What is CHAP (Challenge Handshake Authentication Protocol)?
Challenge Handshake Authentication Protocol, or CHAP, is a challenge-response authentication scheme in which the password (the shared secret) is never transmitted over the network. CHAP (RFC 1994) is one of several authentication schemes used by the Point-to-Point Protocol (PPP), a serial transmission protocol for wide area network (WAN) connections. Other authentication schemes supported by PPP include Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). PAP is widely implemented, but CHAP is more secure than PAP because PAP sends the password in clear text, while CHAP sends only an MD5 hash of the packet identifier, the shared secret, and a random challenge chosen by the authenticator. Note that CHAP does not encrypt anything, and the authenticator must keep the shared secret in recoverable (clear-text) form to compute the expected hash. SPAP and MS-CHAP are vendor-specific variants.
What is MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)?
MS-CHAP is Microsoft's variant of CHAP, used for authentication in wide area network (WAN) communication. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is supported by the Point-to-Point Protocol (PPP) used by the Remote Access Service (RAS) of Microsoft Windows NT, and by the Point-to-Point Tunneling Protocol (PPTP) used by the Routing and Remote Access Service (RRAS) of Windows NT Service Pack 4 and later and by Windows 2000 and Windows 98. It exists in two versions, MS-CHAPv1 (RFC 2433) and MS-CHAPv2 (RFC 2759); v2 adds mutual authentication, but both derive the response from the user's NT password hash with DES, so a captured MS-CHAPv2 exchange can be recovered by brute-forcing a 56-bit DES key. In practice MS-CHAPv2 is acceptable only inside a server-authenticated TLS tunnel such as PEAP, and PPTP itself should be retired.
An Overview of Secure Communication Protocols
There are hundreds of communication protocols that define rules for different machines exchanging information. These rules cover the syntax, semantics and error detection of the data packets. They ensure the successful transmission of data between multiple entities (computers, servers, networks). The parties involved in the communication have to agree on the rules so that a message can pass from one entity to another. The different hardware, software, and other devices in the communication chain make it a demanding task to coordinate issues ranging from interoperability and multi-vendor support to logical addressing. The Open Systems Interconnection (OSI) model was developed to break the problem down and assign the duties to seven layers (physical, data link, network, transport, session, presentation, and application). The four-layer Transmission Control Protocol/Internet Protocol (TCP/IP) model (network access, Internet, transport, and application) is the simpler model that the Internet's protocols actually follow; it predates OSI and is the foundation of practical, working protocols for computers and networks to interact.

The TCP/IP model is the industry standard today, with over 30 years of history. All operating systems support TCP/IP, and the TCP/IP protocol suite is therefore known as “the language of the Internet.” As the user population of the Internet grows, so does the need for secure communication. Government institutions and companies increasingly adopt online systems for payment, identification, and applications, to name a few. Secure communication protocols between two computers are thus indispensable to safeguard computer networks for these digital activities. The following protocols are several key examples developed for secure communication; they sit at different layers of the OSI and TCP/IP models (SSL/TLS above the transport layer, swIPe and SKIP at the network layer, S-RPC and SET at the application layer):
Secure Sockets Layer (SSL)
Computer servers and networks are required to handle more and more complex online activities. Data in transit is exposed to attacks such as wiretapping and spoofing: if the user sends sensitive information such as a credit card number and the connection between sender and receiver is intercepted, the attacker can seize and use it. One effective way to protect data in transit is encryption. SSL was the first widely deployed solution for securing a session between two parties. It has three objectives: privacy (confidentiality), identity authentication, and reliability (integrity). To achieve them, SSL uses a hybrid of asymmetric and symmetric cryptography, with key exchange based on RSA, Diffie-Hellman, or Fortezza/DMS. The web browser opens the handshake with a hello message, sent in the clear, that lists the algorithms it supports. The web server replies with its own hello and a certificate signed by a certificate authority (CA). The two sides then exchange several messages to negotiate the session keys, using the server's public key or Diffie-Hellman to agree on a secret without revealing it to an eavesdropper. Once the browser has validated the server's certificate against its trusted CAs, both sides switch to symmetric encryption under the negotiated keys. HTTPS, HTTP carried over SSL/TLS, is the best-known application of SSL; it is distinct from the older Secure HTTP (S-HTTP). The browser's address bar shows a lock icon to indicate the state of the secure connection. All versions of SSL are now obsolete: SSL 2.0 is prohibited by RFC 6176 and SSL 3.0 is deprecated by RFC 7568 following the POODLE attack, so modern systems should offer TLS only. A protocol sometimes compared with SSL is the Simple Key-management for Internet Protocol (SKIP), developed by Sun Microsystems in 1995. SKIP works at the IP layer: each party derives packet keys from long-term Diffie-Hellman public values distributed in advance, so no handshake precedes the first protected packet, whereas SSL requires a handshake to negotiate the key.
Transport Layer Security (TLS)
TLS is usually mentioned together with SSL as SSL/TLS. TLS is the successor of SSL: its framework remains substantially the same, with several key differences. First, TLS sits above TCP, between the transport and application layers, so it is often described as an application-layer protocol in the OSI model and a transport-layer protocol in the TCP/IP model. Second, the final version of SSL is SSL 3.0; the next revision was renamed TLS 1.0 (RFC 2246, 1999), and the two do not interoperate even though TLS 1.0 carries the internal version number 3.1. It is important to bear these two points in mind when debugging and troubleshooting TLS connection problems. In addition, TLS uses the keyed-hash message authentication code (HMAC) construction both for record integrity and in its pseudo-random function for key derivation, replacing the ad hoc MAC of SSL 3.0. The Fortezza cipher suites of SSL are not carried over into TLS. TLS also has more alert messages than SSL: 23 alert descriptions versus 12 in SSL 3.0. Most important, TLS keeps and refines the handshake protocol, which lets the client and server authenticate each other (server authentication with a certificate is the normal case; client certificates are optional) and agree on keys before any application data is exchanged. TLS 1.0 and 1.1 are themselves deprecated (RFC 8996); new deployments should require TLS 1.2 or 1.3.
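The practical consequence of the SSL and TLS history above is configuration: a client that skips certificate verification or accepts old protocol versions gets none of the three objectives. The following example is added here and is not code from the original article; it uses only Python's standard ssl module, and the function names (legacy_context, hardened_context, audit, open_https) are my own. It places a careless legacy client configuration beside a hardened one and audits both. Note that a current Python/OpenSSL build will not speak SSL 2.0 or 3.0 at all, so the weakest floor the legacy context can request is an old TLS version.

```python
"""Weak versus hardened TLS client settings with Python's ssl module."""
import socket
import ssl


def legacy_context() -> ssl.SSLContext:
    """A careless legacy setup: no certificate check, no hostname check, and the
    oldest protocol version the OpenSSL build will still negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE       # any certificate is accepted: no authentication
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a client should use: system CA store, mandatory verification,
    hostname matching, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "allows_pre_tls12": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "min_version": ctx.minimum_version.name,
    }


def open_https(host: str, ctx: ssl.SSLContext, port: int = 443) -> str:
    """Connect with the given context and report the negotiated protocol
    version (needs network access; not exercised by the audit above)."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, audit(ctx))
```

The legacy context is exactly what many "disable SSL errors" snippets produce: with CERT_NONE the handshake still encrypts, but the client has no idea who it is talking to, so an interceptor can present any certificate. The hardened context is the default that create_default_context already gives you plus an explicit TLS 1.2 floor.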
swIPe IP Security Protocol (swIPe)
swIPe is an experimental IP-layer security protocol proposed in 1993; it predates IPsec and influenced its design. It was developed to provide end-to-end protection of IP traffic. It encapsulates each IP datagram in a swIPe packet (IP protocol number 53) that carries an authentication field and, optionally, an encrypted payload. The objectives of swIPe were to ensure authentication, integrity, and confidentiality of IP datagrams at the network layer. It was deliberately not designed to manage keys or policy; those were left to separate mechanisms. The IPsec Encapsulating Security Payload (ESP) serves the same datagram-protection purpose today.
Secure Remote Procedure Call (S-RPC)
S-RPC (Secure RPC) is a secure client-server protocol operating at the application layer of the OSI and TCP/IP models. Many applications work by request and response between a client and a server across the network: a program on the client side requests a service, data, or other resources from a program on the server side, the server answers, and the exchange is synchronous, with the client blocked until the reply arrives. This pattern is the remote procedure call (RPC). In an RPC deployment, authenticating the client effectively is usually more important than encrypting the data traffic. Secure RPC therefore gives each user and host a public/private key pair generated with Diffie-Hellman, and uses the Diffie-Hellman common key shared by a client and server to protect a conversation key with which each request is authenticated. Caveat: Sun's original Secure RPC (AUTH_DES) used a 192-bit Diffie-Hellman modulus, which is far too small to resist discrete-logarithm attacks, so it must not be treated as providing meaningful security today.
Secure Electronic Transaction (SET)
SET is a set of protocols developed specifically to secure online financial transactions, primarily credit card payments among cardholders, merchants, and banks. Its early supporters were card networks and browser vendors such as Mastercard, Visa, Microsoft, and Netscape. SET issues a digital certificate to each party; each certificate carries a unique public key used to verify that party's identity and to encrypt data for it. Its distinctive feature is the dual signature: the cardholder signs the hash of the order information and the hash of the payment information together, so the merchant can verify the order without seeing the card details and the bank can verify the payment without seeing what was bought. Each party therefore decrypts only the part of the message meant for it. Despite the endorsement of Mastercard and Visa, SET was never widely deployed: its need for client certificates and wallet software made it cumbersome, and it was abandoned in favour of lighter schemes such as 3-D Secure that rely on SSL/TLS between browser and merchant.

There are hundreds of protocols working at various levels of the OSI and TCP/IP network models. SSL, TLS, SET, SKIP, swIPe, and S-RPC are some of the key examples that can help in understanding other communication protocols.
An Overview of Authentication Protocols
Secure communication protocols place substantial emphasis on authentication. It is important not to confuse authentication with authorization: the former establishes who the individual or organization is, via username, password, tokens, or other devices; the latter decides what the identified party is allowed to access. Authentication is the decisive first step, because every authorization decision depends on it. Terabytes of accurate and credible information about individuals and financial transactions circulate on the Internet every second. Identity theft and forged authentication information can cause considerable harm to the victim, so authentication protocols act as the guardian that denies access to malicious actors. The following three examples are Point-to-Point Protocol (PPP) authentication protocols:
Password Authentication Protocol (PAP)
PAP is an old, simple authentication protocol that sends the user name and password in plain text. It authenticates once, when the link is established. The security level of PAP is the lowest of the three because anyone who can read the link (a passive eavesdropper, not even an active man-in-the-middle) learns the password. PAP also has no way to change a password during authentication once it has expired. It survives only where nothing better is supported, for example some non-Windows operating systems and Serial Line Internet Protocol (SLIP) servers; where it must be used, the link itself should be encrypted.
Challenge Handshake Authentication Protocol (CHAP)
CHAP is a superior authentication protocol compared with PAP. It uses a three-way handshake to authenticate without sending the secret: the authenticator begins by sending a random challenge string to the peer (client); the peer replies with an MD5 hash computed over the packet identifier, the shared secret, and the challenge; and the authenticator, which holds the same secret, computes the same hash and returns Success or Failure. Nothing is encrypted; the protection comes from the one-way hash and from the freshness of the challenge. CHAP may repeat the exchange at intervals during the session with a new challenge and identifier, so a captured response is useless for replay. Two caveats remain: an eavesdropper who records a challenge and its response can test candidate secrets offline, so weak secrets are still recoverable, and the authenticator must store secrets in recoverable form, which makes its credential database a high-value target.
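The PAP and CHAP descriptions above are easiest to compare on the wire. The following example is added here and is not code from the original article; the credentials, the peer name, the wordlist, and the class and function names are constructed for illustration. It builds PAP and CHAP packets in the RFC 1334 / RFC 1994 layouts, runs the three-way CHAP exchange between an authenticator and a peer, shows that the PAP password is visible while the CHAP secret is not, that a captured CHAP response fails when replayed against a fresh challenge, and that a captured challenge/response pair still allows offline guessing of a weak secret.

```python
"""PAP and CHAP (RFC 1334 / RFC 1994) side by side: what an eavesdropper on the
PPP link sees, why a captured CHAP response cannot be replayed, and why a weak
shared secret is still guessable offline."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed credentials for the example (not from any real system).
NAME = b"alice"
SECRET = b"correct horse battery staple"
USER_DB = {NAME: SECRET}        # the authenticator must hold the secret in the clear for CHAP

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP packet codes (RFC 1994 section 4)


def pap_request(name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: a fresh identifier and challenge per attempt, each accepted once."""
    def __init__(self, db):
        self.db, self.ident, self.pending = db, 0, {}

    def challenge(self) -> bytes:
        self.ident = (self.ident + 1) & 0xFF    # Identifier changes with every challenge
        chal = os.urandom(16)                   # unpredictable Challenge Value
        self.pending[self.ident] = chal
        return chap_packet(CHALLENGE, self.ident, chal, b"nas1")

    def verify(self, response: bytes) -> bool:
        code, ident, value, name = parse_chap(response)
        chal = self.pending.pop(ident, None)    # one shot: a replay finds nothing pending
        if code != RESPONSE or chal is None or name not in self.db:
            return False
        return hmac.compare_digest(chap_value(ident, self.db[name], chal), value)


def chap_peer_response(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """Client side: hash the challenge with the secret; the secret never leaves the peer."""
    _, ident, chal, _ = parse_chap(challenge_pkt)
    return chap_packet(RESPONSE, ident, chap_value(ident, secret, chal), name)


def offline_guess(challenge_pkt: bytes, response_pkt: bytes, wordlist) -> Optional[bytes]:
    """What an eavesdropper can do with one captured exchange: test candidates offline."""
    _, ident, chal, _ = parse_chap(challenge_pkt)
    _, _, value, _ = parse_chap(response_pkt)
    for guess in wordlist:
        if chap_value(ident, guess, chal) == value:
            return guess
    return None


def demo() -> dict:
    auth = ChapAuthenticator(USER_DB)
    pap_wire = pap_request(NAME, SECRET)            # PAP: the password itself is on the wire
    chal1 = auth.challenge()                        # CHAP: a normal three-way exchange,
    resp1 = chap_peer_response(chal1, NAME, SECRET) # captured by a passive listener
    ok = auth.verify(resp1)
    auth.challenge()                                # new challenge issued later
    replay_ok = auth.verify(resp1)                  # attacker resends the captured response
    guessed = offline_guess(chal1, resp1, [b"password", b"letmein", SECRET])  # constructed wordlist
    return {"pap_password_on_wire": SECRET in pap_wire,
            "chap_secret_on_wire": SECRET in chal1 + resp1,
            "chap_ok": ok, "chap_replay_ok": replay_ok, "offline_guess": guessed}


if __name__ == "__main__":
    print(demo())
```

The wordlist deliberately contains the secret to show that CHAP's protection is only as good as the secret's entropy: the hash is fast to compute, so an attacker with a captured pair can try millions of candidates per second.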
Extensible Authentication Protocol (EAP)
EAP can be applied beyond PPP to wireless and wired networks (IEEE 802.1X). The user's device (the supplicant) requests a connection through an access point. The access point asks for the user's identity and forwards it to an authentication server, typically over RADIUS. The server then issues a challenge to the user; the access point relays the challenge and the user's proof of identity between the two, and only when the server returns EAP-Success does the access point open its port and connect the user to the network. The access point never holds the credentials; it is a pass-through. EAP is a framework rather than a single method, so there are many EAP methods, each defining its own authentication exchange. Examples include EAP-MD5, EAP-TLS and EAP-TTLS. The framework supports mechanisms ranging from token cards, smartcards, and one-time passwords to public-key authentication, and it allows third-party vendors to add custom methods, including biometric ones such as retina scans, voice recognition, and fingerprint identification. Not every method suits every network: EAP-MD5 provides no server authentication and derives no session key, so it is unsuitable for wireless, where EAP-TLS, EAP-TTLS or PEAP should be used; the EAP identity response is also sent in the clear, which is why tunnelled methods send an anonymous outer identity. The growing demands on authentication call for stronger and more complete cryptographic methods.
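The pass-through flow described above, as an added example that is not part of the original article: the supplicant, the access point and the authentication server are modelled as three small classes exchanging EAP packets in the RFC 3748 layout, with EAP-MD5 (Type 4) as the method. The credentials, the names radius1 and alice, and all class and function names are constructed for illustration. The point to observe is that the access point contains no credential store at all, opens its port only on EAP-Success, and that the identity crosses the link in the clear while the secret never does.

```python
"""EAP (RFC 3748) through a pass-through authenticator. The supplicant and the
authentication server exchange EAP packets; the access point only relays them
and opens its port on EAP-Success. Method used here: EAP-MD5 (Type 4)."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4    # EAP Codes
IDENTITY, MD5_CHALLENGE = 1, 4                      # EAP Types

USER_DB = {b"alice": b"wifi-secret-42"}             # constructed credentials for the example


def eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt: bytes) -> Tuple[int, int, Optional[int], bytes]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:length]


def md5_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value = MD5(Identifier || secret || challenge), as in CHAP."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class AuthServer:
    """Holds the credential database; talks only to the authenticator."""
    def __init__(self, db):
        self.db, self.ident, self.pending = db, 0, {}    # pending: ident -> (name, challenge)

    def handle(self, pkt: bytes) -> bytes:
        code, ident, eap_type, data = parse_eap(pkt)
        if code == RESPONSE and eap_type == IDENTITY:
            self.ident = (self.ident + 1) & 0xFF
            chal = os.urandom(16)
            self.pending[self.ident] = (data, chal)
            return eap(REQUEST, self.ident, MD5_CHALLENGE, bytes([16]) + chal + b"radius1")
        if code == RESPONSE and eap_type == MD5_CHALLENGE:
            name, chal = self.pending.pop(ident, (None, None))
            value = data[1:1 + data[0]]
            if name in self.db and hmac.compare_digest(value, md5_value(ident, self.db[name], chal)):
                return eap(SUCCESS, ident)
        return eap(FAILURE, ident)


class Supplicant:
    """The user's device. Knows the secret; never sends it."""
    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def handle(self, pkt: bytes) -> Optional[bytes]:
        code, ident, eap_type, data = parse_eap(pkt)
        if code == REQUEST and eap_type == IDENTITY:
            return eap(RESPONSE, ident, IDENTITY, self.name)   # identity travels in the clear
        if code == REQUEST and eap_type == MD5_CHALLENGE:
            chal = data[1:1 + data[0]]
            value = md5_value(ident, self.secret, chal)
            return eap(RESPONSE, ident, MD5_CHALLENGE, bytes([16]) + value + self.name)
        return None                                            # Success/Failure: nothing to answer


class AccessPoint:
    """Pass-through authenticator (802.1X style): no credentials, a relay and a port flag."""
    def __init__(self, server: AuthServer):
        self.server, self.port_open, self.wire = server, False, []

    def run(self, supplicant: Supplicant) -> bool:
        pkt = eap(REQUEST, 0, IDENTITY)          # the authenticator opens with Request/Identity
        while True:
            self.wire.append(pkt)
            resp = supplicant.handle(pkt)
            if resp is None:
                return self.port_open
            self.wire.append(resp)
            pkt = self.server.handle(resp)       # everything from the supplicant goes to the server
            if parse_eap(pkt)[0] in (SUCCESS, FAILURE):
                self.port_open = parse_eap(pkt)[0] == SUCCESS
                self.wire.append(pkt)            # final result is forwarded; nothing more to relay
                return self.port_open


def demo(secret: bytes = b"wifi-secret-42") -> dict:
    ap = AccessPoint(AuthServer(USER_DB))
    granted = ap.run(Supplicant(b"alice", secret))
    captured = b"".join(ap.wire)                 # what an eavesdropper on the link sees
    return {"granted": granted,
            "identity_in_clear": b"alice" in captured,
            "secret_in_clear": secret in captured}


if __name__ == "__main__":
    print(demo())
    print(demo(b"wrong-secret"))
```

Because EAP-MD5 yields no keying material, the access point in this model has nothing with which to encrypt the session after EAP-Success; a real wireless deployment needs a method such as EAP-TLS or PEAP that exports keys to the authenticator.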