Point-to-Point Protocol (PPP) Security: Connecting to remote access servers


Point-to-Point Protocol (PPP) Security
• Connecting to remote access servers (RASs)
• PPP authentication
• PPP confidentiality
• Point-to-Point Tunneling Protocol (PPTP)


PPP
• Point-to-Point Protocol (PPP)
  – Data link layer protocol
  – Created for dialing into a network’s remote access server (RAS)
    • Then get access to internal resources
  – Also used for dialing into an ISP
[Figure: PPP connection from the dial-in client to the RAS]


PPP
• Authentication
  – Optional in PPP
  – If done, done during authentication phase of PPP’s initial negotiation process
[Figure: applicant sends “I am X” over the PPP connection to the RAS]


PPP
• PPP offers several authentication options
  – Password Authentication Protocol (PAP)
  – Challenge-Response Handshake Protocol (CHAP)
  – MS-CHAP: Microsoft version of CHAP
  – Extensible Authentication Protocol (EAP)
    • Not equally strong


PPP
• Password Authentication Protocol (PAP)
  – Applicant sends verifier one or more PAP authentication request messages giving applicant’s user name and password
  – Stops sending when verifier sends an authentication-ACK message or sends a termination message
[Figure: PAP Auth RQ from applicant to RAS, PAP Auth ACK from RAS]


PPP
• Password Authentication Protocol (PAP)
  – Password is sent in the clear (without confidentiality), so PAP is dangerous
[Figure: PAP Auth RQ to RAS contains the user’s unencrypted password]


PPP
• Password Authentication Protocol (PAP)
  – Authentication is done only once, at the beginning of the session
  – If session is taken over by an impostor, no check of authentication
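To make the "sent in the clear" point concrete, here is an added example (not from the slides) that builds and decodes a PAP Authenticate-Request using the RFC 1334 layout (Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password) and a hypothetical link monitor that flags such frames; the PPP protocol number 0xC023 for PAP is from RFC 1334, the user names and passwords are constructed sample values.

```python
import struct

# Added example, not from the slides. Layout follows RFC 1334: Code (1 byte),
# Identifier (1), Length (2), Peer-ID-Length, Peer-ID, Passwd-Length, Password.
PAP_PROTOCOL = 0xC023                      # PPP protocol field value for PAP
PAP_AUTH_REQUEST, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3


def build_pap_request(identifier: int, username: str, password: str) -> bytes:
    """Applicant side: the Authenticate-Request the slides describe."""
    peer, pw = username.encode(), password.encode()
    body = bytes([len(peer)]) + peer + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def parse_pap_request(packet: bytes):
    """Decode a request. Anyone holding the bytes can do this, not just the RAS:
    the password is a plain length-prefixed string with no protection."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pos = 4
    peer_len = packet[pos]
    peer = packet[pos + 1:pos + 1 + peer_len]
    pos += 1 + peer_len
    pw_len = packet[pos]
    pw = packet[pos + 1:pos + 1 + pw_len]
    if pos + 1 + pw_len != length:
        raise ValueError("length fields do not add up")
    return identifier, peer.decode(), pw.decode()


def audit_ppp_payload(protocol: int, payload: bytes):
    """Hypothetical link monitor: report PAP use so it can be replaced by CHAP/EAP."""
    if protocol == PAP_PROTOCOL and payload and payload[0] == PAP_AUTH_REQUEST:
        _, user, _ = parse_pap_request(payload)
        return f"cleartext PAP authentication for user {user!r}"
    return None


if __name__ == "__main__":
    pkt = build_pap_request(7, "alice", "hunter2")     # constructed sample values
    print(parse_pap_request(pkt))                      # the password comes straight back
    print(audit_ppp_payload(PAP_PROTOCOL, pkt))
```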


PPP
• Challenge-Response Handshake Protocol (CHAP)
  – Verifier (RAS) sends CHAP request-authentication message
  – Applicant must respond with a response message
[Figure: CHAP ARQ message from RAS, CHAP Resp message from applicant]


PPP
• CHAP
  – This may be done several times per session for ongoing authentication, to ensure that the session has not been hijacked (taken over by an impostor)


PPP
• CHAP
  – The applicant and verifier have a shared secret
  – Applicant adds shared secret to the request message, then hashes the combination to produce the response message
[Figure: CHAP Authentication Request Message + Shared Secret → Hash → CHAP Authentication Response Message]


PPP
• CHAP
  – Verifier adds the shared secret to its request message, then hashes the combination
  – If this matches the transmitted response message, applicant knows the shared secret and so is authenticated
[Figure: Original Authentication Request Message + Shared Secret → Hash → Computed Authentication Response Message, compared with the Transmitted Authentication Response Message]
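The applicant-side hashing on the previous slide and the verifier-side comparison on this one, worked through as an added example that is not from the slides: it follows RFC 1994 CHAP, where the response is MD5 over identifier, shared secret and challenge (the slides only say the secret is combined with the request and hashed), and it also shows the mid-session re-challenge that catches a hijacker who holds an old response but not the secret. The user name, secrets and the `Verifier` class are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not from the slides. Response = MD5(identifier || secret || challenge)
# as in RFC 1994; the secret itself never crosses the link.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Applicant side: prove knowledge of the shared secret without sending it."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Verifier:
    """RAS side (hypothetical): issues random challenges and checks responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # user name -> shared secret
        self.pending = {}               # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)           # fresh each time, so old responses cannot be reused
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is answered at most once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)   # recompute with the stored secret
        return hmac.compare_digest(expected, response)


def run_session(applicant_secret: bytes, rechallenges: int = 2) -> list:
    """Initial authentication followed by periodic re-challenges within one session."""
    ras = Verifier({"alice": b"s3cret-on-ras"})      # constructed sample secret
    results = []
    for ident in range(rechallenges + 1):
        chal = ras.challenge(ident)
        results.append(ras.verify(ident, "alice", chap_response(ident, applicant_secret, chal)))
    return results


def hijack_is_detected() -> bool:
    """Legitimate peer answers challenge 0; a hijacker who only captured that
    response and reuses it fails the re-challenge because the challenge changed."""
    ras = Verifier({"alice": b"s3cret-on-ras"})
    c0 = ras.challenge(0)
    first = ras.verify(0, "alice", chap_response(0, b"s3cret-on-ras", c0))
    ras.challenge(1)
    second = ras.verify(1, "alice", chap_response(0, b"s3cret-on-ras", c0))
    return first and not second
```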


PPP
• MS-CHAP
  – Microsoft version of CHAP
  – The shared secret is the user’s password for the remote access server (RAS)
[Figure: MS-CHAP Authentication Request Message + RAS Password → Hash → MS-CHAP Authentication Response Message]


PPP
• MS-CHAP
  – Realistic in terms of how RASs usually work
  – Only as strong as the password, which often is very weak
  – Must enforce strong passwords
[Figure: MS-CHAP Authentication Request Message + RAS Password → Hash → MS-CHAP Authentication Response Message]


PPP
• Extensible Authentication Protocol (EAP)
  – During authentication phase of initial PPP negotiations, merely assert that EAP will be used
  – After the negotiation phase, which is very limited, EAP does further negotiation on how authentication will be done
[Figure: applicant and RAS agree to use EAP, then negotiate more later]


PPP
• PPP Confidentiality
  – Optional (not mandatory)
  – Negotiated using the PPP encryption control protocol during the initial negotiation phase
[Figure: confidential message sent to the RAS]


PPP
• PPP Confidentiality
  – Current options are DES-CBC and 3DES-CBC
    • Cipher block chaining (CBC) is discussed under IPsec in this chapter
[Figure: confidential message sent to the RAS]


PPP
• PPP Confidentiality Encapsulation
  – Encrypt the PPP frame with DES-CBC or 3DES-CBC
  – Put encrypted frame in the data field of a new PPP frame
  – Send frame to RAS
[Figure: New PPP Header | Encrypted PPP Frame in Data Field | New PPP Trailer]