Password Authentication Protocol (PAP) Security Explained
PAP, or password authentication protocol, is a point-to-point protocol (PPP) authentication method that uses passwords to validate users. It is an internet standard (RFC 1334), password-based authentication protocol.
PAP does not encrypt the credentials it carries; the username and password are sent to the authentication server as plain text. PAP uses a two-way handshake to authenticate users based on their provided username and password.
When used in PPP, the password authentication protocol is considered a weak authentication scheme. Since data is unencrypted, it is vulnerable and visible to a bad actor who is able to view the PPP session.
Using CHAP (challenge-handshake authentication protocol) can add an extra layer of security to the PPP session by adding a three-way handshake process. PAP is a standard login procedure used as a PPP method for authenticating users.
Understanding PAP security (password authentication protocol)
Password authentication protocol is a password-based, client-server PPP authentication method. It is simple and easy to implement.
Using a two-way handshake, PAP authenticates users in two steps, which are as follows:
- The user, or client, attempting to establish a PPP session with the server sends a username and password to the server through an authentication-request packet.
- The server, listening for requests, accepts these credentials and verifies that they match what is stored in the system. If they match, an authentication-ack response packet is sent back to the user and the server establishes the PPP session between the server and user. If the credentials do not match, the PPP session is not established and an authentication-nak response packet is sent back to the user.
The password authentication protocol sends data in plain text, which can then be vulnerable to packet sniffer attacks where bad actors intercept network traffic, are able to view the PPP session, and can steal usernames and passwords. There are ways to send PAP authentication requests through encrypted channels, but alternative methods such as CHAP are often used instead.
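The two-way handshake above, worked as an added example in Python (not code from the original page): it builds and decodes PAP packets in the RFC 1334 wire format (Code, Identifier, Length, then Peer-ID and Password with one-byte length prefixes), and shows that decoding a captured Authenticate-Request yields the password unchanged. The credential store and the "alice" account are constructed sample values.

```python
import struct
import hmac

# PAP packet codes (RFC 1334, section 2.2)
AUTH_REQUEST, AUTH_ACK, AUTH_NAK = 1, 2, 3


def build_auth_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Authenticate-Request: Code, Identifier, Length, Peer-ID-Length,
    Peer-ID, Passwd-Length, Password. Nothing here is encrypted or hashed."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", AUTH_REQUEST, identifier, 4 + len(body)) + body


def build_response(code: int, identifier: int, message: bytes) -> bytes:
    """Authenticate-Ack (2) or Authenticate-Nak (3): Msg-Length, Message."""
    body = bytes([len(message)]) + message
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_pap(packet: bytes) -> dict:
    """Decode a PAP packet; anyone who can see the PPP link can do the same."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad PAP Length field")
    data = packet[4:length]
    if code == AUTH_REQUEST:
        n = data[0]
        if len(data) < 2 + n:
            raise ValueError("truncated Peer-ID")
        peer_id, m = data[1:1 + n], data[1 + n]
        password = data[2 + n:2 + n + m]
        if len(password) != m:
            raise ValueError("truncated Password")
        return {"code": code, "id": identifier, "peer_id": peer_id, "password": password}
    return {"code": code, "id": identifier, "message": data[1:1 + data[0]]}


# Constructed server-side credential store (sample values, not real accounts)
CREDENTIALS = {b"alice": b"s3cret-pass"}


def server_handle(packet: bytes) -> bytes:
    """Server half of the handshake: verify the credentials with a constant-time
    comparison and reply with Authenticate-Ack or Authenticate-Nak."""
    req = parse_pap(packet)
    expected = CREDENTIALS.get(req["peer_id"])
    if expected is not None and hmac.compare_digest(expected, req["password"]):
        return build_response(AUTH_ACK, req["id"], b"Login ok")
    return build_response(AUTH_NAK, req["id"], b"Login incorrect")
```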
Where PAP is used
With PAP, instead of the server sending a login request prompt and then waiting for the user to respond, the username and password are sent to a remote access server in an LCP (link control protocol) packet. Some uses for PAP include the following:
- Instances where CHAP is not supported (not all software supports CHAP)
- When simulating a login at a remote host requiring a simple plaintext password to be available
- In the event of inconsistency issues, such as when different vendors have varied implementations of CHAP
Difference between PAP & CHAP
PAP uses a two-way handshake process where the client sends their credentials to the server, the server verifies them, and the user is authenticated. CHAP uses a three-way handshake process. This adds an extra layer of security in the authentication process over password authentication protocol, helping to protect credentials from bad actors.
CHAP was created to address security vulnerabilities within the PAP point-to-point authentication method.
Unlike PAP, CHAP does not send the password across the network. Instead, CHAP uses cryptographic methods, which include the use of an encrypted hash for which both the server and client have the secret key.
CHAP can also be set up to run authentications repeatedly mid-session to keep threat actors from picking up a P