Network Sales and Services Handbook (Cisco Press Networking Technology)
Authentication is the first major component of a VPN. Authentication is the process of identifying the entity (user, router, or network device) requiring access. This authentication is often done by means of a cryptographic function, such as with challenge/response algorithms; for example, "I ask you a question and you give me the right answer."
The following sections discuss the other authentication methods:
Point-to-Point Tunneling Protocol Password Authentication Protocol/Challenge Handshake Protocol (PPTP-PAP/CHAP)
Digital certificates
Smart cards and hardware tokens/PKCS #11
RADIUS servers
Terminal Access Controller Access Control System Plus (TACACS+)
NOTE
PKCS #11 is Public-Key Cryptography Standard (PKCS) #11, defining a technology-independent programming interface called Cryptoki for cryptographic devices such as smart cards and PCMCIA cards.
PPTP-PAP/CHAP
Password Authentication Protocol (PAP) is the most insecure authentication method available today because both the username and password are sent across the link in clear text. Anyone monitoring the connection could collect and use the information to gain access to the network.
NOTE
Using PAP for authentication is not advisable.
The Challenge Handshake Authentication Protocol (CHAP) works as follows:
The client establishes a connection with the server and the server sends a challenge back to the client.
The client then performs a hash (mathematical) function, adds some extra information, and sends the response back to the server for verification.
The server looks in its database and computes the hash with the challenge.
If these two answers are the same, authentication succeeds.
While CHAP eliminates a dictionary attack, the hashing functions could still be attacked. CHAP also supports a periodic, user-transparent re-challenge of the client username/password during the session to protect against wiretapping.
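The exchange above with both sides' messages, as an added example that is not code from the book. It assumes the RFC 1994 form of CHAP, where the response is MD5 over the identifier octet, the shared secret and the challenge (the identifier is the "extra information" in step 2); the user name, secret and class name are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the user name and shared secret are made up.
SECRETS = {"alice": b"correct horse battery"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over identifier octet || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues challenges and verifies responses."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.identifier = 0
        self.pending = None  # (identifier, challenge) awaiting a response

    def new_challenge(self):
        # A fresh random challenge and a changed identifier for every round,
        # including the periodic re-challenges during the session.
        self.identifier = (self.identifier + 1) % 256
        self.pending = (self.identifier, os.urandom(16))
        return self.pending

    def verify(self, username, identifier, response):
        if self.pending is None or identifier != self.pending[0]:
            return False
        _, challenge = self.pending
        self.pending = None  # each challenge is answered at most once
        secret = self.secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = ChapServer(SECRETS)
    ident, challenge = server.new_challenge()
    answer = chap_response(ident, SECRETS["alice"], challenge)  # client side
    first = server.verify("alice", ident, answer)
    # Re-challenge: the response captured from round one no longer verifies.
    ident2, _ = server.new_challenge()
    replay = server.verify("alice", ident2, answer)
    return first, replay
```

The password never crosses the link, and a response recorded in one round is useless in the next because the challenge has changed.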
Technical Note: Dictionary Attacks
A dictionary attack is a threat to all passwords. An attacker who obtains some password-derived data, such as a hashed password, performs a series of computations using every possible guess for the password: a brute-force attack. Because passwords are small by cryptographic standards, the password can often be determined by this brute-force method. Depending on the system, the password, and the skills of the attacker, such an attack can be completed in days, hours, or a few seconds. The term dictionary attack initially referred to finding passwords in a specific list, such as an English dictionary. Today, a brute-force approach can compute common passwords, such as all five-letter combinations, on the fly instead of using a pre-built list. Because these threats are equivalent, the term dictionary attack is used in the broader sense to include all brute-force attacks.
Digital Certificates
Digital certificates include information about the owner of the certificate; therefore, when users visit the (secured) web site, their web browsers will check information on the certificate to see whether it matches the site information included in the URL. A digital certificate could be likened to a security driver's license.
NOTE
Certificates are issued by Certificate Authorities (CAs).
The contents of a digital certificate are shown here:
The certificate holder's identity
The certificate's serial number
A valid, unchangeable date for the transaction
The certificate's expiration dates
A copy of the certificate holder's public key for encryption and/or signature
Group name
City and state
Smart Cards and Hardware Tokens/PKCS #11
Smart cards are credit card-sized plastic cards with small chips embedded in them to store user information. Smart cards provide data portability, security, and convenience. A smart card is an access control device supporting different applications; it allows users to access personal and business data.
Like smart cards, hardware tokens are tamper-resistant, credit-card sized or smaller devices (a type of smart card) that users hold in their possession. An LCD on the card consists of six to eight digits, often changing every 60 seconds.
NOTE
The term software token identifies an application emulating a hardware token device.
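The book does not say how a token derives the digits on its display. As an added example (not from the book), here is a software token and the server-side check, assuming the open HOTP/TOTP construction of RFC 4226 and RFC 6238 with a 60-second step; the function names are illustrative and the seed is the RFC 4226 test key, not a real token seed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Code on the token display during the time step containing unix_time."""
    return hotp(secret, unix_time // step, digits)


def verify_code(secret, submitted, unix_time, step=60, digits=6, drift_steps=1):
    """Server check: accept the current step and +/- drift_steps of clock skew."""
    current = unix_time // step
    ok = False
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        # compare_digest avoids leaking how many digits matched through timing
        ok |= hmac.compare_digest(hotp(secret, counter, digits), submitted)
    return ok


# Constructed sample seed (the RFC 4226 test key), shared by token and server.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 60, 119, 120):
        print(t, token_code(SEED, t))
```

The drift window trades usability for a longer period in which an observed code is still accepted, so a server normally also records the last accepted step and refuses to accept it twice.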
RADIUS Servers
Remote Authentication Dial-In User Service (RADIUS) is a distributed system securing network remote access and network resources against unauthorized access.
RADIUS authentication includes two components:
Authentication server: Installed at the customer's site and holds all user authentication and network access information.
Client protocols: RADIUS works on the client sending authentication requests to the RADIUS server, and the client acts on server acknowledgements sent back to the client.
NOTE
RADIUS is not limited to dial-up service; many firewall vendors support a RADIUS server implementation.
TACACS+
With Terminal Access Controller Access Control System Plus (TACACS+), when the user attempts to log in, the network access server (NAS) asks the security server what to do instead of forwarding the name/password to some central server. The security server tells the network access server to initiate a command, such as prompt for the username/password. After the username/password combination has been entered, the TACACS+ server sends a permit or deny message to the NAS.
NOTE
Cisco Systems developed the TACACS+ protocol.