CompTIA Network + Exam Training:
Intro To CHAP, PAP, MS-CHAP, TACACS, And RADIUS
By Chris Bryant, CCIE #12933
In this CompTIA Network + Exam tutorial, you'll be introduced to CHAP, PAP, and MS-CHAP. You'll also get a brief but important introduction to AAA, TACACS, and RADIUS.
All three of these are security protocols that run over the Point-to-Point Protocol (PPP). The Password Authentication Protocol (PAP) has a major security issue in that the password is sent over the connection in clear text, making it easy to read if a packet is successfully intercepted.
The Challenge Handshake Authentication Protocol (CHAP) prevents this by choosing a random number to run a hash algorithm against the password. The random number and the result of that hash are then sent to the remote router, so the password itself is never exposed. If someone with a network sniffer managed to pick a packet off the cable between the endpoints, the only thing they'd be able to see is an unrecognizable and undecipherable bunch of numbers, letters, and symbols.
Password before hashing: "password"
Password after hashing: "y7riu3i&32"
The hash result shown there is a possible result, not the result. Hashing a password makes it virtually impossible to decipher.
In our discussion of TCP, you learned that TCP uses a three-way handshake. The "handshake" in CHAP is also a three-way handshake, but the "challenge" part makes this process just a bit different. Let's walk through a sample CHAP process.
A client wants to connect to a server, so the client sends a logon request. Instead of just saying "okay", the server will respond with a challenge.
The client will now run an algorithm against the challenge value, and sends the result of that hash back to the server.
The server will take that response value and match it against its own hash calculation. If the values match, the client will be authenticated. If the values do not match, the client's authentication attempt is denied.
As you progress in your career and your studies, you'll find that companies such as Microsoft and Cisco occasionally like to make their own versions of popular services and protocols. Microsoft did just that with MS-CHAP, and I'm sure I don't have to tell you what the MS stands for!
MS-CHAP is available in two versions, Version 1 and Version 2. Version 1 is scheduled to be eliminated in Microsoft Vista. Some key details about MS-CHAP:
- The two versions are incompatible.
- MS-CHAP version 2 requires mutual authentication, where each device authenticates the other. Version 1 does not offer mutual authentication.
RADIUS (Remote Authentication Dial-In User Service) and TACACS (Terminal Access Controller Access Control System) are both AAA protocols, bringing Authentication, Authorization, and Accounting to networks. Before we examine RADIUS and TACACS, let's define each of the "three As".
Authentication simply asks the question, "Should I let you into the network in the first place?"
Authorization is the process of denying or permitting a client permission to do something on the network, such as accessing a file.
Accounting is the process of tracking a user's time, possibly for internal billing purposes. For example, if a user from the Security department is accessing servers or bandwidth allocated to the Accounting department, the Security user's activities could be tracked to allow the Accounting department to bill the Security department for the time that user was using the Accounting department's resources.
TACACS is rarely if ever seen anymore - it's been replaced largely by RADIUS and TACACS+. TACACS+ is not compatible with TACACS.
There are some key differences between TACACS+ and RADIUS:
-
RADIUS runs on UDP, TACACS+ on TCP, giving TACACS+ the benefit of TCP's guaranteed delivery.
-
In the initial access-request packet, RADIUS encrypts only the password while TACACS+ encrypts all contents of the packet.
-
RADIUS combines the authentication and authorization features of AAA, making it difficult if not impossible to run one without running the other. TACACS+ does not combine authentication and authorization.
另可参见:http://geminifield.blog.sohu.com/72626492.html
Where possible, MS-CHAP is consistent with standard CHAP. Briefly, the differences between MS-CHAP and standard CHAP are:
- The MS-CHAP Response packet is in a format designed for compatibility with Microsoft's Windows NT 3.5, 3.51 and 4.0, and Windows95 networking products. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.
- MS-CHAP provides authenticator-controlled authentication retry and password changing mechanisms.
- MS-CHAP defines a set of reason-for-failure codes returned in the Failure packet Message field.
One difference between CHAP and MS-CHAP v1 is that, in CHAP, the plaintext version of the password must be available to validate the challenge response. With MS-CHAP v1, the remote access server only requires the MD4 hash of the password to validate the challenge response. In Windows 2000, the user's password is stored as an MD4 hash and in a reversibly encrypted form. When CHAP is used, the remote access server decrypts the reversibly encrypted password to validate the remote access client's response.
MS-CHAP v1 also allows for error codes including a "password expired" code and password changes. MS-CHAP v1 protects against replay attacks by using an arbitrary challenge string per authentication attempt. MS-CHAP v1 does not provide protection against remote server impersonation.
If MS-CHAP v1 is used as the authentication protocol and MPPE is negotiated, then shared secret encryption keys are generated by each PPP peer. MS-CHAP v1 also provides a set of messages that allows a user to change their password during the user authentication process.