Point-to-Point Protocol (PPP) Security: Connecting to Remote Access Servers
- Slides: 17

Outline
• Connecting to remote access servers (RASs)
• PPP authentication
• PPP confidentiality
• Point-to-Point Tunneling Protocol (PPTP)
PPP
• Point-to-Point Protocol (PPP)
  – Data link layer protocol
  – Created for dialing into a network's remote access server (RAS)
    • Then get access to internal resources
  – Also used for dialing into an ISP
[Figure: PPP connection between the dial-in client and the RAS]

PPP
• Authentication
  – Optional in PPP
  – If done, it is done during the authentication phase of PPP's initial negotiation process
[Figure: client asserts "I am X" to the RAS over the PPP connection]

PPP
• PPP offers several authentication options
  – Password Authentication Protocol (PAP)
  – Challenge-Response Handshake Protocol (CHAP)
  – MS-CHAP: Microsoft version of CHAP
  – Extensible Authentication Protocol (EAP)
• These options are not equally strong

PPP
• Password Authentication Protocol (PAP)
  – Applicant sends the verifier one or more PAP authentication request messages giving the applicant's user name and password
  – Stops sending when the verifier sends an authentication-ACK message or a termination message
[Figure: PAP Auth RQ from the applicant; PAP Auth ACK from the RAS]

PPP
• Password Authentication Protocol (PAP)
  – Password is sent in the clear (without confidentiality), so PAP is dangerous
[Figure: the PAP Auth RQ sent to the RAS contains the user's unencrypted password]

PPP
• Password Authentication Protocol (PAP)
  – Authentication is done only once, at the beginning of the session
  – If the session is taken over by an impostor, there is no further authentication check
PPP
• Challenge-Response Handshake Protocol (CHAP)
  – Verifier (RAS) sends a CHAP authentication request message
  – Applicant must respond with a response message
[Figure: CHAP ARQ message from the RAS; CHAP Resp message from the applicant]

PPP
• CHAP
  – This may be done several times per session for ongoing authentication, to ensure that the session has not been hijacked (taken over by an impostor)

PPP
• CHAP
  – The applicant and verifier have a shared secret
  – Applicant adds the shared secret to the request message, then hashes the combination to produce the response message
[Figure: CHAP Authentication Request Message + Shared Secret → Hash → CHAP Authentication Response Message]

PPP
• CHAP
  – Verifier adds the shared secret to its original request message, then hashes the combination to get a computed authentication response message
  – If this matches the transmitted response message, the applicant knows the shared secret and so is authenticated
[Figure: Original Authentication Request Message + Shared Secret → Hash → Computed Authentication Response Message, compared with the Transmitted Authentication Response Message]
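The PAP and CHAP slides above describe two exchanges with the RAS. The following is an added worked example, not from the slides, that models both sides of each exchange in Python: a PAP request that carries the password in the clear, and a CHAP verifier that issues a fresh random challenge, checks the applicant's hashed response, re-challenges mid-session, and accepts each challenge only once. The CHAP response is computed as in RFC 1994 (MD5 over identifier || shared secret || challenge); the slides describe the same idea more loosely as "add the secret to the request, then hash". PPP/HDLC framing is omitted, and the class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os


def pap_auth_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request data in the RFC 1334 layout:
    peer-id length, peer-id, password length, password.
    Everything here is plaintext on the link."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def pap_password_on_wire(frame: bytes) -> bytes:
    """What any party able to read the link recovers from a PAP request."""
    ulen = frame[0]
    plen = frame[1 + ulen]
    start = 2 + ulen
    return frame[start:start + plen]


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier || secret || challenge.
    The shared secret itself never leaves the applicant."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapVerifier:
    """RAS side (hypothetical helper). Holds the shared secret, issues a fresh
    random challenge for every request (initial or mid-session), and accepts
    each outstanding challenge at most once."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._identifier = 0
        self._outstanding = {}  # identifier -> challenge bytes

    def challenge(self):
        """Return (identifier, challenge) for a new authentication request."""
        self._identifier = (self._identifier + 1) & 0xFF
        chal = os.urandom(16)
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def check(self, identifier: int, response: bytes) -> bool:
        """Recompute the expected response from the stored challenge and compare
        it in constant time. Unknown or already-used identifiers are rejected,
        so a captured response cannot be replayed."""
        chal = self._outstanding.pop(identifier, None)
        if chal is None:
            return False
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)


class ChapApplicant:
    """Client side (hypothetical helper): answers challenges with its secret."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_session(verifier: ChapVerifier, applicant: ChapApplicant,
                rechallenges: int = 2) -> list:
    """Initial authentication plus `rechallenges` ongoing re-authentications.
    Returns the verifier's verdict for each round."""
    results = []
    for _ in range(1 + rechallenges):
        ident, chal = verifier.challenge()
        results.append(verifier.check(ident, applicant.respond(ident, chal)))
    return results


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    frame = pap_auth_request("alice", "hunter2")
    print("PAP password visible on the wire:", pap_password_on_wire(frame))
    ras = ChapVerifier(b"correct-secret")
    print("CHAP, correct secret:", run_session(ras, ChapApplicant(b"correct-secret")))
    print("CHAP, wrong secret:  ", run_session(ras, ChapApplicant(b"wrong-secret")))
```

Two design points matter for the slides' argument: the challenge is random and single-use, which is what lets the RAS repeat the exchange during the session to detect a hijacked connection, and the comparison uses `hmac.compare_digest` so that checking the response does not leak timing information about the expected hash.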
PPP
• MS-CHAP
  – Microsoft version of CHAP
  – The shared secret is the user's password for the remote access server (RAS)
[Figure: MS-CHAP Authentication Request Message + RAS Password → Hash → MS-CHAP Authentication Response Message]

PPP
• MS-CHAP
  – Realistic in terms of how RASs usually work
  – Only as strong as the password, which often is very weak
  – Must enforce strong passwords
[Figure: same MS-CHAP hashing diagram as on the previous slide]

PPP
• Extensible Authentication Protocol (EAP)
  – During the authentication phase of the initial PPP negotiations, the parties merely assert that EAP will be used
  – After this negotiation phase, which is very limited, EAP does further negotiation on how authentication will be done
[Figure: "Agree to use EAP" exchanged with the RAS; "Negotiate more later"]

PPP
• PPP Confidentiality
  – Optional (not mandatory)
  – Negotiated using the PPP encryption control protocol during the initial negotiation phase
[Figure: confidential message sent to the RAS]

PPP
• PPP Confidentiality
  – Current options are DES-CBC and 3DES-CBC
    • Cipher block chaining (CBC) is discussed under IPsec in this chapter
[Figure: confidential message sent to the RAS]

PPP
• PPP Confidentiality Encapsulation
  – Encrypt the PPP frame with DES-CBC or 3DES-CBC
  – Put the encrypted frame in the data field of a new PPP frame
  – Send the frame to the RAS
[Figure: new PPP header | encrypted PPP frame in the data field | new PPP trailer]