Password Authentication Protocol

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Alandekok (talk | contribs) at 19:14, 13 April 2022 (The issue with PAP is not "PAP is in secure". The issue is that PPP does not encrypt or secure any of the PPP data. And PAP is carried inside of PPP. Further, the "geeks for geeks" site has a lot of misleading and/or incorrect statements about PAP versus CHAP.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Password Authentication Protocol (PAP) is a password-based authentication protocol used by the Point-to-Point Protocol (PPP) to validate users.[1] PAP is specified in RFC 1334.

Almost all network operating systems support PPP with PAP, as do most network access servers. PAP is also used in PPPoE, for authenticating DSL users.

As the Point-to-Point Protocol (PPP) sends data unencrypted and "in the clear", PAP is vulnerable to any attacker who can observe the PPP session. An attacker can see the user's name, password, and any other information associated with the PPP session. Some additional security can be gained on the PPP link by using CHAP or EAP.

PAP by itself is therefore considered a weak authentication scheme. Weak schemes are simpler and have lighter computational overhead than more complex schemes such as Transport Layer Security (TLS), but they are much more vulnerable to attack. Weak schemes are used where the transport layer is expected to be physically secure, such as a home DSL link. Where the transport layer is not physically secure, a system such as Transport Layer Security (TLS) or Internet Protocol Security (IPsec) is used instead.

Other Uses of PAP

PAP is also used to describe password authentication in other protocols such as RADIUS and Diameter. However, those protocols provide for transport or network layer security, and thus do not have the security issues seen when PAP is used with PPP.

Working cycle

PAP authentication is only done at the time of the initial link establishment, and verifies the identity of the client using a two-way handshake.

  1. The client sends its username and password. This is sent repeatedly until a response is received from the server.
  2. The server sends an Authentication-Ack (if the credentials are OK) or an Authentication-Nak (otherwise).[2]

PAP Packets

Description

                        1 byte    1 byte  2 bytes  1 byte           Variable  1 byte           Variable
Authentication-request  Code = 1  ID      Length   Username length  Username  Password length  Password
Authentication-ack      Code = 2  ID      Length   Message length   Message
Authentication-nak      Code = 3  ID      Length   Message length   Message

PAP packet embedded in a PPP frame. The protocol field has a value of C023 (hex).

Flag | Address | Control | Protocol (C023 hex) | Payload (PAP packet, table above) | FCS | Flag
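The following is an added example, not code from the article or from any PPP implementation. It encodes and decodes the three PAP packet types exactly as laid out in the table above, runs the two-way handshake from the "Working cycle" section (client request, server ack or nak), and includes a small eavesdrop() helper that shows the point made earlier on the page: a passive observer of the PPP link reads the username and password straight out of the Authentication-Request bytes. The credential table and the ack/nak message strings are constructed for the demo; the server uses a constant-time comparison, which is a hardening choice of this example and not something RFC 1334 requires.

```python
import hmac
import struct

# PAP code values from RFC 1334 (shown in the article's packet table)
AUTH_REQUEST = 1
AUTH_ACK = 2
AUTH_NAK = 3

# PPP protocol number for PAP (C023 hex), as given in the article
PPP_PROTOCOL_PAP = 0xC023


def build_auth_request(ident: int, username: bytes, password: bytes) -> bytes:
    """Encode an Authentication-Request: Code=1 | ID | Length | ulen | user | plen | pass."""
    body = bytes([len(username)]) + username + bytes([len(password)]) + password
    length = 4 + len(body)  # the Code, ID and Length header is 4 bytes
    return struct.pack("!BBH", AUTH_REQUEST, ident, length) + body


def build_auth_response(code: int, ident: int, message: bytes) -> bytes:
    """Encode an Authentication-Ack (2) or Authentication-Nak (3): Code | ID | Length | mlen | msg."""
    body = bytes([len(message)]) + message
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_pap_packet(packet: bytes) -> dict:
    """Decode any of the three PAP packet types; raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("packet shorter than PAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or length < 4:
        raise ValueError("length field inconsistent with packet size")
    body = packet[4:length]
    if code == AUTH_REQUEST:
        if not body:
            raise ValueError("missing username length")
        ulen = body[0]
        if 1 + ulen + 1 > len(body):
            raise ValueError("username runs past packet end")
        username = body[1:1 + ulen]
        plen = body[1 + ulen]
        pw_start = 2 + ulen
        if pw_start + plen > len(body):
            raise ValueError("password runs past packet end")
        password = body[pw_start:pw_start + plen]
        return {"code": code, "id": ident, "username": username, "password": password}
    if code in (AUTH_ACK, AUTH_NAK):
        if not body:
            raise ValueError("missing message length")
        mlen = body[0]
        if 1 + mlen > len(body):
            raise ValueError("message runs past packet end")
        return {"code": code, "id": ident, "message": body[1:1 + mlen]}
    raise ValueError(f"unknown PAP code {code}")


def server_handle_request(packet: bytes, credentials: dict) -> bytes:
    """Server side of the two-way handshake: ack if the username/password pair matches."""
    req = parse_pap_packet(packet)
    if req["code"] != AUTH_REQUEST:
        raise ValueError("expected Authentication-Request")
    expected = credentials.get(req["username"])
    # Constant-time comparison (example hardening, not part of RFC 1334).
    if expected is not None and hmac.compare_digest(expected, req["password"]):
        return build_auth_response(AUTH_ACK, req["id"], b"Login ok")
    return build_auth_response(AUTH_NAK, req["id"], b"Authentication failed")


def eavesdrop(packet: bytes) -> tuple:
    """What a passive observer of the PPP link learns from an Authentication-Request: everything."""
    req = parse_pap_packet(packet)
    return req["username"], req["password"]


def run_handshake(username: bytes, password: bytes, credentials: dict, ident: int = 7) -> int:
    """Client sends one request; return the code the server answered with (2 = ack, 3 = nak)."""
    request = build_auth_request(ident, username, password)
    response = server_handle_request(request, credentials)
    return parse_pap_packet(response)["code"]


if __name__ == "__main__":
    table = {b"alice": b"s3cret"}  # constructed credential table for the demo
    print("correct password ->", run_handshake(b"alice", b"s3cret", table))
    print("wrong password   ->", run_handshake(b"alice", b"guess", table))
    print("observer sees    ->", eavesdrop(build_auth_request(1, b"alice", b"s3cret")))
```

The parser checks every length field against the bytes actually present before slicing, which is the kind of check a real PPP peer needs since the Length header and the inner length octets come from the other end of the link; the eavesdrop() function needs no key or computation at all, which is the whole reason the page recommends CHAP, EAP or a protected transport when the link is not physically secure.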

Notes

  1. ^ "Password Authentication Protocol (PAP)". GeeksforGeeks. 2018-07-17. Retrieved 2020-11-08.
  2. ^ Forouzan (2007). Data Commn & Networking 4E Sie. McGraw-Hill Education (India) Pvt Limited. pp. 352–. ISBN 978-0-07-063414-5. Retrieved 24 November 2012.