December 15, 2022
CISSP Study Guide: Authentication Protocols
Password Authentication Protocol (PAP): a clear-text exchange of username and password data. After a user dials in, the server sends a username request; after the username is entered, it sends a password request. All communications are transmitted in clear text with no encryption. PAP is a one-way authentication between the router and the host.
Shiva Password Authentication Protocol (SPAP): a reversible encryption mechanism. A client uses SPAP when connecting to a Shiva LANRover. This authentication method is more secure than PAP but less secure than CHAP.
Challenge Handshake Authentication Protocol (CHAP): enhanced security compared with PAP. It uses a two-way authentication method in which the password is not sent in the clear. The remote router holds the usernames and passwords, but they are not transmitted over the link as they are with PAP. With CHAP, once the PPP link is established, the access server issues a challenge message to the remote user. The remote end responds with a value computed by a one-way hash function, generally MD5. If the response matches the value the access server computes itself, authentication is granted; if it does not match, the connection is ended. CHAP sends out a new challenge every two minutes for the duration of the connection, and if authentication fails at any time, the connection is ended. The frequency of challenges is configured on the access server.
Extensible Authentication Protocol (EAP): an authentication framework that can be extended with additional authentication methods, which can be installed separately. It provides a flexible authentication mechanism for approving a remote access connection.
- EAP with MD5-Challenge uses the same challenge handshake as PPP-based CHAP, but the challenges and responses are carried as EAP messages. A typical use for MD5-Challenge is to authenticate non-Windows remote access clients. EAP with MD5-Challenge does not support encryption of connection data.
- Protected Extensible Authentication Protocol (PEAP) is primarily used to authenticate wireless users with a username and password.
- Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is used to enable remote access authentication with a smart card or a public key certificate.
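To make the difference between the PAP exchange and the CHAP / EAP MD5-Challenge handshake described above concrete, here is an added Python example that is not part of the original guide: it builds a PAP request, in which the password is visible on the wire, and runs the CHAP challenge/response round with the MD5 computation from RFC 1994, issuing a fresh random challenge per round so that a recorded response cannot be reused. The shared secret and peer name are constructed sample values.

```python
import hashlib
import hmac
import os

SECRET = b"correct horse battery staple"  # constructed shared secret held by both peers

def pap_authenticate_request(peer_id: bytes, password: bytes, identifier: int = 1) -> bytes:
    """PAP Authenticate-Request (RFC 1334 layout): the password travels in the clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return bytes([1, identifier]) + (4 + len(body)).to_bytes(2, "big") + body

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response (RFC 1994): MD5 over Identifier || secret || challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Access-server side: holds the secret, issues challenges, checks responses."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.pending = None  # challenge value awaiting a response

    def issue_challenge(self) -> tuple[int, bytes]:
        # Sent at link-up and again periodically; each challenge is fresh randomness.
        self.identifier = (self.identifier + 1) % 256
        self.pending = os.urandom(16)
        return self.identifier, self.pending

    def verify(self, identifier: int, response: bytes) -> bool:
        if self.pending is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, self.secret, self.pending)
        self.pending = None  # a challenge may be answered only once
        return hmac.compare_digest(expected, response)

def chap_exchange(server: ChapServer, client_secret: bytes) -> bool:
    """One challenge/response round as the remote peer would perform it."""
    ident, chal = server.issue_challenge()
    return server.verify(ident, chap_response(ident, client_secret, chal))

def replay_is_rejected(server: ChapServer, client_secret: bytes) -> bool:
    """A response recorded from one round is useless against the next challenge."""
    ident, chal = server.issue_challenge()
    recorded = chap_response(ident, client_secret, chal)
    first_ok = server.verify(ident, recorded)
    next_ident, _ = server.issue_challenge()
    return first_ok and not server.verify(next_ident, recorded)
```

Searching the PAP packet for the secret succeeds, while the CHAP response never contains it; the periodic re-challenge the text describes is just `issue_challenge` called again on the same server object.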