Objective 6.4: User Authentication

From Wikibooks, open books for an open world

Objective 6.4: Explain methods of user authentication

PKI (Public Key Infrastructure)

The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. PKI is an arrangement that associates a public key with a user's identity by means of a certificate authority (CA). The user's identity must be unique for each CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user's identity, the public key, and their association with each other are made transparent in public key certificates issued by the CA.

Kerberos
Kerberos is the name of a computer network authentication protocol, which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner, and also a suite of free software published by Massachusetts Institute of Technology (MIT) which implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping or replay attacks.

AAA (Authentication, Authorization, and Accounting)

RADIUS (Remote Authentication Dial In User Service)

Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol for applications such as network access or IP mobility. It is intended to work in both local and roaming situations.

TACACS+ (Terminal Access Controller Access-Control System Plus)

Network access control

IEEE 802.1x

CHAP (Challenge Handshake Authentication Protocol)

CHAP is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link, and may happen again at any time afterward. The verification is based on a shared secret (such as the client user's password), which is never itself sent over the link.
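The three-way handshake described above, as an added example that is not part of the original page: a minimal CHAP authenticator and peer in Python following the RFC 1994 formula (Response Value = MD5(Identifier || secret || Challenge Value)), with a constructed shared secret, showing that the secret never crosses the link and that a response recorded from one handshake is rejected by the next challenge.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for this example; it is never sent on the link.
SHARED_SECRET = b"example-chap-secret"

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """PPP server side of the three-way handshake."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # challenge currently awaiting a response

    def challenge(self) -> tuple:
        # Step 1: new Identifier and a fresh random Challenge Value, so a
        # response captured earlier cannot be replayed later.
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = secrets.token_bytes(16)
        return self.identifier, self.outstanding

    def verify(self, identifier: int, response: bytes) -> bool:
        # Step 3: recompute the hash and answer Success (True) or Failure (False).
        if self.outstanding is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, self.secret, self.outstanding)
        self.outstanding = None  # each challenge is single-use
        return hmac.compare_digest(expected, response)

def peer_respond(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    # Step 2: the remote client proves knowledge of the secret without sending it.
    return chap_response(identifier, secret, challenge)

def run_handshake(auth: Authenticator, peer_secret: bytes) -> bool:
    identifier, challenge = auth.challenge()
    return auth.verify(identifier, peer_respond(identifier, challenge, peer_secret))

def replay_is_rejected(auth: Authenticator) -> bool:
    """A response recorded from one handshake fails the next periodic re-check."""
    ident1, chal1 = auth.challenge()
    recorded = peer_respond(ident1, chal1, auth.secret)
    auth.verify(ident1, recorded)
    ident2, _ = auth.challenge()
    return auth.verify(ident2, recorded) is False
```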

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)

MS-CHAP is the Microsoft version of the Challenge Handshake Authentication Protocol, CHAP.

Compared with CHAP, MS-CHAP:

  • provides an authenticator-controlled password change mechanism
  • provides an authenticator-controlled authentication retry mechanism
  • defines failure codes returned in the Failure packet message field

MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.

EAP (Extensible Authentication Protocol)

Extensible Authentication Protocol, or EAP, is a universal authentication framework frequently used in wireless networks and Point-to-Point connections. It is defined by RFC 3748. Although EAP is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs. The WPA and WPA2 standards have officially adopted five EAP types as their official authentication mechanisms.
