2.18. Identifying Authentication Protocols

When two computers exchange information through a network, the only physical change that takes place is a fluctuation in current or radio signal (in the case of a wireless communication). Based on the precise way the fluctuation occurs, we can use authentication protocols that enable one computer or user to prove its identity to another user. In essence, authentication protocols are the way that a computer or a user communicates the concept, "I am who I say I am and I can prove it."

Authentication protocols have evolved over the last several years, and there are many from which you can choose depending on your network's security needs. We will discuss the common authentication protocols in use today.

2.18.1. Critical Information

Due to an ever-increasing need for stronger security, authentication protocols have evolved over the last several years, and they continue to evolve. Basically, there are only three ways that a user can prove his identity: something he knows, something he has, or something he is. The latest methods of security combine two or even all three of these factors, creating a new method referred to as multifactor authentication.

You should be able to identify the most common authentication protocols. You should know which clients can use each protocol and the type of network that is likely to use each type of protocol. In this section, we will discuss some of the older authentication protocols as well as the most common authentication protocols used in today's networks.

2.18.1.1. Password Authentication Protocol (PAP)

Password Authentication Protocol (PAP) is an older remote access authentication protocol that is not commonly used in today's networks. PAP uses a two-way handshake mechanism. In other words, the server asks the client for the password and the client provides the password in clear text. If anyone is "listening in" or sniffing the network, they can also see the password in clear text and use it. Because of this limitation, PAP is not considered a secure authentication protocol and would therefore only be used in networks that do not require security.

2.18.1.2. Challenge Handshake Authentication Protocol (CHAP)

Challenge Handshake Authentication Protocol (CHAP) is a remote access authentication protocol that uses a password that is a shared secret between the server and client, but the password is never sent in clear text. Instead, a three-way handshake is used: the server sends the client a challenge string, and the client proves that it knows the password by inserting it into that challenge string and returning the result. When the server receives the password inserted into the challenge string, the server removes the challenge string and compares the password with the one that it knows. If the two are the same, then the communication can continue. If they are not the same, then the communication will be terminated. In this way, CHAP establishes authentication without having to send a password in clear text. CHAP is the strongest authentication method that can be used when there is a mixture of Microsoft clients and other types of clients such as Novell, Unix, or Apple.
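The contrast between PAP and CHAP described above, as an added example that is not part of the original text: a PAP Authenticate-Request carries the password itself, so a passive observer of the link sees it, while a CHAP response is a digest computed over the challenge. The response computation follows RFC 1994 (MD5 over the identifier, the secret and the challenge), which is more specific than the text's description; the shared secret, usernames and challenges are constructed for the example.

```python
import hashlib
import secrets

# Constructed shared secret; in practice it is provisioned out of band on both ends.
SHARED_SECRET = b"correct horse battery staple"


def pap_authenticate_request(username: str, password: bytes) -> bytes:
    """PAP: the client's Authenticate-Request carries the password in clear text."""
    return username.encode() + b"\x00" + password


def pap_verify(frame: bytes, stored_password: bytes) -> bool:
    """PAP server side: split the frame and compare the password directly."""
    _user, _sep, received = frame.partition(b"\x00")
    return secrets.compare_digest(received, stored_password)


def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """CHAP client side (RFC 1994 section 2): MD5(ID || secret || challenge).

    The secret never appears on the wire; only this 16-byte digest does.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """CHAP server side: recompute the expected digest for the challenge it issued."""
    expected = chap_response(identifier, challenge, secret)
    return secrets.compare_digest(response, expected)


def observer_sees_secret(frame: bytes, secret: bytes) -> bool:
    """What someone sniffing the link learns: True if the secret is literally in the frame."""
    return secret in frame


def run_exchange(challenge_a: bytes, challenge_b: bytes) -> dict:
    """Run a PAP login and two CHAP rounds; return what each side and the observer see.

    challenge_a and challenge_b are two distinct server challenges, so the
    replay of the first CHAP response against the second challenge must fail.
    """
    results = {}

    # PAP: the server accepts, but the observer sees the password too.
    pap_frame = pap_authenticate_request("alice", SHARED_SECRET)
    results["pap_accepted"] = pap_verify(pap_frame, SHARED_SECRET)
    results["pap_leaks_secret"] = observer_sees_secret(pap_frame, SHARED_SECRET)

    # CHAP round 1: server issues challenge_a, client answers with a digest.
    ident = 7
    response_a = chap_response(ident, challenge_a, SHARED_SECRET)
    results["chap_accepted"] = chap_verify(ident, challenge_a, response_a, SHARED_SECRET)
    results["chap_leaks_secret"] = observer_sees_secret(response_a, SHARED_SECRET)

    # CHAP round 2: the captured response_a is replayed against a fresh challenge.
    results["chap_replay_accepted"] = chap_verify(ident + 1, challenge_b, response_a, SHARED_SECRET)
    return results


if __name__ == "__main__":
    print(run_exchange(secrets.token_bytes(16), secrets.token_bytes(16)))
```

Because the server issues a fresh random challenge each time, a captured CHAP response is useless later; the remaining exposure is that the digest can be checked offline against password guesses, which is why the shared secret needs to be long and random rather than a memorable word.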

2.18.1.3. Microsoft Challenge Handshake Protocol (MS-CHAP)

Microsoft Challenge Handshake Protocol (MS-CHAP) is Microsoft's variation on the CHAP protocol, which provides even greater security for authentication of Microsoft clients. Because MS-CHAP is specifically written for Microsoft, all clients must be running a Microsoft operating system. While it's possible for any Microsoft clients to use MS-CHAP, it is more likely that it will be used by Windows 95, Windows 98, and Windows NT Workstation clients. This is because the newer clients can use an even more secure protocol referred to as MS-CHAP v2.

2.18.1.4. Microsoft Challenge Handshake Protocol version 2 (MS-CHAP v2)

Microsoft Challenge Handshake Protocol version 2 (MS-CHAP v2) is a much stronger form of remote access authentication that can only be used by Windows 2000 Professional and later clients or Windows 98 clients using a VPN. There are many new features in MS-CHAP v2 that strengthen the security of the authentication mechanisms. The most important of these is the fact that MS-CHAP v2 offers a two-way authentication method. This means that a client can verify that the server is a legitimate server and not a rogue RAS server before it reveals its credentials to the server for authentication. This prevents an attacker from inserting a server into a network environment for the purpose of collecting user credentials for later use. MS-CHAP v2 is a good solution for networks with Microsoft Windows 2000 Server or Windows Server 2003 and clients that are Windows 2000 Professional or later.
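The mutual authentication property described above, as an added example that is not part of the original text: a client that challenges the server first can detect a rogue server that does not hold the shared secret and stop before it sends its own response. This is a generic HMAC-based challenge-response written to illustrate the idea, not MS-CHAP v2's actual algorithm; the secret, the role labels and the message order are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def prove(secret: bytes, role: bytes, challenge: bytes) -> bytes:
    """Answer a challenge. The role label keeps server and client proofs distinct,
    so one side's proof cannot be reflected back as the other side's."""
    return hmac.new(secret, role + challenge, hashlib.sha256).digest()


class Server:
    """A RAS-style server holding (what it believes is) the shared secret."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def answer_client_challenge(self, client_challenge: bytes) -> tuple[bytes, bytes]:
        # Step 2: prove knowledge of the secret first, then issue our own challenge.
        return prove(self.secret, b"server", client_challenge), secrets.token_bytes(16)

    def verify_client(self, server_challenge: bytes, client_response: bytes) -> bool:
        # Step 4: check the client's answer to our challenge.
        expected = prove(self.secret, b"client", server_challenge)
        return hmac.compare_digest(client_response, expected)


class Client:
    """A client that refuses to answer a server it cannot authenticate."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def authenticate(self, server: Server) -> dict:
        # Step 1: challenge the server before revealing anything derived from the secret.
        client_challenge = secrets.token_bytes(16)
        server_proof, server_challenge = server.answer_client_challenge(client_challenge)

        # Step 3: verify the server's proof; abort without sending our response if it fails.
        expected = prove(self.secret, b"server", client_challenge)
        if not hmac.compare_digest(server_proof, expected):
            return {"server_ok": False, "client_ok": False, "credentials_sent": False}

        client_response = prove(self.secret, b"client", server_challenge)
        client_ok = server.verify_client(server_challenge, client_response)
        return {"server_ok": True, "client_ok": client_ok, "credentials_sent": True}


def run_scenarios() -> dict:
    """Legitimate server versus a rogue server that guessed the wrong secret."""
    real_secret = b"constructed-shared-secret"     # constructed for the example
    client = Client(real_secret)
    return {
        "legitimate": client.authenticate(Server(real_secret)),
        "rogue": client.authenticate(Server(b"wrong-secret")),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

With one-way CHAP the client would have answered the rogue server's challenge unconditionally; here `credentials_sent` stays False for the rogue case, which is the behaviour the text attributes to MS-CHAP v2.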

2.18.1.5. RADIUS Authentication

As we discussed earlier in this chapter, RADIUS authentication occurs when a device such as a RADIUS server or a wireless WAP defers the authentication to a centralized authority such as a domain controller in a Microsoft Active Directory. The device that receives the remote access request simply acts as a go-between, and the actual authentication occurs at the centralized authenticator. This is a viable method of authentication for remote access connections and wireless connections to a domain environment such as Microsoft Active Directory or Novell Directory Services.

2.18.1.6. Kerberos Authentication

Kerberos authentication is a form of local authentication that is used on most networks today. It was developed by the Massachusetts Institute of Technology (MIT) and has been adopted by many vendors, including Microsoft. Kerberos allows the private exchange of information and instruction in what would otherwise be an open network. Using Kerberos authentication, clients can log onto a Windows Active Directory or Novell's NDS and browse resources to which they are assigned permissions.

Kerberos is named for the mythical three-headed dog that guarded the gates of Hades. It uses a series of tickets, which allow a client to prove that it should have access to a resource. Since the tickets are valid only for a short period of time after they are issued, Kerberos prevents an internal attacker from "replaying" a conversation and thereby gaining access to a resource for which he does not have permission.
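The two checks the text attributes to Kerberos tickets (a short validity window and protection against replaying a captured conversation), as an added example that is not part of the original text. Real Kerberos tickets and authenticators are encrypted structures; this simplified model keeps only the fields needed to show the validity window, the clock-skew tolerance and the replay cache. The 5-minute skew is Kerberos' usual default; the principal names, ticket lifetime and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Kerberos servers tolerate a small clock difference between parties (5 minutes
# by default) and remember recently seen authenticators to reject replays.
MAX_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class Ticket:
    client: str       # principal the ticket was issued to
    service: str      # service the ticket is good for
    start: datetime   # not valid before
    end: datetime     # not valid after


@dataclass(frozen=True)
class Authenticator:
    client: str         # must match the ticket's principal
    timestamp: datetime  # when the client built this authenticator


@dataclass
class ServiceVerifier:
    service: str
    replay_cache: set = field(default_factory=set)

    def accept(self, ticket: Ticket, auth: Authenticator, now: datetime) -> str:
        """Return 'ok' or the reason the presentation is rejected."""
        if ticket.service != self.service:
            return "ticket is for another service"
        if ticket.client != auth.client:
            return "authenticator does not match ticket"
        if not ticket.start <= now <= ticket.end:
            return "ticket expired or not yet valid"
        if abs(now - auth.timestamp) > MAX_SKEW:
            return "authenticator timestamp outside clock skew"
        key = (auth.client, auth.timestamp)
        if key in self.replay_cache:
            return "replayed authenticator"
        self.replay_cache.add(key)
        return "ok"


def run_scenario() -> list:
    """Present one ticket four times and collect the verifier's decisions."""
    issued = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed time base
    ticket = Ticket("alice@EXAMPLE", "cifs/fileserver", issued, issued + timedelta(hours=8))
    verifier = ServiceVerifier("cifs/fileserver")

    first = Authenticator("alice@EXAMPLE", issued + timedelta(minutes=1))
    return [
        verifier.accept(ticket, first, issued + timedelta(minutes=1)),            # fresh
        verifier.accept(ticket, first, issued + timedelta(minutes=2)),            # replayed
        verifier.accept(ticket, first, issued + timedelta(minutes=30)),           # stale authenticator
        verifier.accept(ticket, Authenticator("alice@EXAMPLE", issued + timedelta(hours=9)),
                        issued + timedelta(hours=9)),                             # ticket expired
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The replay cache only has to hold authenticators for as long as the skew window, which is what makes the short-lived timestamp and the cache work together: anything older than the window is rejected by the skew check, anything newer is caught by the cache.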

2.18.1.7. Extensible Authentication Protocol (EAP)

As the name suggests, Extensible Authentication Protocol (EAP) is an open set of standards that allows the addition of new methods of authentication. EAP can also use certificates from other trusted parties as a form of authentication. It is currently used primarily for smart cards, but it will soon evolve and be used for many forms of biometric authentication using a person's fingerprint, retina scan, and so on.

2.18.1.8. Exam Essentials

Know the characteristics of PAP. PAP is a remote access protocol that sends a password in clear text with a two-way handshake. The only networks that might use PAP today would be those in which security is of no concern.

Describe the characteristics of CHAP. CHAP is considered to be the strongest protocol that can be used on a server if the clients are not all Microsoft clients. CHAP uses a three-way handshake to verify that the user knows the password without sending the password in clear text.

List the characteristics of MS-CHAP. MS-CHAP is Microsoft's version of CHAP made specifically for use with Microsoft clients. MS-CHAP provides even greater authentication security, but it can only be used with Microsoft clients. All Microsoft clients can use MS-CHAP, but it will most likely be used by Windows 95, Windows 98, and Windows NT Workstation clients, since newer clients can use even more secure protocols, such as MS-CHAP v2.

Know the characteristics of MS-CHAP v2. MS-CHAP v2 is a remote access protocol that provides several features that make it more secure than MS-CHAP. The most important of these features is the mutual authentication, whereby the client authenticates the server as well as the server authenticating the client. MS-CHAP v2 is available only for Windows 2000 Professional and later clients, and Windows 98 clients on VPNs.

Describe how RADIUS authentication works. RADIUS authentication is a process of using a server or another device as a go-between that connects the client to the network after the client is authenticated by a central authenticator. RADIUS authentication can be used for remote access as well as wireless access to a network. A domain controller running Microsoft Active Directory can provide a centralized authenticator for RADIUS authentication.

Know the characteristics of Kerberos. Kerberos is a local security protocol that creates a secure communication channel using a series of tickets. The Kerberos tickets are valid only for a short period of time to prevent an internal replay attack. Kerberos is the default authentication protocol in Windows Active Directory as well as Novell Directory Services.

List the characteristics of EAP. EAP is a set of open standards that allows for the expansion of authentication protocols. EAP currently uses mostly smart card authentication and trusted certificate authentication, but it is quickly evolving to include biometric identification such as fingerprints, eye scans, and so on.
