PPP Authentication Protocols

Other versions of this page are also available for the following:

  • Windows Mobile: Not Supported
  • Windows Embedded CE: Supported

8/28/2008

The Windows Embedded CE implementation of PPP supports the following authentication protocols:

  • Password Authentication Protocol (PAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge-Handshake Authentication Protocol (Microsoft CHAP)
  • Microsoft Challenge Handshake Authentication Protocol version 2.0 (Microsoft CHAP V2)
  • Extensible Authentication Protocol - Transport Level Security (EAP-TLS)
  • Protected Extensible Authentication Protocol (PEAP)

Password Authentication Protocol (PAP)

PAP is a simple, clear-text authentication scheme. The network authentication server (NAS) requests the user name and password, and PAP returns them in clear text (unencrypted). This authentication scheme is not secure because a third party could capture the user name and password and use them to gain subsequent access to the NAS and all of the resources the NAS provides. PAP provides no protection against replay attacks or remote-client impersonation once the user's password is compromised.

Microsoft Challenge-Handshake Authentication Protocol (Microsoft CHAP)

Microsoft CHAP is an encrypted authentication mechanism very similar to CHAP. As in CHAP, the NAS sends a challenge, which consists of a session ID and an arbitrary challenge string, to the remote client. The remote client must return the user name and an MD4 hash of the challenge string, the session ID, and the MD4-hashed password. This design, which manipulates a hash of the MD4 hash of the password, provides an additional level of security over CHAP because it allows the server to store hashed passwords instead of clear-text passwords. Microsoft CHAP also provides additional error codes, including a password-expired code, and additional encrypted client-server messages that permit users to change their passwords. In the Microsoft implementation of Microsoft CHAP, both the client and the NAS independently generate an initial key for subsequent data encryption by MPPE. This last point is very important, as it explains why Microsoft CHAP authentication is required to enable MPPE-based data encryption.
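To make the contrast between the PAP and challenge-handshake sections above concrete, the following added Python example (not code from this page or from the Windows Embedded CE PPP implementation) builds a PAP Authenticate-Request payload as framed in RFC 1334 and shows that a capture of the link decodes straight back to the password, then runs a challenge/response exchange using standard CHAP with MD5 (RFC 1994), in which only a random challenge and a 16-byte hash cross the link and a captured response is rejected against any later challenge. The RFC 1994 formula is used because it is public and simple; it is not the Microsoft CHAP computation described above. The user name, password and the `ChapAuthenticator` class are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed credentials for the demonstration; not real accounts.
USERNAME = "ce-device-01"
PASSWORD = "correct horse battery staple"


def pap_authenticate_request(username: str, password: str) -> bytes:
    """Payload of a PAP Authenticate-Request (RFC 1334): Peer-ID and Password,
    each as a length byte followed by the clear-text value."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def parse_pap_request(payload: bytes) -> tuple[str, str]:
    """Decode the two fields; this is all a capture of the link needs to do."""
    ulen = payload[0]
    user = payload[1:1 + ulen].decode()
    plen = payload[1 + ulen]
    pw = payload[2 + ulen:2 + ulen + plen].decode()
    return user, pw


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Constructed authenticator (NAS side). Each challenge is random, tied to an
    identifier, and discarded after one verification attempt, so a captured
    response is useless against any later challenge."""

    def __init__(self, secrets: dict[str, str]) -> None:
        self._secrets = secrets            # RFC 1994 needs the clear-text secret
        self._pending: dict[int, bytes] = {}
        self._next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256   # Identifier is one octet
        chal = os.urandom(16)
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self._pending.pop(ident, None)       # consume: one attempt only
        if chal is None or name not in self._secrets:
            return False
        expected = chap_response(ident, self._secrets[name], chal)
        return hmac.compare_digest(expected, response)


def run_demo() -> dict[str, bool]:
    """Run both exchanges and report what an observer of the link learns."""
    # PAP: the captured payload decodes straight back to the credentials.
    captured = pap_authenticate_request(USERNAME, PASSWORD)
    pap_leaks_password = parse_pap_request(captured) == (USERNAME, PASSWORD)

    # CHAP: the observer sees the challenge and the 16-byte response only.
    nas = ChapAuthenticator({USERNAME: PASSWORD})
    ident, chal = nas.challenge()
    resp = chap_response(ident, PASSWORD, chal)
    chap_accepted = nas.verify(ident, USERNAME, resp)
    password_on_wire = PASSWORD.encode() in (chal + resp)

    # Replaying the captured response: a fresh challenge gives a different
    # expected hash; the old identifier's challenge is already consumed.
    ident2, _ = nas.challenge()
    replay_fresh_challenge = nas.verify(ident2, USERNAME, resp)
    replay_old_identifier = nas.verify(ident, USERNAME, resp)

    return {
        "pap_leaks_password": pap_leaks_password,
        "chap_accepted": chap_accepted,
        "password_on_wire": password_on_wire,
        "replay_fresh_challenge": replay_fresh_challenge,
        "replay_old_identifier": replay_old_identifier,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The example also shows the limitation the Microsoft CHAP design above addresses: RFC 1994 CHAP requires the authenticator to hold the secret in clear text so that it can recompute the hash, whereas working from a hash of the password lets the server store hashed passwords instead.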

CHAP and Microsoft CHAP V2 are supported by both PPP and Extensible Authentication Protocol (EAP); TLS and PEAP are supported only when PPP uses EAP. For more information about these protocols, see EAP Authentication Protocols.

See Also

Concepts

Point-to-Point Protocol

Other Resources

Extensible Authentication Protocol
EAP Authentication Protocols