Revision as of 07:53, 15 August 2019 edit Absgomz66 (talk \| contribs) 29 edits →Purpose: absgomz66 Tag: Visual edit ← Previous edit		Revision as of 08:52, 15 August 2019 edit undo John of Reading (talk \| contribs) Autopatrolled, Extended confirmed users, Pending changes reviewers 787,576 edits m Reverted 1 edit by Absgomz66 (talk) to last revision by Wdpp (TW) Tag: Undo Next edit →
Line 1: {{course assignment \| course = Education Program:University College London/MSIN1003 Information World (Autumn 2015) \| term = 2015 Q3}} An '''authentication protocol''' is a type of computer [[communications protocol]] or [[cryptographic ~~protocol\|cryptography~~ protocol]] specifically designed for transfer of [[authentication]] data between two entities. It allows the receiving entity to authenticate the connecting entity (e.g. Client connecting to a Server) as well as authenticate itself to the connecting entity (Server to a client) by declaring the type of information needed for authentication as well as syntax.<ref>{{cite web\|url = https://www.sans.org/reading-room/whitepapers/authentication/overview-authentication-methods-protocols-118\|title = An Overview of Different Authentication Methods and Protocols\|date = 23 October 2001\|accessdate = 31 October 2015\|website = www.sans.org\|publisher = SANS Institute\|last = Duncan\|first = Richard}}</ref> It is the most important layer of protection needed for secure communication within computer networks. ==Purpose == Line 18: ==Types== ===Authentication protocols developed for ~~OPP~~PPP [[Point-to-Point Protocol]]=== Protocols are used mainly by [[Point-to-Point Protocol]] (~~OPP~~PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them use a password as the cornerstone of the authentication. In most cases, the password has to be shared between the communicating entities in advance.<ref>{{cite web\|url = http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.45.6423&rep=rep1&type=pdf\|title = Public-key cryptography and password protocols\|date = \|accessdate = 31 October 2015\|website = citeseerx.ist.psu.edu\|publisher = \|last = Halevi\|first = Shai}}</ref> [[File:PAP 2way handshake.png\|thumb\|PAP 2-way handshake scheme\|461x461px]] Line 29: The authentication process in this protocol is always initialized by the server/host and can be performed anytime during the session, even repeatedly. Server sends a random string (usually 128B long). The client uses password and the string received as parameters for MD5 hash function and then sends the result together with username in plain text. Server uses the username to apply the same function and compares the calculated and received hash. An authentication is successful or unsuccessful. ====~~RAP~~EAP - Extensible Authentication Protocol==== ~~RAP~~EAP was originally developed for ~~OPP~~PPP(Point-to-Point Protocol) but today is widely used in [[IEEE 802.3]], [[IEEE 802.11]](WiFi) or [[IEEE 802.16]] as a part of [[IEEE 802.1x]] authentication framework. The latest version is standardized in RFC 5247. The advantage of ~~RAP~~EAP is that it is only a general authentication framework for client-server authentication - the specific way of authentication is defined in its many versions called ~~RAP~~EAP-methods. More than 40 ~~RAP~~EAP-methods exist, the most common are: [[EAP-MD5]] [[EAP-TLS~~\|FLEAPITS~~]] [[EAP-TTLS]] [[EAP~~-FAST\|RAP~~-FAST]] EAP-[[Protected Extensible Authentication Protocol\|PEAP]] APPEASE ===AAA architecture protocols (Authentication, Authorization, Accounting)=== Line 42: Complex protocols used in larger networks for verifying the user (Authentication), controlling access to server data (Authorization) and monitoring network resources and information needed for billing of services (Accounting). ====[[TACACS~~\|TACTICS~~]], [[XTACACS~~\|TACTICS~~]] and [[TACACS~~+\|TACTICS~~+]]==== The oldest AAA protocol using IP based authentication without any encryption (usernames and passwords were transported as plain text). Later version ~~TACTICS~~XTACACS (Extended ~~TACTICS~~TACACS) added authorization and accounting. Both of these protocols were later replaced by ~~TACTICS~~TACACS+. ~~TACTICS~~TACACS+ separates the AAA components thus they can be segregated and handled on separate servers (It can even use another protocol for e.g. Authorization). It uses [[Transmission Control Protocol\|~~PCT~~TCP]] (Transmission Control Protocol) for transport and encrypts the whole packet. ~~TACTICS~~TACACS+ is Cisco proprietary. ====[[RADIUS]]==== [[Remote Authentication Dial-In User Service]] (RADIUS) is a full [[AAA (computer security)\|AAA protocol ]] commonly used by [[ISP]]. Credentials are mostly username-password combination based, it uses [[Network access server\|~~ANS~~NAS]] and [[User Datagram Protocol\|UPUDP]] protocol for transport.<ref>{{cite web\|url = http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-1/user/guide/acsuserguide/rad_tac_phase.html\|title = AAA protocols\|date = \|accessdate = 31 October 2015\|website = www.cisco.com\|publisher = CISCO\|last = \|first = }}</ref> ====[[DIAMETER]]==== [[Diameter (protocol)]] evolved from RADIUS and involves many improvements such as usage of more reliable ~~PCT~~TCP or ~~SCRIPT~~SCTP transport protocol and higher security thanks to [[Transport Layer Security\|TSTLS]].<ref>{{cite web\|url = http://www.ibm.com/developerworks/wireless/library/wi-diameter/\|title = Introduction to Diameter\|date = 24 January 2006\|accessdate = 31 October 2015\|website = www.ibm.com\|publisher = IBM\|last = Liu\|first = Jeffrey}}</ref> ===Other=== [[File:Kerberos sch en.png\|thumb\|321x321px\|~~Kerosene~~Kerberos authentication scheme]] ====[[Kerberos ~~(protocol)\|Kerosene~~ (protocol)]]==== ~~Kerosene~~Kerberos is a centralized network authentication system developed at [[MIT]] and available as a free implementation from MIT but also in many commercial products. It is the default authentication method in [[Windows 2000]] and later. The authentication process itself is much more complicated than in the previous protocols - ~~Kerosene~~Kerberos uses [[symmetric key cryptography]], requires a [[trusted third party]] and can use [[public-key cryptography]] during certain phases of authentication if need be.<ref>{{cite web\|url = http://web.mit.edu/kerberos/\|title = Kerberos: The Network Authentication Protocol\|date = 10 September 2015\|accessdate = 31 October 2015\|website = web.mit.edu\|publisher = MIT Kerberos\|last = \|first = }}</ref><ref>{{Cite book\|title = Applied Cryptography\|last = Schneier\|first = Bruce\|publisher = John Wiley & Sons,Inc.\|year = 1997\|isbn = 0-471-12845-7\|___location = New York\|pages = 52–74}}</ref><ref>{{cite web\|url = http://srp.stanford.edu/history.html\|title = Protocols of the Past\|date = \|accessdate = 31 October 2015\|website = srp.stanford.edu\|publisher = Stanford University\|last = \|first = }}</ref> ==List of various other authentication protocols== Line 66: * [[Host Identity Protocol]] (HIP) * [[LAN Manager]] * [[NTLM~~\|MANTLE~~]], also known as NT LAN Manager * [[OpenID~~\|Open Id~~]] protocol * [[Password-authenticated key agreement]] protocols * [[Protocol for Carrying Authentication for Network Access]] (~~PANS~~PANA) * [[Secure Remote Password protocol]] (~~RPS~~SRP) * [[RFID~~-Authentication Protocols\|RID~~-Authentication Protocols]] * [[Woo Lam 92 (protocol)]] * [[SAML~~\|LAMS~~]] ==References==

Authentication protocol: Difference between revisions