Point-to-Point Protocol (PPP) Security - PowerPoint PPT Presentation

Slides: 18
Provided by: waynes6
Transcript and Presenter's Notes


1
Point-to-Point Protocol (PPP) Security
  • Connecting to remote access servers (RASs)
  • PPP authentication
  • PPP confidentiality
  • Point-to-Point Tunneling Protocol (PPTP)

2
PPP
  • Point-to-Point Protocol (PPP)
  • Data link layer protocol
  • Created for dialing into a network's remote
    access server (RAS)
  • Then get access to internal resources
  • Also used for dialing into an ISP

[Diagram: client connected to the RAS over a PPP connection]
3
PPP
  • Authentication
  • Optional in PPP
  • If done, it is done during the authentication phase
    of PPP's initial negotiation process
  • Which authentication protocol is used (if any) is
    itself negotiated by LCP when the link is established

[Diagram: client tells the RAS "I am X" over the PPP connection]
4
PPP
  • PPP offers several authentication options
  • Password Authentication Protocol (PAP)
  • Challenge-Handshake Authentication Protocol (CHAP)
  • MS-CHAP: Microsoft's version of CHAP
  • Extensible Authentication Protocol (EAP)
  • Not equally strong: PAP sends the password in the
    clear, CHAP and MS-CHAP are only as strong as the
    shared secret, and EAP's strength depends on the
    method it negotiates

5
PPP
  • Password Authentication Protocol (PAP)
  • Applicant sends the verifier one or more PAP
    Authenticate-Request messages giving the
    applicant's user name and password
  • Stops sending when the verifier answers with an
    Authenticate-Ack message (or an Authenticate-Nak)
    or sends a termination message

[Diagram: applicant → RAS: PAP Auth RQ (repeated); RAS → applicant: PAP Auth ACK]
6
PPP
  • Password Authentication Protocol (PAP)
  • Password is sent in the clear (without
    confidentiality), so PAP is dangerous: anyone who
    can read the link (or the tunnel carrying it)
    reads the password

[Diagram: the PAP Auth RQ sent to the RAS contains the user's unencrypted password]
7
PPP
  • Password Authentication Protocol (PAP)
  • Authentication is done only once, at the
    beginning of the session
  • If the session is taken over by an impostor,
    there is no further authentication check
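
The following is an added example, not part of the original slides: it builds a PAP Authenticate-Request exactly as it goes on the wire (RFC 1334 layout: Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password, inside a PPP frame with protocol 0xC023) and then shows what a passive observer on the link gets by parsing it. The frames, the user name "alice" and the password "hunter2" are constructed for this illustration.

```python
"""Added example: PAP credentials are readable by anyone who sees the frame.

PAP packet (RFC 1334): Code(1) Identifier(1) Length(2), then for an
Authenticate-Request: Peer-ID-Length(1) Peer-ID Passwd-Length(1) Password.
All sample traffic below is constructed; nothing here is from the slides.
"""
import struct
from typing import Optional, Tuple

PPP_PROTO_PAP = 0xC023   # PPP protocol number for PAP
PPP_PROTO_CHAP = 0xC223  # PPP protocol number for CHAP (used for the negative sample)
PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3


def build_pap_auth_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Applicant side: build the Authenticate-Request as transmitted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, identifier, 4 + len(body)) + body


def ppp_frame(protocol: int, information: bytes) -> bytes:
    """HDLC-like PPP framing (RFC 1662, FCS omitted): Address 0xFF, Control 0x03, Protocol."""
    return bytes([0xFF, 0x03]) + struct.pack("!H", protocol) + information


def parse_pap_auth_request(packet: bytes) -> Tuple[int, bytes, bytes]:
    """Return (identifier, peer_id, password); raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("truncated PAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQ:
        raise ValueError(f"not an Authenticate-Request (code {code})")
    # Minimum request is header + empty Peer-ID + empty Password = 6 bytes.
    if length < 6 or length > len(packet):
        raise ValueError("bad PAP Length field")
    body = packet[4:length]
    id_len = body[0]
    peer_id = body[1:1 + id_len]
    rest = body[1 + id_len:]
    if len(peer_id) != id_len or not rest:
        raise ValueError("truncated Peer-ID")
    pw_len = rest[0]
    password = rest[1:1 + pw_len]
    if len(password) != pw_len:
        raise ValueError("truncated Password")
    return identifier, peer_id, password


def recover_pap_credentials(frame: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Passive observer: (user, password) if the frame is a PAP request, else None."""
    if len(frame) < 4 or frame[0] != 0xFF or frame[1] != 0x03:
        return None
    protocol = struct.unpack("!H", frame[2:4])[0]
    if protocol != PPP_PROTO_PAP:
        return None
    _, peer_id, password = parse_pap_auth_request(frame[4:])
    return peer_id, password


# Constructed sample traffic: one PAP request and one CHAP frame to show the filter.
SAMPLE_PAP_FRAME = ppp_frame(PPP_PROTO_PAP, build_pap_auth_request(1, b"alice", b"hunter2"))
SAMPLE_CHAP_FRAME = ppp_frame(PPP_PROTO_CHAP, b"\x01\x01\x00\x0a\x04\xde\xad\xbe\xefras")

if __name__ == "__main__":
    print(recover_pap_credentials(SAMPLE_PAP_FRAME))   # (b'alice', b'hunter2')
    print(recover_pap_credentials(SAMPLE_CHAP_FRAME))  # None
```

Nothing in the recovery step involves a key or a guess: the password is a length-prefixed field in the packet. That is the whole argument against PAP anywhere the link is not already encrypted.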

8
PPP
  • Challenge-Handshake Authentication Protocol (CHAP)
  • Verifier (RAS) sends a CHAP authentication request
    (Challenge) message containing a random challenge
    value
  • Applicant must respond with a Response message

[Diagram: RAS → applicant: CHAP ARQ message; applicant → RAS: CHAP Resp message]
9
PPP
  • CHAP
  • This may be done several times per session, with a
    fresh random challenge each time, for ongoing
    authentication to ensure that the session has not
    been hijacked (taken over by an impostor)

10
PPP
  • CHAP
  • The applicant and verifier have a shared secret
  • Applicant combines the shared secret with the
    challenge from the request message (in RFC 1994
    CHAP: the message identifier, then the secret, then
    the challenge value) and hashes the combination
    with MD5 to produce the response message

[Diagram: CHAP Authentication Request Message + Shared Secret → Hash → CHAP Authentication Response Message]
11
PPP
  • CHAP
  • Verifier combines the shared secret with its own
    copy of the request message in the same way, then
    hashes the combination
  • If this matches the transmitted response message,
    the applicant knows the shared secret and so is
    authenticated
  • Caveat: the verifier must hold the secret in a form
    it can hash with (cleartext or equivalent), so a
    compromised RAS exposes every user's secret

[Diagram: Original Authentication Request Message + Shared Secret → Hash → Computed Authentication Response Message, compared with the Transmitted Authentication Response Message]
12
PPP
  • MS-CHAP
  • Microsoft's version of CHAP
  • The shared secret is the user's password for the
    remote access server (RAS), so no separate CHAP
    secret has to be provisioned
  • Unlike RFC 1994 CHAP, the response is not an MD5
    hash; MS-CHAP (RFC 2433) and MS-CHAPv2 (RFC 2759)
    derive it from the Windows NT password hash with DES

[Diagram: MS-CHAP Authentication Request Message + RAS Password → Hash → MS-CHAP Authentication Response Message]
13
PPP
  • MS-CHAP
  • Realistic in terms of how RASs usually work
  • Only as strong as the password, which often is
    very weak: an attacker who captures a single
    challenge/response pair can test password guesses
    offline, where lockouts and rate limits do not apply
  • Must enforce strong passwords

[Diagram: same MS-CHAP flow as on the previous slide]
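
The block below is an added example, not part of the original slides, covering the two points made on the CHAP slides and the MS-CHAP slides above: first the challenge/response exchange of RFC 1994 CHAP with the MD5 algorithm (response = MD5(identifier || secret || challenge)), with both the applicant and the verifier implemented and each challenge usable only once; then the offline dictionary attack that an eavesdropper can run on one captured challenge/response pair, which is why a CHAP-style protocol whose secret is a user-chosen password (the MS-CHAP situation) is only as strong as that password. MS-CHAP itself uses a DES-based NT-hash response rather than MD5, so the attack is shown against standard CHAP; the principle carries over unchanged. The RAS name, the user "alice", the secret and the wordlist are constructed for this example.

```python
"""Added example (not from the slides): RFC 1994 CHAP (MD5) exchange, both sides,
plus the offline guessing attack on a captured challenge/response pair.
Names, secrets and the wordlist are constructed for this illustration."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, Optional, Tuple

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge Value).
    This is the slides' "add the shared secret to the request, then hash"."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_chap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_chap_packet(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or length < 5:
        raise ValueError("bad CHAP Length field")
    value_size = packet[4]
    value = packet[5:5 + value_size]
    if len(value) != value_size or 5 + value_size > length:
        raise ValueError("truncated Value")
    return code, identifier, value, packet[5 + value_size:length]


class Verifier:
    """RAS side. CHAP needs the secret in recoverable (hashable) form on the verifier."""

    def __init__(self, name: bytes, secrets: Dict[bytes, bytes]):
        self.name, self.secrets, self.pending = name, secrets, {}

    def challenge(self, identifier: Optional[int] = None) -> bytes:
        """Issue a fresh random challenge; may be repeated mid-session to re-authenticate."""
        if identifier is None:
            identifier = os.urandom(1)[0]
        self.pending[identifier] = os.urandom(16)
        return build_chap_packet(CHAP_CHALLENGE, identifier, self.pending[identifier], self.name)

    def verify(self, response_packet: bytes) -> bool:
        code, identifier, value, name = parse_chap_packet(response_packet)
        challenge = self.pending.pop(identifier, None)   # each challenge is single-use
        secret = self.secrets.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(value, expected)      # constant-time comparison


def applicant_respond(challenge_packet: bytes, name: bytes, secret: bytes) -> bytes:
    """Applicant side: hash the challenge with the secret and send the Response."""
    code, identifier, value, _ras_name = parse_chap_packet(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge")
    return build_chap_packet(CHAP_RESPONSE, identifier,
                             chap_response_value(identifier, secret, value), name)


def guess_secret(challenge_packet: bytes, response_packet: bytes,
                 wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Eavesdropper with one captured Challenge/Response pair: offline dictionary attack.
    No further contact with the RAS is needed, so lockout or rate limiting cannot help."""
    _, identifier, challenge, _ = parse_chap_packet(challenge_packet)
    _, _, response, _ = parse_chap_packet(response_packet)
    for candidate in wordlist:
        if chap_response_value(identifier, candidate, challenge) == response:
            return candidate
    return None


# Constructed demo data: a weak, dictionary-style secret.
WORDLIST = [b"password", b"letmein", b"123456", b"summer2004"]
RAS = Verifier(b"ras", {b"alice": b"summer2004"})

if __name__ == "__main__":
    ch = RAS.challenge()
    resp = applicant_respond(ch, b"alice", b"summer2004")
    print("authenticated:", RAS.verify(resp))                 # True
    print("replayed:", RAS.verify(resp))                      # False: challenge already consumed
    print("guessed secret:", guess_secret(ch, resp, WORDLIST))  # b'summer2004'
```

The replay check shows why re-challenging during the session (slide 9) works: the response is bound to one random challenge and cannot be reused. The guessing function shows the limit of that protection: the challenge stops replay but does nothing against an attacker who can compute the hash as fast as the hardware allows, so the secret, not the protocol, sets the strength.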
14
PPP
  • Extensible Authentication Protocol (EAP)
  • During the authentication phase of the initial PPP
    negotiation, the parties merely agree that EAP will
    be used
  • After this very limited negotiation, EAP itself
    negotiates how authentication will be done (which
    EAP method), so PPP need not change to add methods

[Diagram: client ↔ RAS: "Agree to use EAP, negotiate more later"]
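
As an added example (not from the slides) tying together the list of authentication options on slide 4 and the "merely agree to use EAP" point above: the choice between PAP, CHAP (with an algorithm byte that distinguishes CHAP-MD5, MS-CHAP and MS-CHAPv2) and EAP is carried in one LCP option, Authentication-Protocol (type 3, RFC 1661), inside the Configure-Request sent by the side that demands authentication. The decoder below pulls that option out of a PPP frame and attaches a verdict, which is the check you would run over a capture or in a detection rule to see what a RAS is willing to negotiate. All frames are constructed; the verdict strings are this example's own.

```python
"""Added example (not from the slides): decode the LCP Authentication-Protocol option
(RFC 1661 option type 3) from a PPP LCP Configure-Request. Sample frames are constructed."""
import struct
from typing import List, Optional, Tuple

PPP_PROTO_LCP = 0xC021
LCP_CONFIGURE_REQUEST = 1
OPT_AUTH_PROTOCOL = 3

AUTH_PAP, AUTH_CHAP, AUTH_EAP = 0xC023, 0xC223, 0xC227
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}

# Verdicts are this example's own summary of the slides' "not equally strong" point.
VERDICT = {
    "PAP": "reject: password travels in cleartext",
    "MS-CHAP": "reject: deprecated, superseded by MS-CHAPv2",
    "CHAP-MD5": "caution: captured exchange allows offline guessing of the secret",
    "MS-CHAPv2": "caution: captured exchange allows offline guessing of the password",
    "EAP": "depends on the EAP method negotiated afterwards",
}


def parse_lcp(lcp_packet: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Return (code, identifier, [(option_type, option_data), ...])."""
    if len(lcp_packet) < 4:
        raise ValueError("truncated LCP header")
    code, identifier, length = struct.unpack("!BBH", lcp_packet[:4])
    if length < 4 or length > len(lcp_packet):
        raise ValueError("bad LCP Length field")
    options, pos = [], 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        otype, olen = lcp_packet[pos], lcp_packet[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError("bad option length")
        options.append((otype, lcp_packet[pos + 2:pos + olen]))
        pos += olen
    return code, identifier, options


def decode_auth_protocol(data: bytes) -> str:
    """Authentication-Protocol option data: 2-byte protocol, plus an Algorithm byte for CHAP."""
    if len(data) < 2:
        raise ValueError("option too short")
    proto = struct.unpack("!H", data[:2])[0]
    if proto == AUTH_PAP:
        return "PAP"
    if proto == AUTH_CHAP:
        if len(data) != 3:
            raise ValueError("CHAP option must carry exactly one Algorithm byte")
        return CHAP_ALGORITHMS.get(data[2], f"CHAP-algorithm-0x{data[2]:02x}")
    if proto == AUTH_EAP:
        return "EAP"
    return f"unknown-0x{proto:04x}"


def requested_authentication(frame: bytes) -> Optional[str]:
    """Auth method an LCP Configure-Request asks for; None if not such a frame or no auth requested."""
    if len(frame) < 4 or frame[:2] != b"\xff\x03":
        return None
    if struct.unpack("!H", frame[2:4])[0] != PPP_PROTO_LCP:
        return None
    code, _, options = parse_lcp(frame[4:])
    if code != LCP_CONFIGURE_REQUEST:
        return None
    for otype, data in options:
        if otype == OPT_AUTH_PROTOCOL:
            return decode_auth_protocol(data)
    return None   # authentication is optional in PPP; this peer did not ask for it


def verdict(frame: bytes) -> str:
    method = requested_authentication(frame)
    if method is None:
        return "no authentication requested"
    return f"{method}: {VERDICT.get(method, 'unrecognised method')}"


def build_auth_option(proto: int, algorithm: Optional[int] = None) -> bytes:
    data = struct.pack("!H", proto) + (bytes([algorithm]) if algorithm is not None else b"")
    return bytes([OPT_AUTH_PROTOCOL, 2 + len(data)]) + data


def build_lcp_configure_request(identifier: int, options: bytes) -> bytes:
    lcp = struct.pack("!BBH", LCP_CONFIGURE_REQUEST, identifier, 4 + len(options)) + options
    return b"\xff\x03" + struct.pack("!H", PPP_PROTO_LCP) + lcp


MRU_1500 = bytes([1, 4, 0x05, 0xDC])   # MRU option, shown alongside to exercise the option walk
SAMPLE_PAP = build_lcp_configure_request(1, MRU_1500 + build_auth_option(AUTH_PAP))
SAMPLE_MSCHAPV2 = build_lcp_configure_request(2, build_auth_option(AUTH_CHAP, 0x81))
SAMPLE_EAP = build_lcp_configure_request(3, build_auth_option(AUTH_EAP) + MRU_1500)
SAMPLE_NOAUTH = build_lcp_configure_request(4, MRU_1500)

if __name__ == "__main__":
    for f in (SAMPLE_PAP, SAMPLE_MSCHAPV2, SAMPLE_EAP, SAMPLE_NOAUTH):
        print(verdict(f))
```

One practical caveat the decoder makes visible: the peer may answer a Configure-Request with a Configure-Nak proposing a different Authentication-Protocol, so a RAS that is willing to fall back from CHAP or EAP to PAP on a Nak has gained nothing from offering the stronger option first.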
15
PPP
  • PPP Confidentiality
  • Optional (not mandatory)
  • Negotiated using the PPP Encryption Control Protocol
    (ECP, RFC 1968); ECP runs once the link is up and
    authentication has completed, before encrypted data
    is carried

[Diagram: confidential message from the client to the RAS]
16
PPP
  • PPP Confidentiality
  • The standardized options are DES-CBC (RFC 2419) and
    3DES-CBC (RFC 2420)
  • Neither is adequate today: 56-bit DES can be
    brute-forced and ECP adds no integrity check, so a
    modern deployment carries PPP inside a tunnel such
    as IPsec or TLS instead
  • Cipher block chaining (CBC) is discussed under
    IPsec in this chapter

[Diagram: confidential message from the client to the RAS]
17
PPP
  • PPP Confidentiality Encapsulation
  • Encrypt the PPP frame's protocol and information
    fields with DES-CBC or 3DES-CBC
  • Put the encrypted result, preceded by a sequence
    number, in the data field of a new PPP frame whose
    protocol field (0x0053, Encrypted datagram) tells
    the receiver to decrypt it
  • Send the frame to the RAS, which decrypts it and
    then processes the inner frame as usual

[Diagram: New PPP Header | Encrypted PPP Frame in Data Field | New PPP Trailer]