RRAS Routing and Remote Access Service (Farsi User Guide)
Resource: Windows 2000 Server Resource kit Internetworking Guide

Winteacher.com > Part2 > RRAS > Step1 > PPP Authentication Protocols

PPP Authentication Protocols

A Point-to-Point connection is one of the things a RAS Server uses, so to keep the Server and the Client safe from Hacker attacks there is a set of Protocols that protect both of them while the connection is being established. The types of these Protocols are listed below.

Extensible Authentication Protocol (EAP)

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 and version 2

Shiva Password Authentication Protocol (SPAP)

Challenge Handshake Authentication Protocol (CHAP)

Password Authentication Protocol (PAP)

These Protocols behave differently on the Server and on the Client.

An attack on you happens when someone on the Internet captures or otherwise obtains a Packet from a Connection that has successfully connected to the server, and then uses that Packet to try to establish a Connection with the RAS Server.

An attack on the RAS Client happens in a different way: someone takes hold of an active Connection and waits until the User connects to the server through it; the Hacker, having obtained the Parameters of that Connection, then Disconnects you or the User from the network and takes control of that Connection. Of course, by attacking with different User names and Passwords, he can eventually obtain the Password. This is why it is said that a Password should always be more than 8 characters.

An attack on the server is completely different: a Computer presents itself to a RAS Client as the server, and after the server has gone through verifying that Client, it takes over all of that Client's Traffic. Of course, this Computer can even pass as the very server the Client had in mind.

Password Authentication Protocol (PAP)

The steps of this Protocol are as follows. In the first step the Client sends the server a message requesting to be identified; this Packet carries the User Name and Password and has no protection at all, so a Hacker can easily Read these Packets, which is why its security is very low. In the second step the server replies whether the User name and Password are correct or not; if they are correct, the connection is established.

PAP is a simple exchange of messages:

  1. The remote access client sends a PAP Authenticate-Request message to the remote access server containing the remote access client's user name and password in clear text.

  2. The remote access server checks the user name and password and sends back either a PAP Authenticate-Ack message when the user's credentials are correct, or a PAP Authenticate-Nak message when the user's credentials are not correct.

Shiva Password Authentication Protocol (SPAP)

In this type Encryption can be used, and it has more Security than PAP, but MS-CHAP v1 and v2 and CHAP are more secure than this Protocol.

The steps between the server and the Client are shown below.

Like PAP, SPAP is a simple exchange of messages:

  1. The remote access client sends an SPAP Authenticate-Request message to the remote access server containing the remote access client's user name and encrypted password.

  2. The remote access server decrypts the password, checks the user name and password, and sends back either an SPAP Authenticate-Ack message when the user's credentials are correct, or an SPAP Authenticate-Nak message with a reason why the user's credentials were not correct.

Challenge Handshake Authentication Protocol (CHAP)

This Protocol was created to mix a set of codes into the Packets exchanged between the Client and the Server, and it also encodes the Packets with the MD5 algorithm; it has Medium security and is used very widely. In this method an encoded String is sent to the server instead of the Password, whereas in PAP and SPAP the Password itself was sent to the server, and for this reason it has very high security. After receiving the code, the server determines whether the Password is correct or not. This Protocol protects the Client against a Hacker attack during Authentication.

In CHAP, then, the Password is sent to the server in encoded form.

CHAP authentication is an exchange of three messages:

  1. The remote access server sends a CHAP Challenge message containing a session ID and an arbitrary challenge string.

  2. The remote access client returns a CHAP Response message containing the user name in cleartext and a hash of the challenge string, session ID, and the client's password using the MD5 one-way hashing algorithm.

  3. The remote access server duplicates the hash and compares it to the hash in the CHAP Response. If the hashes are the same, the remote access server sends back a CHAP Success message. If the hashes are different, a CHAP Failure message is sent.

CHAP protects against replay attacks by using an arbitrary challenge string per authentication attempt. However, CHAP does not protect against remote server impersonation.

CHAP requires that local or domain passwords be stored in a reversibly encrypted form. For more information, see Windows 2000 Server Help.
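As an added example (not from the Resource Kit or this guide), the Python code below builds the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge/Response frames (RFC 1994) described in the PAP and CHAP steps above, shows what a passive observer on the link recovers from each, and runs the server-side CHAP check, including a captured Response replayed against a fresh challenge. The user name, password and server name are constructed sample values; the hash formula is the one RFC 1994 specifies.

```python
"""Added example (not from the Resource Kit): PAP and CHAP frames as a passive
observer on the PPP link sees them, plus the CHAP server-side check.
Frame layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP)."""
import hashlib
import hmac
import os
import struct

PAP_AUTHENTICATE_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_authenticate_request(ident, user, password):
    """PAP Authenticate-Request: Code, Identifier, Length, then
    Peer-ID-Length/Peer-ID and Passwd-Length/Passwd, all unprotected."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def observe_pap(frame):
    """What an eavesdropper recovers from a captured PAP request: everything."""
    code, _ident, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTHENTICATE_REQUEST or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    ulen = frame[4]
    user = frame[5:5 + ulen]
    plen = frame[5 + ulen]
    password = frame[6 + ulen:6 + ulen + plen]
    return {"user": user.decode(), "password": password.decode()}


def chap_challenge(ident, name, value=None):
    """CHAP Challenge: Code, Identifier, Length, Value-Size, Value, Name.
    A fresh random Value per attempt is what gives CHAP its replay protection."""
    value = os.urandom(16) if value is None else value
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(body)) + body


def chap_hash(ident, secret, challenge_value):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge_value).digest()


def chap_response(challenge_frame, name, secret):
    """Client side: hash the received challenge with its own copy of the secret."""
    code, ident, _length = struct.unpack("!BBH", challenge_frame[:4])
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    vsize = challenge_frame[4]
    digest = chap_hash(ident, secret, challenge_frame[5:5 + vsize])
    body = bytes([len(digest)]) + digest + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def observe_chap(response_frame):
    """What an eavesdropper recovers from a CHAP Response: the name in
    cleartext and a one-way hash, never the secret itself."""
    _code, _ident, length = struct.unpack("!BBH", response_frame[:4])
    vsize = response_frame[4]
    digest = response_frame[5:5 + vsize]
    name = response_frame[5 + vsize:length]
    return {"user": name.decode(), "hash": digest.hex()}


def chap_verify(challenge_frame, response_frame, secrets):
    """Server side. It recomputes the hash, so it needs the plaintext secret,
    which is why CHAP requires passwords stored in reversibly encrypted form."""
    c_code, c_ident, _ = struct.unpack("!BBH", challenge_frame[:4])
    r_code, r_ident, r_len = struct.unpack("!BBH", response_frame[:4])
    if c_code != CHAP_CHALLENGE or r_code != CHAP_RESPONSE or c_ident != r_ident:
        return CHAP_FAILURE
    value = challenge_frame[5:5 + challenge_frame[4]]
    rsize = response_frame[4]
    digest = response_frame[5:5 + rsize]
    name = response_frame[5 + rsize:r_len]
    secret = secrets.get(name)
    if secret is None:
        return CHAP_FAILURE
    expected = chap_hash(c_ident, secret, value)
    return CHAP_SUCCESS if hmac.compare_digest(expected, digest) else CHAP_FAILURE


def demo():
    """Run both exchanges on constructed sample credentials and report what an
    observer learns and whether the server accepts a replayed Response."""
    user, password = b"alice", b"s3cret-pw"      # constructed sample credentials
    secrets = {user: password}                   # the server's secret store
    pap_seen = observe_pap(pap_authenticate_request(1, user, password))
    chal1 = chap_challenge(7, b"ras-server")
    resp1 = chap_response(chal1, user, password)
    first = chap_verify(chal1, resp1, secrets)
    chap_seen = observe_chap(resp1)
    # Replay: the captured Response, presented against the server's next
    # Challenge (same Identifier, new random Value), no longer matches.
    chal2 = chap_challenge(7, b"ras-server")
    replayed = chap_verify(chal2, resp1, secrets)
    return {"pap_seen": pap_seen, "chap_seen": chap_seen,
            "first_attempt": first, "replay_attempt": replayed}


if __name__ == "__main__":
    print(demo())
```

Nothing in `observe_chap` lets the observer check a guessed password against the hash without also knowing the challenge value, but a capture that contains both the Challenge and the Response does allow offline guessing, which is the reason the guide's advice on password length matters even for CHAP. The example also makes visible that `chap_verify` needs the plaintext secret, and that nothing in the exchange lets the client confirm who issued the challenge, which is the server-impersonation gap the text mentions.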

Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1)

The steps of this Protocol are shown below. MS-CHAP v1 uses the MD4 algorithm. Its difference from CHAP is fully explained below.

Note: this Protocol can protect the Client against a Hacker attack.

The Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) is an encrypted authentication mechanism very similar to CHAP. As in CHAP, the remote access server sends a challenge to the remote client that consists of a session ID and an arbitrary challenge string. The remote client must return the user name and a Message Digest 4 (MD4) hash of the challenge string, the session ID, and the MD4-hashed password.

One difference between CHAP and MS-CHAP v1 is that, in CHAP, the plaintext version of the password must be available to validate the challenge response. With MS-CHAP v1, the remote access server only requires the MD4 hash of the password to validate the challenge response. In Windows 2000, the user's password is stored as an MD4 hash and in a reversibly encrypted form. When CHAP is used, the remote access server decrypts the reversibly encrypted password to validate the remote access client's response.

MS-CHAP v1 authentication is an exchange of three messages:

  1. The remote access server sends an MS-CHAP Challenge message containing a session ID and an arbitrary challenge string.

  2. The remote access client returns an MS-CHAP Response message containing the user name in cleartext and a hash of the challenge string, session ID, and the MD4 hash of the client's password using the MD4 one-way hashing algorithm.

  3. The remote access server duplicates the hash and compares it to the hash in the MS-CHAP Response. If the hashes are the same, the remote access server sends back an MS-CHAP Success message. If the hashes are different, an MS-CHAP Failure message is sent.

MS-CHAP v1 also allows for error codes including a "password expired" code and password changes. MS-CHAP v1 protects against replay attacks by using an arbitrary challenge string per authentication attempt. MS-CHAP v1 does not provide protection against remote server impersonation.

If MS-CHAP v1 is used as the authentication protocol and MPPE is negotiated, then shared secret encryption keys are generated by each PPP peer. MS-CHAP v1 also provides a set of messages that allows a user to change their password during the user authentication process.

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

MS-CHAP v2, however, is the most important and most complete Protocol available in Windows 2000 for security during Authentication. It is much stronger than its Version 1, and most importantly it protects against a Hacker attack on the Server and the Client at the same time. Its steps are shown below. In this type the server must identify the Client and the Client must also identify the server.

Windows 2000 includes support for Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) that provides stronger security for remote access connections. MS-CHAP v2 offers the additional security features:

  • LAN Manager encoding of responses and password changes is no longer supported.

  • Two-way authentication verifies the identity of both sides of the connection. The remote access client authenticates against the remote access server and the remote access server authenticates against the remote access client. Two-way authentication, also known as mutual authentication, ensures that the remote access client is dialing into a remote access server that has access to the user's password. Mutual authentication provides protection against remote server impersonation.

  • Separate cryptographic keys are generated for transmitted and received data.

  • The cryptographic keys are based on the user's password and the arbitrary challenge string. Each time the user connects with the same password, a different cryptographic key is used.

MS-CHAP v2 authentication is an exchange of three messages:

  1. The remote access server sends an MS-CHAP v2 Challenge message to the remote access client that consists of a session identifier and an arbitrary challenge string.

  2. The remote access client sends an MS-CHAP v2 Response message that contains:

    • The user name.

    • An arbitrary peer challenge string.

    • A Secure Hash Algorithm (SHA) hash of the received challenge string, the peer challenge string, the session identifier, and the MD4-hashed version of the user's password.

  3. The remote access server checks the MS-CHAP v2 Response message from the client and sends back an MS-CHAP v2 Response message containing:

    • An indication of the success or failure of the connection attempt.

    • An authenticated response based on the sent challenge string, the peer challenge string, the client's encrypted response, and the user's password.

  4. The remote access client verifies the authentication response and if it is correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.

Extensible Authentication Protocol (EAP)

This connection is of the Point-to-Point type. In MS-CHAP and SPAP you must be identified when the Connection starts and are not identified again for the duration of the connection, but in EAP you are not identified before the connection; rather, you are identified while the Connection is in use. In fact, once a connection has been established, no User or Computer other than you can access this Connection.

To make this clear, as an example: to establish a connection with a server, a Client must answer a series of questions the Server asks; if all of these questions are answered, the connection is established.

EAP has different types, and the questions differ in each type. These questions can be the system name, the User name, a PIN (Personal Identification Number), and so on. A PIN is mostly used to protect a SIM Card or a Smart Card. A Smart Card is a card that serves as an identifier for the User; various kinds are available on the market. These cards can be installed Internally in the system like a network card, or connected Externally to the system via USB and used. This type of Authentication Method has very high security. When identifying a person, the server looks at the card's serial number and a number of other things. The types of this Protocol are EAP-MD5 and EAP-TLS, which are explained below.

The Extensible Authentication Protocol (EAP) is an extension to PPP that allows for arbitrary authentication mechanisms to be employed for the validation of a PPP connection. With PPP authentication protocols such as MS-CHAP and SPAP, a specific authentication mechanism is chosen during the link establishment phase. Then, during the connection authentication phase, the negotiated authentication protocol is used to validate the connection. The authentication protocol itself is a fixed series of messages sent in a specific order.

With EAP, the specific authentication mechanism is not chosen during the link establishment phase. Instead, each PPP peer negotiates to perform EAP during the connection authentication phase. Once the connection authentication phase is reached, the PPP peers must first negotiate the use of a specific EAP authentication scheme known as an EAP type. Once the EAP type is agreed upon, EAP allows for an open-ended conversation between the remote access client and the remote access server that can vary based on the parameters of the connection. The conversation consists of requests for authentication information and the responses. The length and detail of the authentication conversation is dependent upon the EAP type.

For example, when EAP is used with security token cards, the remote access server could separately query the remote access client for a name, PIN, and card token value. As each query is asked and answered, the user passes through another level of authentication. When all questions have been answered satisfactorily, the user is authenticated and permitted access to the network.

The use of EAP is negotiated during LCP negotiation by specifying the authentication protocol LCP option (type 3) and the authentication protocol 0xC2-27. Once LCP negotiation is complete, EAP messages use the PPP Protocol ID of 0xC2-27. Windows 2000 includes support for the EAP-MD5 and EAP-TLS EAP types.

Architecturally, EAP is designed to allow authentication plug-in modules at both the client and server ends of a connection. By installing an EAP type library file on both the remote access client and the remote access server, a new EAP type can be supported. This presents vendors with the opportunity to supply a new authentication scheme at any time. EAP provides the highest flexibility in authentication uniqueness and variations.

EAP-MD5

In this type it works like CHAP: the User name and Password are sent to the server in encoded form through the MD5 algorithm. The steps are shown below.

EAP-MD5 is the CHAP authentication mechanism used within the EAP framework. Rather than negotiating to perform MD5 authentication during the link establishment phase, the authenticator and peer negotiate to do EAP during the connection authentication phase.

Once the connection authentication phase is reached, the following process verifies the client:

  1. The authenticator sends an EAP-Request message requesting the identity of the client.

  2. The client sends its user ID to the authenticator as an EAP-Response message.

  3. The authenticator sends an EAP-Request message containing the MD5 challenge string.

  4. The client sends the MD5 hash of its user ID and password to the authenticator as an EAP-Response message.

  5. If the response is proper, the authenticator sends a Success message to the client.

EAP-MD5 is a required EAP type and can be used to test EAP interoperability. Like CHAP, EAP-MD5 requires that local or domain passwords be stored in a reversibly encrypted form. For more information, see Windows 2000 Server Help.
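The five-step EAP-MD5 conversation above, as an added example that is not from the Resource Kit or this guide: both peers are modelled as small state machines exchanging EAP packets framed per RFC 3748 (Code, Identifier, Length, Type, Type-Data), with the EAP type negotiation the EAP section describes placed in front of it (the authenticator first offers EAP-TLS, the peer answers with a Nak naming MD5-Challenge). The credentials, the server name carried in the challenge and the `run_conversation` driver are assumptions of this example; the MD5-Challenge response value is the CHAP formula, as the text says.

```python
"""Added example (not from the Resource Kit): the EAP-MD5 conversation as EAP
packets framed per RFC 3748, with an EAP type negotiation (Nak) in front of it."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE, TYPE_TLS = 1, 3, 4, 13


def eap_packet(code, ident, payload=b""):
    """Code, Identifier, Length, then Type + Type-Data (absent for Success/Failure)."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(packet):
    """Return (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match the packet")
    return code, ident, (packet[4] if length > 4 else None), packet[5:]


class Authenticator:
    """Remote access server side: drives the conversation with EAP-Requests."""

    def __init__(self, secrets, offer_type=TYPE_TLS):
        self.secrets = secrets        # name -> password (plaintext, as CHAP needs)
        self.offer_type = offer_type  # the EAP type proposed first
        self.ident, self.peer_name, self.challenge = 0, None, None

    def _request(self, eap_type, data=b""):
        self.ident = (self.ident + 1) & 0xFF
        return eap_packet(EAP_REQUEST, self.ident, bytes([eap_type]) + data)

    def request_identity(self):                   # step 1
        return self._request(TYPE_IDENTITY)

    def request_md5(self):                        # step 3
        self.challenge = os.urandom(16)           # fresh per attempt (replay protection)
        data = bytes([len(self.challenge)]) + self.challenge + b"ras-server"
        return self._request(TYPE_MD5_CHALLENGE, data)

    def handle(self, packet):
        code, ident, eap_type, data = parse_eap(packet)
        if code != EAP_RESPONSE or ident != self.ident:
            return eap_packet(EAP_FAILURE, ident)
        if eap_type == TYPE_IDENTITY:             # step 2: the peer's user ID
            self.peer_name = data
            if self.offer_type == TYPE_MD5_CHALLENGE:
                return self.request_md5()
            return self._request(self.offer_type)
        if eap_type == TYPE_NAK:                  # peer rejected the offered type
            if data[:1] == bytes([TYPE_MD5_CHALLENGE]):
                return self.request_md5()
            return eap_packet(EAP_FAILURE, ident)
        if eap_type == TYPE_MD5_CHALLENGE and self.challenge is not None:
            got = data[1:1 + data[0]]
            secret = self.secrets.get(self.peer_name, b"")
            expected = hashlib.md5(bytes([ident]) + secret + self.challenge).digest()
            if secret and hmac.compare_digest(expected, got):
                return eap_packet(EAP_SUCCESS, ident)   # step 5
        return eap_packet(EAP_FAILURE, ident)


class Peer:
    """Remote access client side: speaks Identity, Nak and MD5-Challenge only."""

    def __init__(self, name, password):
        self.name, self.password = name, password

    def handle(self, packet):
        code, ident, eap_type, data = parse_eap(packet)
        if code != EAP_REQUEST:
            return None                               # Success/Failure ends it
        if eap_type == TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.name)
        if eap_type == TYPE_MD5_CHALLENGE:           # step 4
            challenge = data[1:1 + data[0]]
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            body = bytes([len(digest)]) + digest + self.name
            return eap_packet(EAP_RESPONSE, ident, bytes([TYPE_MD5_CHALLENGE]) + body)
        # Any other type: Nak listing the one type this peer supports
        return eap_packet(EAP_RESPONSE, ident, bytes([TYPE_NAK, TYPE_MD5_CHALLENGE]))


def run_conversation(auth, peer, max_rounds=8):
    """Shuttle packets until Success or Failure; return the EAP codes in order."""
    transcript, packet = [], auth.request_identity()
    for _ in range(max_rounds):
        transcript.append(parse_eap(packet)[0])
        reply = peer.handle(packet)
        if reply is None:
            break
        transcript.append(parse_eap(reply)[0])
        packet = auth.handle(reply)
    return transcript


if __name__ == "__main__":
    print(run_conversation(Authenticator({b"alice": b"s3cret-pw"}), Peer(b"alice", b"s3cret-pw")))
```

The transcript for the default run is Request, Response, Request, Response, Request, Response, Success: an identity round, a rejected type offer answered with a Nak, and then the MD5-Challenge round. Offering `TYPE_MD5_CHALLENGE` directly removes the Nak round, which shows how the length of the conversation depends on the EAP type and on what the peers negotiate, as the EAP section describes.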

EAP-TLS

This type works like SSL and is used to establish a Secure connection between two Applications, such as IE. Note: a connection over TLS is two-way, meaning the server must identify the Client and the Client must also identify the Server, and it has more security than EAP-MD5.

The Transport Layer Security (TLS) protocol, based on the Secure Sockets Layer, allows applications to communicate securely. TLS provides authentication (user and data), data integrity, and data confidentiality services. To achieve these services, TLS specifies a framework that allows the following:

  • Client and two-way authentication using symmetric or asymmetric encryption.

  • Negotiation of the specific encryption algorithm (the cipher-suite).

  • Secured exchange of encryption keys to be used for encrypting messages.

  • Message integrity and user authentication using a message authentication code.

For more information about the details of TLS, see RFC 2246. For more information about EAP-TLS, see RFC 2716.

EAP-TLS is the use of TLS during the establishment of a PPP connection. With EAP-TLS, mutual authentication between the PPP client and the authenticator is done through the exchange and verification of certificates. The client attempting the connection sends a user certificate, and the authenticator sends a machine certificate.

EAP-TLS is only supported on Windows 2000 Server remote access server computers that are a member of a Windows 2000 mixed or native domain. Stand-alone Windows 2000 remote access servers do not support EAP-TLS.

Unauthenticated Connections

Windows 2000 Server also supports another method of establishing a connection without checking the Client; in this method neither does the server identify the Client nor does the Client identify the server. This method can also be used over a WAN. The two methods below can be used for this.

There are two common cases where unauthenticated connections are desired:

  1. When using Automatic Number Identification/Calling Line Identification (ANI/CLI) authentication, the authentication of a connection attempt is based on the phone number of the caller. ANI/CLI service returns the number of the caller to the receiver of the call and is provided by most standard telephone companies.

    ANI/CLI authentication is different from caller ID authorization. In caller ID authorization, the caller sends a valid user name and password. The caller ID that is configured for the dial-in property on the user account must match the connection attempt; otherwise, the connection attempt is rejected. In ANI/CLI authentication, a user name and password are not sent.

  2. When using guest authentication, the Guest account is used as the identity of the caller.

LastUpdate:2005/04/05