***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-implementation/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``PAP and CHAP``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [PAP and CHAP](#a) <br/><br/>

- [VPN Concentrator Access](#b) <br/><br/>
    - [AAA Server](#b) <br/><br/>
- [Password Authentication Protocol](#c) <br/><br/>
    - [``PAP``](#c) <br/><br/>
        - [Authentication](#d) <br/><br/>
- [Challenge-Handshake Authentication Protocol](#e) <br/><br/>
    - [``CHAP``](#e) <br/><br/>
        - [Authentication](#f) <br/><br/>
    - [Microsoft](#g) <br/><br/>
        - [``MS-CHAP``](#g) 
<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### PAP and CHAP
***

There are many different ways to provide authentication to a network. This topic looks at two very common methods: ``PAP`` and ``CHAP``.

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### VPN Concentrator Access - AAA Server
***

A client outside of the building is accessing a VPN concentrator that is part of an organization to gain access to an internal file server. Before they're allowed access to that internal file server, they first need to authenticate, so they send a login request through the internet to the VPN concentrator:

![image.png](attachment:image.png)

The VPN concentrator doesn't have any information about usernames and passwords, so it passes that request down to an AAA server. This is a server designed to provide authentication, authorization and accounting, and it provides a way to check a username and password to see if they're valid:

![image.png](attachment:image.png)

Once it performs that check, it sends a message back saying whether those credentials have been approved or disapproved:

![image.png](attachment:image.png)

In this case, the correct username and password were provided and the user's request is then sent on to the internal file server.

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### Password Authentication Protocol - ``PAP`` - [Basic Authentication Method] - [In-the-Clear]
***

One way to provide that authentication between the VPN concentrator and the AAA server is a very common protocol known as PAP, the Password Authentication Protocol. It's an extremely basic method of providing this authentication process. If you're using some relatively old operating systems, or systems that were designed for some very simple authentication, they're probably using PAP.

One problem with the password authentication protocol is that it sends all of this information through the network in the clear - there’s no encryption built into PAP that provides a way to protect the username or the password. 

To say that this is a weak authentication scheme may be a little bit of an understatement, because there is no encryption being used for that password exchange process. This is because PAP was originally designed before we had these internet-connected networks. Instead, we were using dial-up analog lines where there were only two devices on that connection: the client and the server.

What you commonly see with implementations of PAP today is that the application performing the authentication sends the username in the clear, but the application itself provides the encryption of the password, so it can be sent through a PAP connection without too much worry about that password being seen by others.

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### Password Authentication Protocol - ``PAP`` - Authentication
***

> Username is ``james``

> Password is ``password111`` 

There is a client and a server:

![image.png](attachment:image.png)

A request is made from the client to the server, sent in the clear using PAP:

![image.png](attachment:image.png)

The PAP server authenticates the username and password and sends a message back to the client saying that the username and password check out and the client is now allowed access to the network:

![image.png](attachment:image.png)
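The request shown above, encoded and decoded as an added example (not part of the original course notes). It assumes the PAP Authenticate-Request layout from RFC 1334 (code, identifier, length, then length-prefixed Peer-ID and password); the function names are hypothetical and the packet is constructed here for illustration.

```python
import struct

PAP_AUTH_REQUEST = 1  # RFC 1334 code value for Authenticate-Request


def build_pap_request(identifier, peer_id, password):
    """Encode a PAP Authenticate-Request the way the client sends it."""
    if len(peer_id) > 255 or len(password) > 255:
        raise ValueError("PAP length fields are a single octet")
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    header = struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(data))
    return header + data


def parse_pap_request(packet):
    """Decode the packet with no key or secret, as any device on the path could.

    Returns (username, password) and raises ValueError on malformed input.
    """
    if len(packet) < 6:
        raise ValueError("truncated PAP packet")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQUEST:
        raise ValueError("not an Authenticate-Request")
    if length < 6 or length > len(packet):
        raise ValueError("bad length field")
    body = packet[4:length]
    id_len = body[0]
    if 1 + id_len >= len(body):
        raise ValueError("Peer-ID overruns packet")
    peer_id = body[1:1 + id_len]
    pw_len = body[1 + id_len]
    password = body[2 + id_len:2 + id_len + pw_len]
    if len(password) != pw_len:
        raise ValueError("password overruns packet")
    return peer_id.decode(), password.decode()


if __name__ == "__main__":
    # Constructed sample using the credentials from this section.
    wire = build_pap_request(1, b"james", b"password111")
    print(wire)                     # the password is readable in the raw bytes
    print(parse_pap_request(wire))
```
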

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### Challenge-Handshake Authentication Protocol - ``CHAP`` - [Encrypted Challenge] - [Three-way Handshake] - [Challenge-Response Continues]
***

Somewhat of a next step up from PAP is the Challenge-Handshake Authentication Protocol or CHAP - this is going to provide an encrypted challenge sent across the network, so this does add additional security over what you might find with PAP.

CHAP has a three-way handshake. Once there is a link, the server sends the client a challenge message. That challenge message is combined with a password hash and sent back to the server, which evaluates the password and the challenge to see if the result matches what's expected.

This challenge-response process doesn't only happen at the beginning of the authentication process; it may occur multiple times while that session is active. The end user never sees that this additional handshake is occurring, but it can occur periodically while the session is active.

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### Challenge-Handshake Authentication Protocol - ``CHAP`` - Authentication
***

> Username is ``james``

> Password is ``password111`` 

There is a client and a server:

![image.png](attachment:image.png)

The client is going to send the request saying that they would like to login with the username james:

![image.png](attachment:image.png)

Of course, this server already knows that there is a user named james and it knows the password for that particular user.

![image.png](attachment:image.png)

The server is going to take that password and combine it with a challenge, and it will send that challenge across the network back to the client:

![image.png](attachment:image.png)

The client will then perform exactly the same combination of the password and the challenge that the CHAP server has already calculated:

![image.png](attachment:image.png)

It then sends back a response to that particular password and challenge: the challenge-response hash is sent over the network to the CHAP server.

![image.png](attachment:image.png)

The CHAP server then does its own calculation of the password and the challenge to see whether it produces the exact same response.

![image.png](attachment:image.png)

Notice that with CHAP we're not sending the password in the clear across the network. We're sending either a challenge or a response to that challenge, and neither of those contains the actual password.
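Both sides of the exchange described above, as an added example (not part of the original course notes). It assumes the response calculation from RFC 1994, MD5 over the identifier, the shared secret and the challenge; the ``ChapServer`` class and function names are hypothetical. It also issues a second challenge, as happens periodically during a session, to show that a previously captured response no longer verifies.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, users):
        self.users = users      # username -> shared secret (bytes)
        self.pending = {}       # username -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, username):
        """Issue a fresh random challenge with a new identifier."""
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[username] = (self.next_id, value)
        return self.next_id, value

    def verify(self, username, identifier, response):
        """Recompute the expected hash; each challenge is accepted once."""
        issued = self.pending.pop(username, None)
        secret = self.users.get(username)
        if issued is None or secret is None or issued[0] != identifier:
            return False
        expected = chap_response(identifier, secret, issued[1])
        return hmac.compare_digest(expected, response)


def demo():
    server = ChapServer({"james": b"password111"})  # credentials from this section
    ident, chal = server.challenge("james")
    resp = chap_response(ident, b"password111", chal)      # client side
    wire = bytes([ident]) + chal + resp                     # all that crosses the link
    first = server.verify("james", ident, resp)
    ident2, _ = server.challenge("james")                   # periodic re-challenge
    replayed = server.verify("james", ident2, resp)         # old response, new challenge
    ident3, chal3 = server.challenge("james")
    wrong = server.verify("james", ident3, chap_response(ident3, b"password112", chal3))
    return first, replayed, wrong, b"password111" in wire


if __name__ == "__main__":
    print(demo())
```
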

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### Challenge-Handshake Authentication Protocol - ``CHAP`` - Microsoft - ``MS-CHAP`` - [PPTP] - [Security Issues - DES]
***

There is a version of CHAP called MS-CHAP, which stands for Microsoft CHAP and is commonly used with Microsoft's Point-to-Point Tunneling Protocol (PPTP).

The most recent version of MS-CHAP is referred to as MS-CHAP V2.

Unfortunately, MS-CHAP is a very old implementation of security. It uses the Data Encryption Standard (DES) for encryption, and that is a very weak type of encryption, which makes it very easy to brute force the relatively small number of possible keys that could be used during this connection.

For that reason, we commonly do not use MS-CHAP or MS-CHAP V2 any longer - instead, we prefer to use L2TP, IPsec, 802.1X or some other method of secure authentication.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
