Password Authentication Protocol: Difference between revisions

Content deleted Content added
m Disambiguating links to TLS (link changed to Transport Layer Security; link changed to Transport Layer Security) using DisamAssist.
m copyedit
Line 1:
'''Password Authentication Protocol''' ('''PAP''') is a [[password]]-based [[authentication protocol]] used by [[Point -to Point Protocol|Point to -Point Protocol]] (PPP)]] to validate users.<ref>{{Cite web|date=2018-07-17|title=Password Authentication Protocol (PAP)|url=https://www.geeksforgeeks.org/password-authentication-protocol-pap/|access-date=2020-11-08|website=GeeksforGeeks|language=en-US}}</ref> PAP is specified in {{IETF RFC|1334}}.
 
Almost all [[network operating system]]s support PPP with PAP, as do most [[network access server]]s. PAP is also used in [[PPPoE]], for authenticating DSL users.
 
As the [[Point -to Point Protocol|Point to -Point Protocol]] (PPP)]] sends data unencrypted and "in the clear", PAP is vulnerable to any attacker who can observe the PPP session. An attacker can see the users name, password, and any other information associated with the PPP session. Some additional security can be gained on the PPP link by using [[Challenge-handshakeHandshake authenticationAuthentication protocolProtocol|CHAP]] or [[Extensible Authentication Protocol|EAP]]. However, there are always tradeoffs when choosing an authentication method, and there is no single answer for which is more secure.
 
When PAP is used in PPP, it is considered a weak authentication scheme. Weak schemes are simpler and have lighter [[overhead (computing)|computational overhead]] than more complex schemes such as [[Transport Layer Security|Transport Layer Security]] (TLS)]], but they are much more vulnerable to attack. While weak schemes are used where the transport layer is expected to be physically secure, such as a home [[DSL]] link. Where the transport layer is not physically secure a system such as [[Transport Layer Security|Transport Layer Security (TLS)]] or [[IPSecIPsec|Internet Protocol Security (IPsec)]] is used instead.
 
===Other Uses of PAP===
 
===Other Usesuses of PAP===
PAP is also used to describe password authentication in other protocols such as [[RADIUS]] and [[Diameter]]. However, those protocols provide for transport or network layer security, and this do not have the security issues seen when PAP is used with PPP.
 
===Benefits of PAP===
 
When the client sends a clear-text password, the authentication server will receive it, and compare it to a "known good" password. Since the authentication server has received the password in clear-text, the [[Password#Form_of_stored_passwords|format of the stored password]] can be chosen to be secure "at rest". If an attacker were to steal the entire database of passwords, it is computationally infeasible to reverse the function to recover a plaintext password.
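Review bot: In the "Other uses of PAP" paragraph, "and this do not have the security issues" is still wrong after the copyedit and should read "and thus do not have". In the weak-scheme paragraph, "While weak schemes are used where the transport layer is expected to be physically secure, such as a home DSL link." is a sentence fragment; drop "While" or join it to the following sentence with a comma. In the third paragraph, "the users name" needs the possessive "the user's name". The "Benefits of PAP" paragraph says recovering a plaintext password from a stolen database is computationally infeasible, but it carries no reference, and the same paragraph says the stored format "can be chosen", so the claim should be qualified to that choice or cited.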
 
Line 18 ⟶ 16:
 
==Working cycle==
PAP authentication is only done at the time of the initial link establishment, and verifies the identity of the client using a [[Handshakinghandshaking|two-way handshake]].
 
#Client sends username and password. This is sent repeatedly until a response is received from the server.
#Server sends authentication-ack (if credentials are OK) or authentication-nak (otherwise)<ref name="Forouzan2007">{{cite book|author=Forouzan|title=Data Commn & Networking 4E Sie|url=https://books.google.com/books?id=6HaNKmfBK1oC&pg=PA352|accessdate=24 November 2012|year=2007|publisher=McGraw-Hill Education (India) Pvt Limited|isbn=978-0-07-063414-5|pages=352–}}</ref>
 
==PAP Packetspackets==
{| class="wikitable"
|-
!
Description
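Review bot: Step 2 of the "Working cycle" list ends at "(otherwise)" with no full stop before the reference, while step 1 ends its sentences with full stops; add one for consistency. The Forouzan citation uses "accessdate=" where the first reference on the page uses "access-date=", so align the parameter name. Its title "Data Commn & Networking 4E Sie" reads as a catalogue abbreviation and should be written out in full.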
Line 66 ⟶ 63:
C023 (hex).
{| class="wikitable"
|-
!Flag
!Address
Line 77 ⟶ 73:
 
==See also==
* SAP - [[Service Access Point]]
 
==Notes==
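Review bot: The "See also" entry "SAP - [[Service Access Point]]" gives no indication of how it relates to PAP. Add a short annotation stating the connection, or remove the entry if the only link is the similar acronym.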
Line 87 ⟶ 83:
{{Authentication APIs}}
 
{{DEFAULTSORT:Password Authentication Protocol}}
[[Category:Password authentication]]
[[Category:Internet protocols]]