Authentication Protocols
   HOME

TheInfoList



OR:

An authentication protocol is a type of computer
communications protocol A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. The protocol defines the rules, syntax, semantics and synchr ...
or
cryptographic protocol A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describe ...
specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity (e.g. Client connecting to a Server) as well as authenticate itself to the connecting entity (Server to a client) by declaring the type of information needed for authentication as well as syntax. It is the most important layer of protection needed for secure communication within computer networks.


Purpose

With the increasing amount of trustworthy information being accessible over the network, the need for keeping unauthorized persons from access to this data emerged. Stealing someone's identity is easy in the computing world - special verification methods had to be invented to find out whether the person/computer requesting data is really who he says he is. The task of the authentication protocol is to specify the exact series of steps needed for execution of the authentication. It has to comply with the main protocol principles: # A Protocol has to involve two or more parties and everyone involved in the protocol must know the protocol in advance. # All the included parties have to follow the protocol. # A protocol has to be unambiguous - each step must be defined precisely. # A protocol must be complete - must include a specified action for every possible situation. An illustration of password-based authentication using simple authentication protocol: Alice (an entity wishing to be verified) and Bob (an entity verifying Alice's identity) are both aware of the protocol they agreed on using. Bob has Alice's password stored in a database for comparison. # Alice sends Bob her password in a packet complying with the protocol rules. # Bob checks the received password against the one stored in his database. Then he sends a packet saying "Authentication successful" or "Authentication failed" based on the result. This is an example of a very basic authentication protocol vulnerable to many threats such as
eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Etymology The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...
,
replay attack A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary wh ...
,
man-in-the-middle In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
attacks, dictionary attacks or
brute-force attacks In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct ...
. Most authentication protocols are more complicated in order to be resilient against these attacks.


Types


Authentication protocols developed for PPP Point-to-Point Protocol

Protocols are used mainly by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them use a password as the cornerstone of the authentication. In most cases, the password has to be shared between the communicating entities in advance.


PAP - Password Authentication Protocol

Password Authentication Protocol Password Authentication Protocol (PAP) is a password A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords w ...
is one of the oldest authentication protocols. Authentication is initialized by the client sending a packet with credentials (username and password) at the beginning of the connection, with the client repeating the authentication request until acknowledgement is received. It is highly insecure because credentials are sent " in the clear" and repeatedly, making it vulnerable even to the most simple attacks like
eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Etymology The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...
and
man-in-the-middle In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
based attacks. Although widely supported, it is specified that if an implementation offers a stronger authentication method, that method ''must'' be offered before PAP. Mixed authentication (e.g. the same client alternately using both PAP and CHAP) is also not expected, as the CHAP authentication would be compromised by PAP sending the password in plain-text.


CHAP - Challenge-handshake authentication protocol

The authentication process in this protocol is always initialized by the server/host and can be performed anytime during the session, even repeatedly. Server sends a random string (usually 128B long). The client uses password and the string received as parameters for MD5 hash function and then sends the result together with username in plain text. Server uses the username to apply the same function and compares the calculated and received hash. An authentication is successful or unsuccessful.


EAP - Extensible Authentication Protocol

EAP was originally developed for PPP(Point-to-Point Protocol) but today is widely used in
IEEE 802.3 IEEE 802.3 is a working group and a collection standards defining the physical layer and data link layer's media access control (MAC) of wired Ethernet. The standards are produced by the working group of Institute of Electrical and Electronics Eng ...
,
IEEE 802.11 IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer commun ...
(WiFi) or
IEEE 802.16 IEEE 802.16 is a series of wireless broadband standards written by the Institute of Electrical and Electronics Engineers (IEEE). The IEEE Standards Board established a working group in 1999 to develop standards for broadband for wireless metrop ...
as a part of
IEEE 802.1x IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. IEEE 802.1X defines t ...
authentication framework. The latest version is standardized in RFC 5247. The advantage of EAP is that it is only a general authentication framework for client-server authentication - the specific way of authentication is defined in its many versions called EAP-methods. More than 40 EAP-methods exist, the most common are: * EAP-MD5 *
EAP-TLS Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by . EAP is an authentication framework for providing the transport ...
*
EAP-TTLS Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by . EAP is an authentication framework for providing the transport ...
*
EAP-FAST Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by . EAP is an authentication framework for providing the transport ...
*EAP-
PEAP PEAP might be an acronym or abbreviation for: * Protected Extensible Authentication Protocol, a security protocol in computer security * Personal Egress Air Packs Personal Egress Air Packs, or PEAPs, were devices on board a Space Shuttle that p ...


AAA architecture protocols (Authentication, Authorization, Accounting)

Complex protocols used in larger networks for verifying the user (Authentication), controlling access to server data (Authorization) and monitoring network resources and information needed for billing of services (Accounting).


TACACS Terminal Access Controller Access-Control System (TACACS, ) refers to a family of related Authentication protocol, protocols handling remote authentication and related services for network access control through a centralized server. The original T ...
,
XTACACS Terminal Access Controller Access-Control System (TACACS, ) refers to a family of related protocols handling remote authentication and related services for network access control through a centralized server. The original TACACS protocol, which dat ...
and
TACACS+ Terminal Access Controller Access-Control System (TACACS, ) refers to a family of related protocols handling remote authentication and related services for network access control through a centralized server. The original TACACS protocol, which dat ...

The oldest AAA protocol using IP based authentication without any encryption (usernames and passwords were transported as plain text). Later version XTACACS (Extended TACACS) added authorization and accounting. Both of these protocols were later replaced by TACACS+. TACACS+ separates the AAA components thus they can be segregated and handled on separate servers (It can even use another protocol for e.g. Authorization). It uses
TCP TCP may refer to: Science and technology * Transformer coupled plasma * Tool Center Point, see Robot end effector Computing * Transmission Control Protocol, a fundamental Internet standard * Telephony control protocol, a Bluetooth communication s ...
(Transmission Control Protocol) for transport and encrypts the whole packet. TACACS+ is Cisco proprietary.


RADIUS In classical geometry, a radius ( : radii) of a circle or sphere is any of the line segments from its center to its perimeter, and in more modern usage, it is also their length. The name comes from the latin ''radius'', meaning ray but also the ...

Remote Authentication Dial-In User Service Remote may refer to: Arts, entertainment, and media * Remote (1993 film), ''Remote'' (1993 film), a 1993 movie * Remote (2004 film), ''Remote'' (2004 film), a Tamil-language action drama film * Remote (album), ''Remote'' (album), a 1988 album by ...
(RADIUS) is a full AAA protocol commonly used by
ISP An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...
. Credentials are mostly username-password combination based, it uses
NAS Nas (born 1973) is the stage name of American rapper Nasir Jones. Nas, NaS, or NAS may also refer to: Aviation * Nasair, a low-cost airline carrier and subsidiary based in Eritrea * National Air Services, an airline in Saudi Arabia ** Nas Air ( ...
and UDP protocol for transport.


DIAMETER In geometry, a diameter of a circle is any straight line segment that passes through the center of the circle and whose endpoints lie on the circle. It can also be defined as the longest chord of the circle. Both definitions are also valid for ...

Diameter (protocol) Diameter is an authentication, authorization, and accounting protocol for computer networks. It evolved from the earlier RADIUS protocol. It belongs to the application layer protocols in the internet protocol suite. ''Diameter Applications'' e ...
evolved from RADIUS and involves many improvements such as usage of more reliable TCP or SCTP transport protocol and higher security thanks to
TLS TLS may refer to: Computing * Transport Layer Security, a cryptographic protocol for secure computer network communication * Thread level speculation, an optimisation on multiprocessor CPUs * Thread-local storage, a mechanism for allocating vari ...
.


Other


Kerberos (protocol) Kerberos () is a computer-network authentication protocol that works on the basis of ''tickets'' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily a ...

Kerberos is a centralized network authentication system developed at MIT and available as a free implementation from MIT but also in many commercial products. It is the default authentication method in
Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RTM), releas ...
and later. The authentication process itself is much more complicated than in the previous protocols - Kerberos uses
symmetric key cryptography Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between th ...
, requires a
trusted third party In cryptography, a trusted third party (TTP) is an entity which facilitates interactions between two parties who both trust the third party; the Third Party reviews all critical transaction communications between the parties, based on the ease of c ...
and can use
public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
during certain phases of authentication if need be.


List of various other authentication protocols

*
AKA Aka, AKA or a.k.a. may refer to: * "Also known as", used to introduce an alternative name Languages * Aka language (Sudan) * Aka language, in the Central African Republic * Hruso language, in India, also referred to as Aka * a prefix in the n ...
*
Basic access authentication In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field i ...
* CAVE-based authentication * CRAM-MD5 *
Digest Digest may refer to: Biology *Digestion of food *Restriction digest Literature and publications *''The Digest'', formerly the English and Empire Digest *Digest size magazine format * ''Digest'' (Roman law), also known as ''Pandects'', a digest ...
*
Host Identity Protocol The Host Identity Protocol (HIP) is a host identification technology for use on Internet Protocol (IP) networks, such as the Internet. The Internet has two main name spaces, IP addresses and the Domain Name System. HIP separates the end-point ide ...
(HIP) * LAN Manager *
NTLM In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft L ...
, also known as NT LAN Manager * OpenID protocol *
Password-authenticated key agreement In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password. An important property is that an eavesdropper or m ...
protocols * Protocol for Carrying Authentication for Network Access (PANA) * Secure Remote Password protocol (SRP) * RFID-Authentication Protocols *
Woo Lam 92 (protocol) Woo, WoO, WOO, W.O.O. and variants may refer to: People Woo or Wu, romanization of several East Asian names: * Hu (surname): 胡, 瓠, 護, 戶, 扈, 虎, 呼, 忽, 斛 * Wu (surname): 吳, 伍, 武, 仵, 烏, 鄔, 巫 * Ng (name): 吳, 伍 * Woo ...
*
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based m ...


References

{{DEFAULTSORT:Authentication Protocol Computer access control protocols