Password Authentication Protocol: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 02:40, 18 May 2011 edit 129.21.50.118 (talk) No edit summary ← Previous edit		Latest revision as of 04:16, 28 March 2025 edit undo Hollyfeld (talk \| contribs) 133 edits m Removed a redundant link and fixed grammar
(48 intermediate revisions by 38 users not shown)
Line 1: '''Password Authentication Protocol''' ('''PAP''') is a [[password]]-based [[authentication protocol]] used by [[Point-to-Point Protocol]] (PPP) to validate users.<ref>{{Cite web\|date=2018-07-17\|title=Password Authentication Protocol (PAP)\|url=https://www.geeksforgeeks.org/password-authentication-protocol-pap/\|access-date=2020-11-08\|website=GeeksforGeeks\|language=en-US}}</ref> PAP is specified in {{IETF RFC\|1334}}. ~~{{Unreferenced\|date=December 2009}}~~ Almost all [[network operating system]]s support PPP with PAP, as do most [[network access server]]s. PAP is also used in [[PPPoE]], for authenticating DSL users. ~~A '''password authentication protocol''' (uncapitalized) is an [[authentication protocol]] that uses a [[password]].~~ As the [[Point-to-Point Protocol]] (PPP) sends data unencrypted and "in the clear", PAP is vulnerable to any attacker who can observe the PPP session. An attacker can see the users name, password, and any other information associated with the PPP session. Some additional security can be gained on the PPP link by using [[Challenge-Handshake Authentication Protocol\|CHAP]] or [[Extensible Authentication Protocol\|EAP]]. However, there are always tradeoffs when choosing an authentication method, and there is no single answer for which is more secure. ~~PAP is used by [[Point to Point Protocol]] to validate users before allowing them access to server resources. Almost all [[network operating system]] remote servers support PAP.~~ When PAP is used in PPP, it is considered a weak authentication scheme. Weak schemes are simpler and have lighter [[overhead (computing)\|computational overhead]] than more complex schemes, such as [[Transport Layer Security]] (TLS), but they are much more vulnerable to attack. Weak schemes are used where the transport layer is expected to be physically secure, such as a home [[DSL]] link. Where the transport layer is not physically secure a system such as TLS or [[Internet Protocol Security]] (IPsec) is used instead. PAP transmits unencrypted [[ASCII]] passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, like [[Challenge-handshake authentication protocol\|CHAP]] or ~~[[Extensible Authentication Protocol\|EAP]] (while the last is actually a framework).<br />~~ '''<big>Password-based authentication</big>'''is the protocol that two entities share a password in advance and use the password as the basic of authentication. Existing password authentication scheme can be categorized into two types: weak-password authentication schemes and strong-password authentication schemes. In general, strong-password authentication protocols have the advantages over the weak-password authentication schemes in that their computational overhead are lighter, designs are simpler, and implementation are easier, and therefore are especially suitable for some constrained environments. ~~<br />~~ ~~'''<big>How to communicate securely over a public network</big'''>~~ ~~<br />~~ ~~It is common~~ ~~for two entities to authenticate each other in order to protect~~ ~~the privacy and later communication, but the cost in regard~~ ~~of computational overhead and storage is too high for certain~~ ~~applications such as PDA and mobile phone, etc. Another~~ ~~way of addressing this problem is that two entities share a~~ ~~password in advance and then use the password as the~~ ~~authentication token. Traditional password protocols are~~ ~~susceptible to off-line dictionary attack: many users choose~~ ~~password of relatively low entropy, so it is possible for the~~ ~~adversary to mount all possible password from a small~~ ~~dictionary. Compared to offline dictionary, online attacks is~~ ~~easy detected by simply placing a limit on the number of~~ ~~unsuccessful authentication attempts. So, the security of~~ ~~password-based protocols in particular requires that the~~ ~~protocol can not be broken by this kind of attack.~~ ==Other uses of PAP== PAP is also used to describe password authentication in other protocols such as [[RADIUS]] and [[Diameter (protocol)\|Diameter]]. However, those protocols provide for transport or network layer security, and therefore that usage of PAP does not have the security issues seen when PAP is used with PPP. ==Benefits of PAP== When the client sends a clear-text password, the authentication server will receive it, and compare it to a "known good" password. Since the authentication server has received the password in clear-text, the [[Password#Form of stored passwords\|format of the stored password]] can be chosen to be secure "at rest". If an attacker were to steal the entire database of passwords, it is computationally infeasible to reverse the function to recover a plaintext password. As a result, while PAP passwords are less secure when sent over a PPP link, they allow for more secure storage "at rest" than with other methods such as [[Challenge-handshake authentication protocol\|CHAP]]. ==Working cycle== PAP authentication is only done at the time of the initial link establishment, and verifies the identity of the client using a [[Handshake (computing)\|two-way handshake]]. Client sends username and password Server sends authentication-ack (if credentials are OK) or authentication-nak (otherwise) #Client sends username and password. This is sent repeatedly until a response is received from the server. ==PAP Packets==▼ #Server sends authentication-ack (if credentials are OK) or authentication-nak (otherwise)<ref name="Forouzan2007">{{cite book\|author=Forouzan\|title=Data Commn & Networking 4E Sie\|url=https://books.google.com/books?id=6HaNKmfBK1oC&pg=PA352\|accessdate=24 November 2012\|year=2007\|publisher=McGraw-Hill Education (India) Pvt Limited\|isbn=978-0-07-063414-5\|pages=352–}}</ref> ▲==PAP ~~Packets~~packets== {\| class="wikitable" \|- ! Description Line 76 ⟶ 63: C023 (hex). {\| class="wikitable" \|- !Flag !Address Line 87 ⟶ 73: ==See also== * SAP – [[Service Access Point]] * CHAP - [[Challenge-handshake authentication protocol]] * EAP - [[Extensible Authentication Protocol]] * RFC 1334 – PPP Authentication Protocols * [[Password-authenticated key agreement]] protocols ==Notes== ~~{{DEFAULTSORT:Password Authentication Protocol}}~~ {{reflist}} ~~[[Category:Password authentication]]~~ [[Category:Internet protocols]]▼ ~~[[Category:Computer access control protocols]]~~ ==References== * {{cite IETF \|title=PPP Authentication Protocols \|rfc=1334 \|sectionname=Password Authentication Protocol \|page=2 \|first1=Brian \|last1=Lloyd \|first2=William Allen \|last2=Simpson \|year=1992 \|publisher = [[Internet Engineering Task Force\|IETF]] \|accessdate=16 July 2015}} {{Authentication APIs}} ~~{{Compu-network-stub}}~~ [[csCategory:Password authentication ~~protocol~~]] ▲[[Category:Internet protocols]] ~~[[de:Password Authentication Protocol]]~~ [[elCategory:~~Password~~ Authentication ~~Protocol~~protocols]] ~~[[es:Password Authentication Protocol]]~~ ~~[[fa:پروتکل تأیید گذرواژه]]~~ ~~[[fr:Password Authentication Protocol]]~~ ~~[[it:Password authentication protocol]]~~ ~~[[nl:Password Authentication Protocol]]~~ ~~[[ja:Password Authentication Protocol]]~~ ~~[[pl:Password Authentication Protocol]]~~ ~~[[pt:Password authentication protocol]]~~ ~~[[ru:PAP]]~~ ~~[[sr:Протокол за аутентикацију шифре]]~~