Giuseppe Bianchi Lecture 2: Basic PPP authentication mechanisms PAP, CHAP, +++ Recommended reading: RFC 1334, October 1992; RFC 1994, August 1996 Wiley.

Slides:



Advertisements
Similar presentations
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Advertisements

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Chapter 12 Point-to-Point Access: PPP.
Rick Graziani PPP authentication protocols 1. Link establishment - (LCPs) 2. Authentication - Optional (LCPs) 3. Link quality determination.
S4C4 PPP. Protocols Point to Point Protocol Link Control Protocol Network Control Program Password Authentication Protocol Challenge Handshake Authentication.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Point-to-Point Protocol
Gursharan Singh Tatla SLIP and PPP 27-Mar
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 4 Point to Point Protocol (PPP)
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Ariel Eizenberg PPP Security Features Ariel Eizenberg
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
IEEE Wireless Local Area Networks (WLAN’s).
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Point to Point Protocol Operation. Point to Point Protocol Protocol Layers of PPP –Physical Layer –Data Link Layer – HDLC derivative –Other protocols.
PPP (Point to Point protocol).  On WAN connection, the protocol depends on the WAN technology and communicating equipment:  Examples:  HDLC –  The.
K. Salah 1 Chapter 12 Point-to-Point Access: PPP.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
Georgy Melamed Eran Stiller
PPP Protocol PPP Stack -Establish a link (Link Control Protocol) -Authenticate Parties involved (Authentication Protocols) -Carry Network Layer (Network.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
Point-to-Point Protocol (PPP) Security Connecting to remote access servers (RASs) PPP authentication PPP confidentiality Point-to-Point Tunneling Protocol.
As first introduced in Chapter 2, “Wide Area Network (WAN) Technologies,” PPP is a stan- dard for using point-to-point network links that provides the.
Point-to-Point Access: PPP. In a network, two devices can be connected by a dedicated link or a shared link. In the first case, the link can be used by.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Strong Password Protocols
 It defines the format of the frame to be exchanged between devices.  It defines how two devices can negotiate the establishment of the link and the.
PPP (Point to Point Protocol)
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Mobile and Wireless Communication Security By Jason Gratto.
Wireless and Security CSCI 5857: Encoding and Encryption.
Doc.: IEEE /TBD Submission November 2001 Warren Barkley, Tim Moore, Bernard Aboba/Microsoft IEEE 802.1X and RADIUS Security Bernard Aboba Ashwin.
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.
Robert E. Meyers CCNA, CCAI Youngstown State University Cisco Regional Academy Instructor Cisco Networking Academy Program Semester 4, v Chapter.
Copyright Kenneth M. Chipps Ph.D. PPP Last Update
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
Prepared by They Yu Shu Lee Ern Yu.  Motivation  Previous Work  Remaining Issues  Improvement.
Point-to-Point Access: PPP PPP Between Routers  Used for Point-to-Point Connections only  Used as data link control (encapsulates network layer.
Lecture 11: Strong Passwords
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
Lesson 1: Local Area Network (LAN) Technologies LAN encapsulations Ethernet Token Ring FDDI IEEE
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
4 Semester 4 CHAPTER 4 REVIEW JEOPARDY S2C04 Jeopardy Review.
Cody Brookshear Andy Borman
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
PPP Configuration.
Giuseppe Bianchi Lecture 2: Basic PPP authentication mechanisms PAP, CHAP, +++ Recommended reading: RFC 1334, October 1992; RFC 1994, August 1996 Wiley.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
Cryptography CSS 329 Lecture 13:SSL.
1 Example security systems n Kerberos n Secure shell.
Point-Point Protocol (PPP) by William F. Widulski.
PPP Protocol.
PPP Protocol.
Lesson 6 Point to Point Protocol
PPP – Point to Point Protocol
PPP PROTOCOL The First semester
ZyXEL Communications Corporation
Authentication Protocol
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
PPP Protocol.
Presentation transcript:

Giuseppe Bianchi Lecture 2: Basic PPP authentication mechanisms PAP, CHAP, +++ Recommended reading: RFC 1334, October 1992; RFC 1994, August 1996 Wiley AAA book, chapter 2 (parts)

Giuseppe Bianchi Authentication in PPP  Optional phase  After link establishment  after or during link quality determination (if present)  Authentication mechanism negotiated during link establishment  Option sent in configuration request PPP msg

Giuseppe Bianchi Basic PPP authentication  LCP option #3 = authentication protocol  Two basic authentication mechanisms initially considered  PAP: Password Authentication Protocol  CHAP: Challenge Handshake Authentication Protocol Type 1 byte 03 Type 1 byte 03 Length 1 byte >=4 Length 1 byte >=4 Auth-protocol 2 byte c023=PAP, c223=CHAP Auth-protocol 2 byte c023=PAP, c223=CHAP data 0+ bytes … data 0+ bytes … Specific extra info needed to the considered auth protocol Type 1 byte 03 Type 1 byte 03 Length 1 byte 04 Length 1 byte 04 Auth-protocol 2 byte c023=PAP Auth-protocol 2 byte c023=PAP No extra info Type 1 byte 03 Type 1 byte 03 Length 1 byte 05 Length 1 byte 05 Auth-protocol 2 byte c223=CHAP Auth-protocol 2 byte c223=CHAP data 1 byte 05=MD5 data 1 byte 05=MD5 Extra info: Hash Function Basic = MD5

Giuseppe Bianchi Auth direction  Independently done on both directions!  Authentication may differ  or may apply to a single direction only  Typically NAS requires user to authenticate  User does not require NAS to authenticate  Authenticator = the end of the link that requires the other peer to perform authentication  Authenticator: sends the Configure-Request, specifying the authentication protocol to be used  Both sides act in turn as authenticators in the case of mutual authentication User NAS Configure-Ack (auth protocol = XXX) Configure-Request (auth protocol = XXX) user will AUTH with XXX against NAS Authenticator

Giuseppe Bianchi PAP Password Authentication Protocol

Giuseppe Bianchi Password Authentication Protocol  Simplest possible mechanism  Based on the a-priori knowledge, by the authenticator, of the (user_id, password) pair specified during contractual agreement  Two-way handshake Authenticate-Request (User_ID,Passwd) Authenticate-Ack Authenticate-Nak Remote User Authenticator User Database … … UID passwd … …

Giuseppe Bianchi PAP procedure  Starts when link is established  Authenticating peer repeatedly sends Id/Password pair, until:  An ACK is received  A NACK is received and/or the connection is terminated  PAP is a weak authentication method  Passwords sent “in clear”  No protection from playback  No protection from repeated trial and error attacks  Peer is in control of the frequency and timing of the attempts.

Giuseppe Bianchi PAP Authentication Protocol option User NAS Configure-Ack (auth protocol option 03=PAP) Configure-Request (auth protocol option 03=PAP) Type 03 Type 03 Length 04 Length 04 Authentication-protocol C023 (PAP) Authentication-protocol C023 (PAP) There is no data field In the option

Giuseppe Bianchi PAP packet format: auth-request User NAS PAP Authenticate-Ack (code 2) or PAP Authenticate-Nak (code 3) PAP Authenticate-Request (code 1) Flag Address Address Control Control Protocol 0xC023 (PAP) Protocol 0xC023 (PAP) Information FCS Flag Code 1 byte 01 Code 1 byte 01 Identifier 1 byte Identifier 1 byte Length 2 bytes Length 2 bytes ID len 1 byte ID len 1 byte To match request/reply ID *** ID *** PW len 1 byte PW len 1 byte PW *** PW ***

Giuseppe Bianchi Auth-request example (real capture) … c c e d 75 6a 6e PAP Code 01 Auth-req ID=09 Len=32 bytes (0x0020) User id = 18 bytes e u t e l e 2. i t Password = 8 bytes 9 d w c - u j n ALL UID+PW IN CLEAR!!!!

Giuseppe Bianchi PAP packet format: auth-Ack/Nak User NAS PAP Authenticate-Ack (code 2) or PAP Authenticate-Nak (code 3) PAP Authenticate-Request (code 1) Flag Address Address Control Control Protocol 0xC023 (PAP) Protocol 0xC023 (PAP) Information FCS Flag Code 1 byte =2 or 03 Code 1 byte =2 or 03 Identifier 1 byte Identifier 1 byte Length 2 bytes Length 2 bytes Msg len 1 byte Msg len 1 byte To match request/reply msg *** msg *** Message field: 0+ bytes its contents are Implementation-dependent Intended to be human readable (ASCII)

Giuseppe Bianchi CHAP Challenge Handshake Authentication Protocol

Giuseppe Bianchi Approach  Three-way handshake  Challenge – Response – Success or Failure  Uses a Random Challenge, with a cryptographically hashed Response which depends upon the Challenge and a secret key  Secret key never transmitted in clear  Much more safer than PAP  Conceptually identical to the approach currently adopted into actual cellular networks  GSM, UMTS

Giuseppe Bianchi Three-way handshake 2) Username,Hash(Challenge+Pw+…) 3) Success, Failure 1) Challenge Remote User Authenticator Three-way handshake performed initially, after link establishment But it MAY be repeated ANYTIME at RANDOM TIMES after the link is established With new (different) challenges!!

Giuseppe Bianchi CHAP pros & cons  Pros:  Protection against playback attack  Incrementally changing identifier  Variable challenge value  Repeated challenges  Authentication may be repeated over connection time (unlike PAP where it is performed only once at start)  intended to limit the time of exposure to any single attack  Authenticator controls frequency and timing of the challenges  CHAP does not allow a peer to attempt authentication without a challenge  Cons:  Secret must be available in plaintext form  Cannot use irreversibly encrypted password databases  Hard scalability in large installations  every possible secret must be maintained at both ends of the link

Giuseppe Bianchi CHAP selection User NAS Configure-Ack (auth protocol option 03=CHAP) Configure-Request (auth protocol option 03=CHAP) Type 03 Type 03 Length 05 Length 05 Authentication-protocol C223 (CHAP) Authentication-protocol C223 (CHAP) Similar to PAP: during configure-Request algorithm 05 (MD5) algorithm 05 (MD5) The only required hashing algorithm, in a conforming implementation, is MD5 (but CHAP protocol open to other possible hashing algorithms as well)

Giuseppe Bianchi CHAP Challenge  Identifier: MUST change at each new challenge  Value: randomly generated - must be designed to be  Unique & different per each challenge  To avoid replay attacks  Not predictable  Value size: 1+ bytes  In principle arbitrary and independent of the hashing algorithm used  Name field: identification of the system transmitting the packet Code 1 byte 01 Code 1 byte 01 Identifier 1 byte Identifier 1 byte Length 2 bytes Length 2 bytes Ch.Len 1 byte Ch.Len 1 byte Challenge *** Challenge *** Name *** Name *** PPP Challenge Handshake Authentication Protocol (REAL TRACE EXAMPLE) Code: 0x 01 (Challenge) Identifier: 0x 01 Length: 0x 00 1f (31 bytes) Value Size: 0x 10 (16 bytes) Value: 0x c9 b3 30 a6 f8 6f 52 ff 67 7f 07 3d 15 f5 Name: MILZ-LNS-9 (10 bytes)

Giuseppe Bianchi Response computation  One-Way Hash function  Transform an arbitrary text size into an alphanumeric sequence of given size (digest)  MD5 digest = 16 bytes  Response value: one-way hash calculated over:  Identifier, concatenated with the “secret”, concatenated with the challenge value Original textDigest One-way Hash AgjkY9FgjKhx identifierSecret keyChallenge + + Code 1 byte 02 Code 1 byte 02 Identifier 1 byte Identifier 1 byte Length 2 bytes Length 2 bytes Val len 1 byte Val len 1 byte Value *** Value *** Name *** Name *** PPP Challenge Handshake Authentication Protocol (REAL TRACE EXAMPLE) Code: 0x 02 (Challenge) Identifier: 0x 01 Length: 0x (39 bytes) Value Size: 0x 10 (16 bytes) Value: 0x 4b c3 2a b5 21 f0 29 9b a e4 ae Name: (18 bytes) “secret” size:  At least 1 byte  Typically more (a “normal” password)  Preferable: at least 16 bytes (MD5 digest size)

Giuseppe Bianchi Success/Failure  Authenticator in turn computes the digest  It has identifier, challenge, and the secret key  In fact there is the user id repeated in the “name” field (password from DB lookup)  And compares with that received  If OK, send back Success (Code 03)  If NO, send back Failure (Code 04) and terminate link  Message: optional field, intended for human Code 1 byte 03 or 04 Code 1 byte 03 or 04 Identifier 1 byte Identifier 1 byte Length 2 bytes Length 2 bytes Message *** Message *** PPP Challenge Handshake Authentication Protocol (REAL TRACE EXAMPLE) Code: 0x 03 (Challenge) Identifier: 0x 01 Length: 0x (4 bytes) [no message in the considered inmplementation!]

Giuseppe Bianchi Password based Authentication: Extensions

Giuseppe Bianchi Passwd protection in DB? 1) UID, passwd 2) Ack/Nack Remote User Authenticator User Database … … UID passwd … … Passwd DB in clear… Significant vulnerability!

Giuseppe Bianchi Passwd protection in DB: storing passwd hashes! 1) UID, passwd 2) Ack/Nack Remote User Authenticator User Database … … UID H(passwd) … … Authenticator: 1) receives UID & passwd (clear text) 2) computes hash H(passwd) - any locally used Hash OK; Linux = MD5 3) compares with DB entry

Giuseppe Bianchi Dictionary attack…  Many users use predictable passwd  Dictionary attack:  Hashing does not help  Will see in a dedicated laboratory!

Giuseppe Bianchi One-time passwd  Is it possible to extend PAP so that user changes passwd at every (successful) attempt?  If it is, would prevent playback attacks UID=“Flavia”, passwd=“087654” OK UID=“Flavia”, passwd=“087654” NO!!

Giuseppe Bianchi One-time passwd: trivial… but… UID=“Flavia”, passwd=“087654” OK User Database … … Flavia … …… …  N (large) passwd per user  users  HUGE DB!! Not viable

Giuseppe Bianchi Idea: hash chains One way hash Given this value, you can trivially compute next one But given this value, you cannot compute previous one P[0] = starting point P[i] = H(P[i-1]) P[N] = last value

Giuseppe Bianchi One-time passwd: practical P[0] offline Compute P[0]…P[N] Compute & store Flavia  P[N+1] UID=“Flavia”, passwd= P[N] If H(P[N])==P[N+1] OK; store P[N] UID=“Flavia”, passwd= P[N-1] … … … UID=“Flavia”, passwd= P[i-1] Stored P[i] If H(P[i-1])==P[i] OK; store P[i-1]

Giuseppe Bianchi One-time passwd benefits  Passwd in clear = OK  Authenticator only stores USED passwd  no way to predict next one (1-way hash)  Authenticator only stores 1 value  Same complexity as in ordinary PAP  Issues:  Large N to prevent frequent renegotiation  Client size = vulnerable (must store passwd seed or whole vector)

Giuseppe Bianchi Issues with CHAP

Giuseppe Bianchi Basic CHAP vulnerability  Authenticator MUST store passwd in clear!  Otherways no way to compute H(id, pw, challenge)  Authenticator storage = straightforward target for attack!  Even worse than PAP!! CHALLENGE = RESPONSE = Flavia, H(id | mypass | ) ACK or NACK User Database … … flavia mypass … …

Giuseppe Bianchi Idea: “salt” CHALLENGE = ; SALT = 9876 RESPONSE = Flavia, H(id | H(9876,mypass) | ) ACK or NACK User Database: SALT=9876 … … flavia H(9876,mypass) … …  Attacker may only access to “salted” passwd  Different salt for different authenticator servers  breaking one != breaking all  Refresh DB periodically  Someone must take care of this… more later SALT: Same idea can be used also in PAP (of course)

Giuseppe Bianchi CHAP and mutual authentication /1 ID=2; CHALLENGE = RESP: Flavia, H(ID=2, sharedsecret, ) ACK ID=3; CHALLENGE = RESP: servername, H(ID=3, sharedsecret, ) ACK Usage of a shared Secret… good idea, Easy to manage! Good idea??

Giuseppe Bianchi CHAP and mutual authentication /2 Reflection attack ID=2; CHALLENGE = RESP: client, H(ID=2, sharedsecret, ) ACK ID=2; CHALLENGE = RESP: servername, H(ID=2, sharedsecret, ) ACK VERY risky!!. Attacker:  replays server challenge  accept computed resp  uses resp to authenticate!! Without any info on real client !!

Giuseppe Bianchi Mutual authentication with Challenge-Response (just some hints… no full analysis)

Giuseppe Bianchi Basic idea Boss, C1 Flavia, C2, H(secret, C1) Boss, H(secret, C2) C1!=C2 C2!=C1 Flavia shows knowledge of secret over C1 Boss shows knowledge of secret over C2

Giuseppe Bianchi Reflection!  Does not work Boss, C1 Flavia, C2, H(secret, C1) Boss, H(secret, C2) C1!=C2 Boss, C2 Flavia, C3, H(secret, C2) C2!=C1

Giuseppe Bianchi What if reflection is prevented by protocol status?  Attacker may use “other” party! Boss, C1 Flavia, C2, H(secret, C1) Boss, H(secret, C2) Flavia, C2 Boss, C3, H(secret, C2)

Giuseppe Bianchi Let’s try to fix this Boss, C1 Flavia, C2, H(secret, C1, C2) Boss, C3, H(secret, C2, C3) Chaining challenges! Add dependency between challenges in same handshake

Giuseppe Bianchi Does not work Boss, C1 Flavia, C2, H(secret, C1, C2) Boss, C3, H(secret, C2, C3) Boss, C2 Flavia, C3, H(secret, C2, C3) Too many nonces!!

Giuseppe Bianchi Minimize nonces Boss, C1 Flavia, C2, H(secret, C1, C2) Boss, H(secret, C2, C1) Same challenges, but different values (order!) No reflection possible anymore

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.