Security Solutions
1-24
Access Control Concepts
Network Access Control Technologies
PAP
PAP is a simple protocol: the endpoint sends an authenticate request that
includes the username and password in plaintext. The authentication server
compares the password to the one stored for the user, and if the passwords
match, the server grants the user access (as long as other policies allow the
user access at that time and location).
PAP has several security weaknesses, the most serious being that the
password is sent in plaintext and can be intercepted. In addition, PAP does
not provide mutual authentication. Because the authentication server does
not prove its identity to the supplicant, an attacker can pose as a legitimate
server and steal the user's credentials.
PAP is rarely used in contemporary networks. However, a PEP submitting a
MAC-Auth or Web-Auth request on behalf of an endpoint might use RADIUS-PAP,
a slightly more secure protocol. (See "RADIUS" on page 1-28.)
CHAP
Although, like PAP, CHAP relies on usernames and passwords, CHAP provides
greater security because the password is not sent in plaintext. Instead, the
endpoint submits a one-way hash of the password and a challenge value
randomly selected by the authentication server.
To prevent attackers from simply capturing and re-sending the hash of a user's
password (called a playback or replay attack), each challenge contains a
different random value. To recalculate the hash of the password with various
challenge values, the authentication server must be able to extract the
password. Therefore, the database must store the password in plaintext or in
reversibly encrypted form. This requirement excludes CHAP from networks using
certain types of authentication servers or directories.
Another disadvantage of CHAP is that it does not provide mutual
authentication. In addition, while the one-way hash protects the password from
casual eavesdroppers, it remains susceptible to offline dictionary attacks and
password-cracking software.
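The CHAP exchange described above, as an added Python example that is not part of this guide: both sides compute MD5(identifier || password || challenge) as specified in RFC 1994, the server holds the cleartext password because it must recompute the hash, and a captured response fails against the next challenge. The user database, credentials and the minimal server model are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample user DB: CHAP needs the password itself, not a one-way hash of it.
USER_DB = {"alice": b"correct horse battery staple"}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Authentication-server side of the exchange (assumed minimal model)."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}  # username -> (identifier, challenge) awaiting a response
        self.next_id = 0

    def issue_challenge(self, username):
        """Challenge packet: an identifier byte and a fresh random value."""
        identifier, self.next_id = self.next_id, (self.next_id + 1) % 256
        challenge = os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username, identifier, response):
        """Recompute the hash from the stored password; each challenge is single-use."""
        entry = self.pending.pop(username, None)
        secret = self.user_db.get(username)
        if entry is None or entry[0] != identifier or secret is None:
            return False
        expected = chap_response(identifier, secret, entry[1])
        return hmac.compare_digest(expected, response)

def authenticate(server, username, password):
    """Endpoint side: request a challenge, send only the hash, never the password."""
    identifier, challenge = server.issue_challenge(username)
    return server.verify(username, identifier, chap_response(identifier, password, challenge))

def replay_is_rejected(server, username, password):
    """A captured response is useless later because the next challenge differs."""
    identifier, challenge = server.issue_challenge(username)
    captured = chap_response(identifier, password, challenge)
    first_ok = server.verify(username, identifier, captured)
    new_id, _ = server.issue_challenge(username)
    return first_ok and not server.verify(username, new_id, captured)
```

Note that an eavesdropper still sees both the challenge and the response, which is exactly what an offline dictionary attack needs.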
Again, while CHAP is rarely used in contemporary networks, PEPs might use
RADIUS-CHAP to submit MAC-Auth or Web-Auth requests.