The network authentication process can take many different forms. In this video, you’ll learn about PAP, CHAP, EAP, PEAP, Kerberos, single sign-on, and multi-factor authentication.
When you authenticate to a device, you provide a username and a password, and that device then grants you access to the resources that you’re allowed. But something happened behind the scenes. So in this video, we’re going to look at many of the methods that can occur during the user authentication process. One of the most basic authentication methods that’s been around for a very long time is PAP. This is Password Authentication Protocol.
It’s used in many different legacy operating systems and applications. You don’t really see it being used just by itself any longer because PAP is in the clear. Everything that PAP is sending is being sent in its native format. PAP does not have any additional encryption or hashing mechanisms built in as part of it, so generally it’s sending things exactly as they are provided to PAP. Sometimes additional encryption or hashing is applied, but that has to take place before PAP begins its authentication process.
A more advanced authentication protocol is CHAP. This is the Challenge-Handshake Authentication Protocol. This is sending an encrypted challenge across the network. If you see this in a Microsoft product, it’s referred to as MS-CHAP. This is a three-way handshake.
There’s a link established, the server sends a challenge to the end user, and the end user has to respond to that challenge. At that point, the server compares that response with what it has stored in its database of hashes. If those are exactly the same, then you are granted access to that particular resource. If you stay connected to this device for an amount of time, CHAP will occasionally give you another challenge to respond to.
This is something that’s usually cached on your own system so you’re responding with exactly the same response you used originally and you never know that anything is happening behind the scenes. CHAP is doing this so that it can confirm that you are still who you say you are, and by providing this challenge and asking for a response, it knows that it’s still getting a proper response from you. Here’s how this CHAP authentication works visually. As you’re connecting to a service from your client device, the server is going to ask for an authentication. This is the challenge.
And your client is now going to usually get a pop up message to put in a username and password. So we might put in our name and we’ll put in our password– password111, I worked very hard on that password– but instead of sending that password in the clear so that everybody can see it on the network, CHAP encrypts that. It provides the username in plain text, but here is the hash that it sends across the network. This is obviously a one-way hash. You can’t determine what the password is based on this hash that I sent across the network.
At this point, the server receives the hash and it examines a hash that it’s already stored in its database. This is a good example of properly storing password information. My in-the-clear password isn’t stored anywhere on this server, only the hash is stored. If anybody wanted to reconstruct what my password was, they would have to do a brute force attack and go through every possible iteration until they finally came across what my real password was.
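As an added example that is not the video’s own code, here is the CHAP challenge/response exchange from RFC 1994 in Python: the client hashes the packet identifier, the shared secret and the server’s random challenge with MD5, and the server recomputes the same hash from the secret it holds for that user (RFC 1994 requires the verifier to have the secret available). The username, the `SECRET` value and the `demo()` flow are constructed for illustration, and the example also shows why a captured response is useless against a fresh challenge.

```python
import hashlib
import hmac
import os

# Added example, not the video's code: CHAP (RFC 1994) with the MD5 algorithm.
# Response = MD5(Identifier || Secret || Challenge). SECRET is a constructed
# sample matching the video's "password111".
SECRET = b"password111"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: one-way hash over the 8-bit identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Verifier side: issues a fresh random challenge per attempt and checks the response."""

    def __init__(self, secrets: dict) -> None:
        self.secrets = secrets   # username -> shared secret the verifier holds
        self.pending = {}        # username -> (identifier, challenge) awaiting a response

    def issue_challenge(self, username: str):
        identifier = os.urandom(1)[0]   # packet identifier
        challenge = os.urandom(16)      # unpredictable and never reused
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        # Each challenge is single-use, so a captured response cannot be replayed later.
        issued = self.pending.pop(username, None)
        secret = self.secrets.get(username)
        if issued is None or secret is None or issued[0] != identifier:
            return False
        expected = chap_response(identifier, secret, issued[1])
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    """Returns (genuine login accepted, replayed response rejected, wrong secret rejected)."""
    server = ChapServer({"alice": SECRET})
    ident, challenge = server.issue_challenge("alice")
    response = chap_response(ident, SECRET, challenge)
    accepted = server.verify("alice", ident, response)
    # CHAP re-challenges periodically; the earlier response no longer matches.
    ident2, _ = server.issue_challenge("alice")
    replayed = server.verify("alice", ident2, response)
    ident3, challenge3 = server.issue_challenge("alice")
    wrong = server.verify("alice", ident3, chap_response(ident3, b"password112", challenge3))
    return accepted, not replayed, not wrong
```

The one-way property the video describes is in `chap_response`: an observer on the network sees the challenge and the 16-byte digest but cannot run the hash backwards to recover the secret.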
Another method for user authentication is EAP. This is the Extensible Authentication Protocol. It’s a framework with many different mechanisms inside of it that can be used for authenticating users. This is an RFC standard and it’s used across many different types of applications and operating systems. Most commonly we see EAP being used with WPA and WPA2 so that we can provide a secure authentication to our wireless networks.
Another authentication mechanism, again, often seen on wireless networks, is PEAP. PEAP is the Protected Extensible Authentication Protocol, and it was one that was created by Cisco, Microsoft, and RSA. Because this is taking advantage of a TLS tunnel, you need encryption certificates on these devices in order to provide this. But now that you have those certificates in place, you’re able to have an encrypted mechanism to send all of this information over the network. Kerberos is an authentication mechanism that provides many different capabilities.
It is one where we authenticate one time and we’re trusted by the entire system. This is commonly what you might see in Windows where you log into the domain and then all of the resources on the domain can give you proper access to those resources. There’s no need to authenticate to each individual server if you’re using Kerberos because everything is going to be trusted in the proper way. Kerberos also uses something called mutual authentication. Both the client and the server trust the communication between each other, and by using this mechanism, you’re protecting against man-in-the-middle attacks and replay attacks.
Kerberos is a well-established standard. It’s been around really since the 1980s. It was created at the Massachusetts Institute of Technology, and there’s an RFC 4120 if you wanted to read through the details of the Kerberos protocol. This is something that Microsoft started using with Windows 2000, and it was based on Kerberos 5.0’s open standard. This is also a mechanism, when you’re using it with Windows, that you could use with other devices as well. It’s very common to have third-party products be able to authenticate to a Microsoft network using this very standard Kerberos protocol.
This concept of logging in one time to the network and having access to all of the resources that have been assigned to you is something called Single Sign-on. You may see this referred to as SSO. There are many ways to provide SSO. Kerberos is just one example of providing authentication and authorization to the entire network. There are a number of third-party products and options available as well.
You generally don’t see a lot of single sign-on in smaller environments, like a home office or small office, but you have a lot of cloud-based services now that are taking advantage of this. You can go to a lot of cloud-based services that allow you to log in with your Google login or your Facebook login or your Twitter login. Those are using protocols and mechanisms behind the scenes that allow single sign-on using this well-known authentication method. Kerberos works behind the scenes by using something called tickets to provide authentication and authorization.
Here’s a good example. The first thing you might do is provide a Ticket Granting Ticket to a Ticket Granting Service. This has your username and password, maybe domain credentials and other information. This is the service that’s going to decide whether you gain access to the rest of the network and if your authentication is correct, it provides you with a very important service ticket. This is the ticket you’re now going to present to everyone else to prove that you are who you say you are.
So you can present this service ticket to other servers and other services on your network, and it will trust that you are who you say you are and grant you access based on your authentication information. This way you don’t have to put in usernames and passwords every time you connect to a new device on the network. You simply present your ticket, and you’re granted the proper access for your username. This is something that’s very specific to Kerberos. Not all devices out there understand a Kerberos login.
So if you’re going to a third-party product that’s expecting a different kind of authentication, you’ll have to use some other method rather than Kerberos. When you’re authenticating, you’re often asked for a number of different things. We call these authentication factors. You may be asked for more than one of these, which is a multifactor login. For instance, you may be asked for something you know.
That might be your username and password. You may be asked for something you have, which might be a pseudo-random number from a piece of software or from a physical dongle that you carry around. You may be asked to authenticate with somewhere you are. A number of devices these days will do geo-fencing to see if you are in the immediate area. This is useful to prevent someone from logging in from China or from Europe if you happen to be in the United States.
You might also be asked for something you are. In this case, we’re dealing more with biometrics. It might be a fingerprint or a handprint. You could also be asked for something you do. This is very similar to something you are, although in this case you would be performing a function, like signing something.
That signature is unique to you and therefore it’s something that only you are able to do. Adding these additional factors to the authentication process may add additional costs. It may require a physical pseudo-random number generator that you have to give to everyone who needs access to the network.
Or it may have little cost associated with it. There are many free smartphone applications these days that provide these additional factors. And if you’re using those, you don’t have to pay anything extra to deploy this to everybody who has a smartphone.