Point-to-Point Protocol (PPP) Security Connecting to remote access servers (RASs) PPP authentication PPP confidentiality Point-to-Point Tunneling Protocol.


1 Point-to-Point Protocol (PPP) Security
– Connecting to remote access servers (RASs)
– PPP authentication
– PPP confidentiality
– Point-to-Point Tunneling Protocol (PPTP)

2 PPP
Point-to-Point Protocol (PPP)
– Data link layer protocol
– Created for dialing into a network’s remote access server (RAS), then getting access to internal resources
– Also used for dialing into an ISP
[Figure: PPP connection from the user to the RAS]

3 PPP
Authentication
– Optional in PPP
– If done, it is done during the authentication phase of PPP’s initial negotiation process
[Figure: PPP connection; the applicant tells the RAS “I am X”]

4 PPP
PPP offers several authentication options, which are not equally strong:
– Password Authentication Protocol (PAP)
– Challenge-Response Handshake Protocol (CHAP)
– MS-CHAP: Microsoft version of CHAP
– Extensible Authentication Protocol (EAP)

5 PPP
Password Authentication Protocol (PAP)
– The applicant sends the verifier one or more PAP authentication request messages giving the applicant’s user name and password
– It stops sending when the verifier sends an authentication-ACK message or a termination message
[Figure: applicant sends PAP Auth RQ (repeated) to the RAS; the RAS replies with PAP Auth ACK]

6 PPP
Password Authentication Protocol (PAP)
– The password is sent in the clear (without confidentiality), so PAP is dangerous
[Figure: PAP Auth RQ to the RAS contains the user’s unencrypted password]

7 PPP
Password Authentication Protocol (PAP)
– Authentication is done only once, at the beginning of the session
– If the session is taken over by an impostor, there is no further check of authentication

8 PPP
Challenge-Response Handshake Protocol (CHAP)
– The verifier (RAS) sends a CHAP request-authentication message
– The applicant must respond with a response message
[Figure: RAS sends CHAP ARQ message; applicant returns CHAP Resp message]

9 PPP
CHAP
– This may be done several times per session for ongoing authentication, to ensure that the session has not been hijacked (taken over by an impostor)

10 PPP
CHAP
– The applicant and verifier have a shared secret
– The applicant adds the shared secret to the request message, then hashes the combination to produce the response message
[Figure: CHAP Authentication Request Message + Shared Secret → Hash → CHAP Authentication Response Message]

11 PPP
CHAP
– The verifier adds the shared secret to its original request message, then hashes the combination
– If this computed response matches the transmitted response message, the applicant knows the shared secret and so is authenticated
[Figure: Original Authentication Request Message + Shared Secret → Hash → Computed Authentication Response Message, compared with the Transmitted Authentication Response Message]

12 PPP
MS-CHAP
– Microsoft version of CHAP
– The shared secret is the user’s password for the remote access server (RAS)
[Figure: MS-CHAP Authentication Request Message + RAS Password → Hash → MS-CHAP Authentication Response Message]

13 PPP
MS-CHAP
– Realistic in terms of how RASs usually work
– Only as strong as the password, which often is very weak
– Must enforce strong passwords
[Figure: MS-CHAP Authentication Request Message + RAS Password → Hash → MS-CHAP Authentication Response Message]
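The CHAP exchange of slides 8–11 and the MS-CHAP variant of slides 12–13, as an added example that is not part of the presentation. The applicant hashes the request (challenge) together with the shared secret; the verifier recomputes the hash with its own copy of the secret and compares. The hash input ordering (identifier, secret, challenge) and the use of MD5 follow RFC 1994; the `Verifier` class, its `pending` table and the one-time use of each challenge are this example’s own additions, showing why a captured response cannot be replayed against a later challenge.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): CHAP-style challenge/response as the slides describe it.
# Hash input = identifier || shared secret || challenge, MD5, as in RFC 1994 (legacy, shown only
# to mirror the protocol; not a recommendation for new designs).

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Applicant side: combine the request (challenge) with the shared secret, then hash."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Verifier:
    """RAS side: issues fresh challenges and checks responses against the shared secret.
    For MS-CHAP the shared secret is simply the user's RAS password."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets               # user name -> shared secret
        self.pending: dict[int, bytes] = {}  # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # CHAP identifier is one octet
        chal = os.urandom(16)                     # unpredictable and never reused
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)      # each challenge is accepted once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> tuple[bool, bool]:
    """One session: a fresh challenge succeeds, re-sending the same response does not."""
    secret = b"correct horse battery staple"     # constructed sample RAS password
    ras = Verifier({"alice": secret})
    ident, chal = ras.challenge()
    resp = chap_response(ident, secret, chal)    # applicant never sends the secret itself
    first = ras.verify(ident, "alice", resp)
    replay = ras.verify(ident, "alice", resp)    # challenge already consumed
    return first, replay
```

Because only the hash travels over the link, a wrong or guessed secret yields a different response and is rejected; the strength of the scheme therefore rests entirely on the secret, which is the point slide 13 makes about MS-CHAP passwords.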

14 PPP
Extensible Authentication Protocol (EAP)
– During the authentication phase of the initial PPP negotiations, the two sides merely assert that EAP will be used
– After the negotiation phase, which is very limited, EAP does further negotiation on how authentication will be done
[Figure: applicant and RAS agree to use EAP, then negotiate more later]

15 PPP
PPP Confidentiality
– Optional (not mandatory)
– Negotiated using the PPP encryption control protocol during the initial negotiation phase
[Figure: confidential message sent to the RAS]

16 PPP
PPP Confidentiality
– Current options are DES-CBC and 3DES-CBC
– Cipher block chaining (CBC) is discussed under IPsec in this chapter
[Figure: confidential message sent to the RAS]

17 PPP
PPP Confidentiality Encapsulation
– Encrypt the PPP frame with DES-CBC or 3DES-CBC
– Put the encrypted frame in the data field of a new PPP frame
– Send the frame to the RAS
[Figure: New PPP Header | Encrypted PPP Frame in Data Field | New PPP Trailer]
