Authentication Protocols

Two primary technologies are required for securing data transmissions: encryption and authentication. Encryption was discussed earlier; in this section, authentication protocols are reviewed.

When designing a remote connection strategy, it is critical to consider how remote users will be authenticated. Authentication defines the way in which a remote client and server negotiate a user's credentials when the user is trying to gain access to the network. Depending on the operating system used and the type of remote access involved, several different protocols are used to authenticate a user. The following authentication protocols are used with various technologies, including PPP:

  • Challenge Handshake Authentication Protocol (CHAP): CHAP is an authentication system that uses the MD5 hash to protect authentication responses, so the secret itself is never sent across the link. CHAP is a commonly used protocol, and as the name suggests, anyone trying to connect is challenged for authentication information. When the correct information is supplied, the systems "shake hands," and the connection is established.

  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): MS-CHAP, based on CHAP, was developed to authenticate remote Windows-based workstations. There are two versions of MS-CHAP; the main difference between the two is that MS-CHAP version 2 offers mutual authentication. This means that both the client and the server must prove their identities in the authentication process. Doing so ensures that the client is connecting to the expected server.

  • Password Authentication Protocol (PAP): PAP is the least secure of the authentication methods because it sends passwords unencrypted. PAP is often not the first choice of protocol; rather, it is used when more sophisticated types of authentication fail between a server and a workstation.

  • Extensible Authentication Protocol (EAP): EAP is an extension made to standard PPP. EAP has additional support for a variety of authentication schemes, including smart cards. It is often used with VPNs to add security against brute-force or dictionary attacks.

  • Shiva Password Authentication Protocol (SPAP): SPAP is an encrypting authentication protocol used by Shiva remote access servers. SPAP offers a higher level of security than other authentication protocols such as PAP, but it is not as secure as CHAP.
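To make the CHAP and PAP descriptions above concrete, here is an added example (not part of the original text) that models one round of each exchange: CHAP computes its response as the MD5 hash of the Identifier, the shared secret and the challenge (the RFC 1994 construction), while PAP simply transmits the password. The secret, peer ID and identifier value are constructed for the demonstration, and the "on the wire" byte strings stand in for what a passive observer of the link would see.

```python
import hashlib
import hmac
import os

# Constructed sample values for the demonstration; not from any real system.
SECRET = b"correct horse battery staple"
PEER_ID = b"alice"
IDENTIFIER = 0x2A  # one-byte Identifier field of the CHAP Challenge packet


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest from the stored secret, compare in constant time.
    Note the server must hold the secret itself (not a one-way hash of it) to do this."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_exchange(server_secret: bytes, client_secret: bytes, challenge=None):
    """One CHAP round: server challenges, client answers, server verifies.
    Returns (accepted, bytes an observer of the link would see)."""
    if challenge is None:
        challenge = os.urandom(16)  # must be fresh and unpredictable every round
    response = chap_response(IDENTIFIER, client_secret, challenge)
    accepted = chap_verify(IDENTIFIER, server_secret, challenge, response)
    return accepted, challenge + response


def pap_exchange(server_password: bytes, client_password: bytes):
    """One PAP round: the client sends Peer-ID and password in the clear."""
    on_wire = PEER_ID + b":" + client_password
    accepted = hmac.compare_digest(server_password, client_password)
    return accepted, on_wire


def replayed_response_accepted(server_secret: bytes, client_secret: bytes) -> bool:
    """Offer a response captured from one round against a later, fresh challenge.
    Because the challenge changes, the old digest no longer verifies."""
    _, wire = chap_exchange(server_secret, client_secret)
    captured = wire[16:]  # 16-byte MD5 digest following the 16-byte challenge
    return chap_verify(IDENTIFIER, server_secret, os.urandom(16), captured)


if __name__ == "__main__":
    ok, wire = chap_exchange(SECRET, SECRET)
    print("CHAP accepted:", ok, "| secret visible on link:", SECRET in wire)
    ok, wire = pap_exchange(SECRET, SECRET)
    print("PAP accepted:", ok, "| secret visible on link:", SECRET in wire)
```

The check on the link bytes is the practical difference the section draws: the PAP bytes contain the password verbatim, whereas the CHAP bytes contain only a challenge and a digest, and a digest recorded once is useless against the next challenge.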