Password Authentication Protocol
A password authentication protocol (uncapitalized) is an authentication protocol that uses a password.
PAP is used by the Point-to-Point Protocol (PPP) to validate users before allowing them access to server resources. Almost all network operating systems' remote-access servers support PAP.
PAP transmits unencrypted ASCII passwords over the network, so anyone who can observe the link can read them, and it is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol such as CHAP or EAP (the latter is strictly a framework rather than a single protocol).
Password-based authentication is any protocol in which two entities share a password in advance and use it as the basis of authentication. Existing password authentication schemes are commonly divided into two types: weak-password authentication schemes and strong-password authentication schemes (in this terminology a "weak-password" scheme is one built to protect a low-entropy password, typically with public-key operations, while a "strong-password" scheme relies on one-way hash functions). In general, strong-password authentication protocols have the advantage over weak-password schemes that their computational overhead is lighter, their designs are simpler and their implementation is easier, which makes them especially suitable for constrained environments.
Communicating securely over a public network
It is common for two entities to authenticate each other in order to protect the privacy of their later communication, but the cost in computational overhead and storage is too high for certain applications such as PDAs and mobile phones. Another way of addressing this problem is for the two entities to share a password in advance and then use the password as the authentication token. Traditional password protocols are susceptible to off-line dictionary attacks: many users choose passwords of relatively low entropy, so an adversary who has captured a protocol transcript can try every password from a small dictionary against it without contacting the server again. An online attack, by contrast, is easily detected and contained by placing a limit on the number of unsuccessful authentication attempts. The security of a password-based protocol therefore requires in particular that it cannot be broken by an off-line dictionary attack.
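The asymmetry described above, as an added example that is not part of the original article: a challenge-response protocol hides the password on the wire, but a captured transcript can still be attacked offline, whereas the same dictionary run online is stopped by an attempt limit. The response function is CHAP with MD5 (Response = MD5(Identifier || secret || Challenge), per RFC 1994); the dictionary, the user name "alice", the secret and the lock-out threshold are constructed sample data, and the server class is a hypothetical stand-in, not any real implementation.

```python
import hashlib
import secrets

# Constructed sample dictionary; the real secret is deliberately the last entry.
DICTIONARY = [b"password", b"123456", b"letmein", b"qwerty", b"summer2019"]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def offline_dictionary_attack(ident: int, challenge: bytes, observed: bytes, dictionary):
    """Replay one captured exchange against every candidate; the server is never contacted.

    Returns (recovered_secret_or_None, number_of_candidates_tried).
    """
    tried = 0
    for candidate in dictionary:
        tried += 1
        if chap_response(ident, candidate, challenge) == observed:
            return candidate, tried
    return None, tried


class OnlineGuessingTarget:
    """Hypothetical server: counts failed responses per user and locks the account at a limit."""

    def __init__(self, secrets_by_user: dict, max_failures: int = 3):
        self.secrets = secrets_by_user
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def challenge(self) -> bytes:
        # fresh random challenge per attempt, so old responses cannot be replayed
        return secrets.token_bytes(16)

    def verify(self, user: bytes, ident: int, challenge: bytes, response: bytes) -> str:
        if user in self.locked:
            return "locked"
        if user in self.secrets and chap_response(ident, self.secrets[user], challenge) == response:
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "rejected"


def online_dictionary_attack(target: OnlineGuessingTarget, user: bytes, dictionary):
    """Same dictionary, but each guess is one live authentication attempt.

    Returns (recovered_secret_or_None, number_of_attempts_made).
    """
    attempts = 0
    for candidate in dictionary:
        attempts += 1
        challenge = target.challenge()
        result = target.verify(user, 1, challenge, chap_response(1, candidate, challenge))
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    ident, challenge = 1, bytes(range(16))   # constructed captured exchange
    observed = chap_response(ident, b"summer2019", challenge)
    print("offline:", offline_dictionary_attack(ident, challenge, observed, DICTIONARY))
    target = OnlineGuessingTarget({b"alice": b"summer2019"}, max_failures=3)
    print("online: ", online_dictionary_attack(target, b"alice", DICTIONARY))
```

The offline run walks the whole dictionary and recovers the secret on the fifth candidate; the online run is cut off after three failures. With plain PAP no attack is needed at all, since the password itself is in the captured packet; the point of the example is that moving to a challenge-response exchange removes the cleartext but not the offline-guessing problem, which is what password-authenticated key agreement protocols are designed to address.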
Working cycle
- Client sends an Authentication-Request carrying the username and password (in cleartext)
- Server replies with Authentication-Ack (if the credentials are accepted) or Authentication-Nak (otherwise), carrying the same ID as the request
PAP Packets
Description | 1 byte | 1 byte | 2 bytes | 1 byte | Variable | 1 byte | Variable
---|---|---|---|---|---|---|---
Authentication-request | Code = 1 | ID | Length | Username length | Username | Password length | Password
Authentication-ack | Code = 2 | ID | Length | Message length | Message | |
Authentication-nak | Code = 3 | ID | Length | Message length | Message | |
PAP packet embedded in a PPP frame. The protocol field has the value C023 (hex); the Length field of the PAP packet covers the Code, ID and Length fields and the data that follows them.
Flag | Address | Control | Protocol (C023 hex) | Payload (table above) | FCS | Flag
---|---|---|---|---|---|---
1 byte (7E hex) | 1 byte (FF hex) | 1 byte (03 hex) | 2 bytes | Variable | 2 bytes | 1 byte (7E hex)
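The working cycle, the three packet formats and the PPP framing above, as an added example that is not code from the original article or from any PPP implementation. It builds and parses the packets with the length fields checked, runs the request/ack/nak exchange, wraps the packets in an HDLC-like PPP frame with the RFC 1662 16-bit FCS, and shows what a passive observer of the link recovers. Byte stuffing of 7E/7D is omitted, and the credential store with user "alice" and password "hunter2" is constructed sample data.

```python
import hmac
import struct

PPP_PROTOCOL_PAP = 0xC023                                  # PPP protocol field for PAP
PPP_FLAG, PPP_ADDRESS, PPP_CONTROL = 0x7E, 0xFF, 0x03      # RFC 1662 HDLC-like framing
AUTH_REQUEST, AUTH_ACK, AUTH_NAK = 1, 2, 3


def build_auth_request(ident: int, username: bytes, password: bytes) -> bytes:
    """Code=1 | ID | Length | Username length | Username | Password length | Password."""
    body = bytes([len(username)]) + username + bytes([len(password)]) + password
    return struct.pack("!BBH", AUTH_REQUEST, ident, 4 + len(body)) + body


def build_auth_response(code: int, ident: int, message: bytes) -> bytes:
    """Code=2 (Ack) or 3 (Nak) | ID | Length | Message length | Message."""
    body = bytes([len(message)]) + message
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def _take_field(payload: bytes, offset: int):
    """Read one length-prefixed field, rejecting a length that runs past the packet."""
    if offset >= len(payload):
        raise ValueError("missing length byte")
    n = payload[offset]
    field = payload[offset + 1:offset + 1 + n]
    if len(field) != n:
        raise ValueError("field length exceeds packet")
    return field, offset + 1 + n


def parse_pap(packet: bytes) -> dict:
    """Parse any of the three PAP packet types from the table above."""
    if len(packet) < 4:
        raise ValueError("truncated PAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad Length field")
    payload = packet[4:length]
    if code == AUTH_REQUEST:
        username, off = _take_field(payload, 0)
        password, _ = _take_field(payload, off)
        return {"code": code, "id": ident, "username": username, "password": password}
    if code in (AUTH_ACK, AUTH_NAK):
        message, _ = _take_field(payload, 0)
        return {"code": code, "id": ident, "message": message}
    raise ValueError(f"unknown PAP code {code}")


def server_handle(packet: bytes, credentials: dict) -> bytes:
    """Server side of the working cycle: Ack on a match, Nak otherwise, echoing the request ID."""
    req = parse_pap(packet)
    if req["code"] != AUTH_REQUEST:
        raise ValueError("expected Authentication-Request")
    expected = credentials.get(req["username"])
    # constant-time compare on the server; the cleartext password is already exposed on the wire
    if expected is not None and hmac.compare_digest(expected, req["password"]):
        return build_auth_response(AUTH_ACK, req["id"], b"Login ok")
    return build_auth_response(AUTH_NAK, req["id"], b"Login incorrect")


def _fcs16_raw(data: bytes) -> int:
    """RFC 1662 FCS-16 register: init 0xFFFF, reflected polynomial 0x8408, not yet complemented."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def ppp_frame(pap_packet: bytes) -> bytes:
    """Flag | Address | Control | Protocol C023 | PAP packet | FCS | Flag (byte stuffing omitted)."""
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack("!H", PPP_PROTOCOL_PAP) + pap_packet
    fcs = _fcs16_raw(body) ^ 0xFFFF
    return bytes([PPP_FLAG]) + body + struct.pack("<H", fcs) + bytes([PPP_FLAG])  # FCS low byte first


def ppp_unframe(frame: bytes) -> bytes:
    """Check flags, FCS and protocol field, and return the embedded PAP packet."""
    if len(frame) < 8 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("bad framing")
    body = frame[1:-1]
    if _fcs16_raw(body) != 0xF0B8:        # RFC 1662 "good FCS" residue over data plus FCS
        raise ValueError("FCS mismatch")
    address, control = body[0], body[1]
    protocol = struct.unpack("!H", body[2:4])[0]
    if (address, control, protocol) != (PPP_ADDRESS, PPP_CONTROL, PPP_PROTOCOL_PAP):
        raise ValueError("not a PAP frame")
    return body[4:-2]


def sniff_password(frame: bytes) -> bytes:
    """What a passive observer of the link learns from one request: the password, in the clear."""
    return parse_pap(ppp_unframe(frame))["password"]


def run_exchange(username: bytes, password: bytes, credentials: dict, ident: int = 1) -> dict:
    """Full working cycle: framed client request in, parsed server response out."""
    request = ppp_frame(build_auth_request(ident, username, password))
    response = ppp_frame(server_handle(ppp_unframe(request), credentials))
    return parse_pap(ppp_unframe(response))


if __name__ == "__main__":
    creds = {b"alice": b"hunter2"}      # constructed sample credential store
    print(run_exchange(b"alice", b"hunter2", creds))
    print(run_exchange(b"alice", b"wrong", creds, ident=5))
    print(sniff_password(ppp_frame(build_auth_request(7, b"alice", b"hunter2"))))
```

The length checks in `parse_pap` and `_take_field` matter in practice: the one-byte length fields are attacker-controlled, and a parser that trusts them reads past the packet. The FCS only detects transmission errors; it offers no protection against an attacker who rewrites the frame and recomputes it.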
See also
- CHAP - Challenge-handshake authentication protocol
- EAP - Extensible Authentication Protocol
- RFC 1334 – PPP Authentication Protocols
- Password-authenticated key agreement protocols