Copyright Goodheart-Willcox Co., Inc. 468 Networking Fundamentals

passwords to determine if they may access the server. PAP was developed when security on the Internet using TCP/IP was not a real problem. The clear text used inside the packet allows the password and username to be easily intercepted.

Note: PAP is basically obsolete because of the clear-text characteristic.

Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol that sends an encrypted string of characters representing the username and password. It does not send the actual username and password. CHAP was designed to be used with PPP when making a remote connection to a server. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is an enhanced version of CHAP that encrypts not only the username and password but also the data package. MS-CHAP must be used with Microsoft operating systems. It is not compatible with other operating systems.

CHAP works by using the PPP protocol to allow a computer to connect to a remote system. After a connection is established, the server, also known as the authentication agent, sends a challenge to the client, or peer. The authentication agent sends a key to the client so that it can encrypt its username and password. The client responds with an encrypted key representing the username and password. The server either accepts or rejects the client username and password based on a matching encryption key. The actual username and password are not sent. Only a key generated from the characters used in the username and password is sent.

The authenticating agent randomly generates challenges to verify it is still connected to an authorized peer and not to an impostor that has intercepted packets. CHAP prevents the replay attack by repeating the challenge at random intervals to detect an unauthorized connection.
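The challenge/response exchange described above, as an added example that is not from the textbook. The response computation (MD5 over the identifier, the shared secret and the challenge) follows RFC 1994 rather than the book's wording, and the peer name, secret and the single-agent setup are constructed for illustration. The demo shows why a captured response is useless against a fresh challenge.

```python
import hashlib
import hmac
import os

# Constructed sample: the shared secret the authentication agent holds for one peer.
PEER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5(Identifier || secret || Challenge), RFC 1994 section 4.1."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthenticationAgent:
    """Server side of CHAP: issues challenges and verifies the peer's responses."""

    def __init__(self, secrets: dict[str, bytes]) -> None:
        self.secrets = secrets
        self.identifier = 0
        self.pending: dict[int, bytes] = {}  # identifier -> challenge awaiting a response

    def challenge(self) -> tuple[int, bytes]:
        # A fresh, unpredictable challenge each time; the identifier ties the reply to it.
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Each challenge may be answered once; unknown identifiers or peers are rejected.
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def demo_replay() -> tuple[bool, bool]:
    """Genuine peer is accepted; the same response replayed to a new challenge is not."""
    agent = AuthenticationAgent(PEER_SECRETS)
    ident, chal = agent.challenge()
    resp = chap_response(ident, PEER_SECRETS["alice"], chal)
    first = agent.verify(ident, "alice", resp)       # legitimate peer: accepted
    ident2, _ = agent.challenge()                    # agent re-challenges later
    replayed = agent.verify(ident2, "alice", resp)   # captured response: rejected
    return first, replayed
```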
The technical names authentication agent and peer are used because CHAP can be used for more than server access, such as to authenticate two routers when using a tunneling protocol or VPN connection.

MS-CHAP began being phased out with the introduction of Windows Vista. The latest version used for authentication is MS-CHAPv2. MS-CHAPv2 provides stronger encryption and supports two-way authentication. MS-CHAP only supports one-way authentication. One-way authentication only verifies with the authenticator who the client is. Two-way authentication takes it one step further and also verifies who the authenticator is to the client.

Kerberos

The Massachusetts Institute of Technology (MIT) developed a security authentication system called Kerberos. The name Kerberos (also spelled Cerberus) comes from Greek mythology. It is the name of the mythical three-headed dog that guards the entrance to Hades. Kerberos allows two computers to communicate securely over a network that is not typically secure, such as the Internet. While Kerberos was developed and distributed as an open protocol, it has been incorporated into many proprietary software systems.

The details of how Kerberos works are beyond the scope of this book and the Network+ Exam. However, a general overview is necessary and helpful. Kerberos works by sending messages back and forth between the client and the server. The actual password, or even a hash of the password, is never sent. That makes it

4.2 NET