The server sends a random string (usually 128B long). The client uses the password and the string received as ~~parameters~~input ~~for~~to ~~MD5~~a hash function and then sends the result together with username in plain text. ~~Server~~The server uses the username to apply the same function and compares the calculated and received hash. An authentication is successful orwhen the calculated and received hashes ~~unsuccessful~~match. ====[[Extensible Authentication Protocol\|EAP - Extensible Authentication Protocol]]==== EAP was originally developed for PPP(Point-to-Point Protocol) but today is widely used in [[IEEE 802.3]], [[IEEE 802.11]](WiFi) or [[IEEE 802.16]] as a part of [[IEEE 802.1x]] authentication framework. The latest version is standardized in RFC 5247. The advantage of EAP is that it is only a general authentication framework for client-server authentication - the specific way of authentication is defined in its many versions called EAP-methods. More than 40 EAP-methods exist, the most common are: Line 47 ⟶ 48: [[Remote Authentication Dial-In User Service]] (RADIUS) is a full [[AAA (computer security)\|AAA protocol ]] commonly used by [[ISP]]s. Credentials are mostly username-password combination based, and it uses [[Network access server\|NAS]] and [[User Datagram Protocol\|UDP]] protocol for transport.<ref>{{cite web\|url = http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-1/user/guide/acsuserguide/rad_tac_phase.html\|title = AAA protocols\|access-date = 31 October 2015\|website = www.cisco.com\|publisher = CISCO}}</ref> ====[[DIAMETER]]==== [[Diameter (protocol)]] evolved from RADIUS and involves many improvements such as usage of more reliable TCP or [[SCTP]] transport protocol and higher security thanks to [[Transport Layer Security\|TLS]].<ref>{{cite web\|url = http://www.ibm.com/developerworks/wireless/library/wi-diameter/\|title = Introduction to Diameter\|date = 24 January 2006\|access-date = 31 October 2015\|website = www.ibm.com\|publisher = IBM\|last = Liu\|first = Jeffrey}}</ref> ===Other=== Line 60 ⟶ 61: ==List of various other authentication protocols== * [[AKA (security)\|AKA]] * [[Basic access authentication]] * [[CAVE-based authentication]] * [[CRAM-MD5]]