Designing Secure Communications

By Author: Shirley Green
Total Articles: 129
Comment this article

The following user authentication information should be considered 70-291 Exam in making authentication choices:
User authentication is via PPP authentication protocols. Password authentication protocol (PAP), which sends a plain-text password across the network, is very rarely used.
Challenge Handshake Authentication Protocol (CHAP) uses the MD5 hashing protocol to encrypt challenge strings. Only the user name crosses the network in plaintext. The server must store a plain-text copy of the password, or store the password using a reversible encryption algorithm, as is the case in Windows Server2003. CHAP is generally used only when UNIX clients are present.
Microsoft CHAP (MS-CHAP) uses an MD4 hash, and the server can store a hashed password. The protocol provides more sophisticated error messages—including a
password-expired error code, which then provides the ability to change a password during the authentication phase. The client and server independently create
the encryption key MS CHAP requires for MPPE encryption based on the user's password. MCSA Certification ...
... should be used only if you have Windows 95 clients.
MS CHAPv2 provides for mutual authentication—both client and server identify that each have knowledge of the user's password. Two encryption keys are used:
one for sending text and the other for receiving text. As with MS-CHAP, the encryption keys are based on the user's password. Consequently, the strength of
the encryption key is directly proportional to the strength of the user's password.
Extensible Authentication Protocol (EAP) is an IETF (RFC 2284) extension to PPP.A choice of authentication algorithms known as EAP types can be made.
EAP is negotiated during the authentication phase of PPP.Because EAP allows arbitrary authentication mechanisms for PPP authentication,the dynamic addition of authentication component modules is supported. This means vendors can supply new authentication protocols at any time.
When new,stronger authentication processes are identified, the PPP protocol does not have to be rewritten the vendor simply write an EAP type that is compatible with PPP.

O EAP-TLS is based on a public-key certificate and enables mutual authentica-tion between the client and server computers that make up the VPN connec-tion. Before data can be transmitted, a client certificate must be provided to and validated by the dial-in server and the server must provide its own, which must be validated by the client. EAP-TLS can be used with PPTP. In this case, the server must have a Network+ certification, but the client computers do not require one. User certificates can be installed on client computers or smart cards.