Authentication protocol
An authentication protocol is a type of computer
Purpose
As more and more trustworthy information became accessible over the network, the need to keep unauthorized persons from accessing this data emerged. Stealing someone's identity is easy in the computing world - special verification methods had to be invented to determine whether the person or computer requesting data really is who it claims to be.[2] The task of the authentication protocol is to specify the exact series of steps needed to carry out the authentication. It has to comply with the main protocol principles:
- A protocol has to involve two or more parties, and everyone involved must know the protocol in advance.
- All the included parties have to follow the protocol.
- A protocol has to be unambiguous - each step must be defined precisely.
- A protocol must be complete - it must specify an action for every possible situation.
An illustration of password-based authentication using a simple authentication protocol:
Alice (an entity wishing to be verified) and Bob (an entity verifying Alice's identity) are both aware of the protocol they agreed on using. Bob has Alice's password stored in a database for comparison.
- Alice sends Bob her password in a packet complying with the protocol rules.
- Bob checks the received password against the one stored in his database. Then he sends a packet saying "Authentication successful" or "Authentication failed" based on the result.[3]
This is an example of a very basic authentication protocol vulnerable to many threats such as
Types
Authentication protocols developed for PPP (Point-to-Point Protocol)
These protocols are used mainly by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them use a password as the cornerstone of the authentication. In most cases, the password has to be shared between the communicating entities in advance.[5]
PAP - Password Authentication Protocol
CHAP - Challenge-handshake authentication protocol
The authentication process in this protocol is always initiated by the server/host and can be performed at any time during the session, even repeatedly. The server sends a random string (usually 128 B long). The client uses the password and the received string as parameters for the MD5 hash function and then sends the result, together with the username, in plain text. The server uses the username to look up the stored password, applies the same function, and compares the calculated hash with the received one. Depending on the result, the authentication succeeds or fails.
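The following is an added example, not code from the original article: a minimal CHAP-style exchange in Python that contrasts with the plain-password protocol above, since the shared secret itself never crosses the wire. The hash input follows RFC 1994 (Identifier || secret || Challenge); the user database, the username "alice" and the secret value are constructed for the example.

```python
import hashlib
import os
import secrets

# Constructed example database. Note that CHAP obliges the verifier to hold the
# shared secret in recoverable form (not a salted password hash), which is one
# of the protocol's costs: a compromised server yields the secrets directly.
SECRETS = {"alice": b"correct horse battery staple"}


def chap_challenge(length: int = 16) -> tuple[int, bytes]:
    """Server side: pick a one-byte Identifier and a fresh random Challenge Value.
    The challenge must be unpredictable and unique, otherwise an observed
    response could simply be replayed against a later challenge."""
    return secrets.randbelow(256), os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over Identifier || secret || Challenge, as RFC 1994 defines.
    Only this digest (plus the username) is sent; the secret stays local."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected digest from the stored secret and
    compare it in constant time so the comparison does not leak timing."""
    secret = SECRETS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def run_exchange(username: str, client_secret: bytes) -> bool:
    """One full round: server challenges, client responds, server verifies."""
    ident, challenge = chap_challenge()
    response = chap_response(ident, client_secret, challenge)
    return chap_verify(username, ident, challenge, response)
```

Because the digest is a deterministic function of the secret, anyone who records a challenge/response pair can test password guesses offline, so the secret's strength still matters even though it is never transmitted.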
EAP - Extensible Authentication Protocol
EAP was originally developed for PPP(Point-to-Point Protocol) but today is widely used in
- EAP-MD5
- EAP-TLS
- EAP-TTLS
- EAP-FAST
- EAP-PEAP
AAA architecture protocols (Authentication, Authorization, Accounting)
These are complex protocols used in larger networks for verifying the user (Authentication), controlling access to server data (Authorization), and monitoring network resources and the information needed for billing of services (Accounting).
TACACS+
The original TACACS is the oldest AAA protocol; it used IP-based authentication without any encryption (usernames and passwords were transported as plain text). A later version, XTACACS (Extended TACACS), added authorization and accounting. Both of these protocols were later replaced by TACACS+. TACACS+ separates the AAA components so that they can be handled on separate servers (it can even use another protocol for, e.g., authorization). It uses TCP (Transmission Control Protocol) for transport and encrypts the whole packet. TACACS+ is Cisco proprietary.
RADIUS
DIAMETER
Other
Kerberos (protocol)
Kerberos is a centralized network authentication system developed at
List of various other authentication protocols
- AKA
- Basic access authentication
- CAVE-based authentication
- CRAM-MD5
- Digest
- Host Identity Protocol (HIP)
- LAN Manager
- NTLM, also known as NT LAN Manager
- OpenID protocol
- Password-authenticated key agreement protocols
- Protocol for Carrying Authentication for Network Access (PANA)
- Secure Remote Password protocol (SRP)
- RFID-Authentication Protocols
- Woo Lam 92 (protocol)
- SAML
References
- Duncan, Richard (23 October 2001). "An Overview of Different Authentication Methods and Protocols". www.sans.org. SANS Institute. Retrieved 31 October 2015.
- Shinder, Deb (28 August 2001). "Understanding and selecting authentication methods". www.techrepublic.com. Retrieved 30 October 2015.
- ISBN 0-7923-8675-2.
- ISBN 0-201-92480-3.
- CiteSeerX 10.1.1.45.6423.
- Vanek, Tomas. "Autentizacní telekomunikacních a datových sítích" (PDF). CVUT Prague. Archived from the original (PDF) on 4 March 2016. Retrieved 31 October 2015.
- "AAA protocols". www.cisco.com. Cisco. Retrieved 31 October 2015.
- Liu, Jeffrey (24 January 2006). "Introduction to Diameter". www.ibm.com. IBM. Retrieved 31 October 2015.
- "Kerberos: The Network Authentication Protocol". web.mit.edu. MIT Kerberos. 10 September 2015. Retrieved 31 October 2015.
- ISBN 0-471-12845-7.
- "Protocols of the Past". srp.stanford.edu. Stanford University. Retrieved 31 October 2015.