Chapter 14 - 05 - Discuss Other Applications of Cryptography - 01_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Cryptography Module @ Discuss Cryptographic Security Techniques Cryptography Flow O Discuss Various Cryptographic Algorithms : Discuss Various Hash Functions and Cryptography Tools Discuss PKI and Certificate Management Concepts Discuss Other Applications of Cryptography Discuss Other Applications of Cryptography This section discusses other important applications of cryptographic techniques. Module 14 Page 1731 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Authentication Protocols: Password Authentication Protocol (PAP) It is the most basic form of authentication Username and password are transmitted over a network and the server evaluates them against the credentials stored in its local database table Passwords stored in the table are encrypted, however the transmission of the passwords are in clear text and unencrypted. This is the main weakness with PAP. The Basic Authentication feature built into the HTTP protocol uses PAP.. ‘ Username and password is sent in clear text.................................................................... Remote PC If the username and password are valid, client is authenticated Server Authentication Protocols: Password Authentication Protocol (PAP) Password Authentication Protocol (PAP) is the simplest form of authentication. With PAP, username and password are transmitted over a network and the server evaluates them against the credentials stored its local database table. Typically, the passwords stored in the table are encrypted; however, the transmission of the passwords are in cleartext and unencrypted. This is the main weakness with PAP. The Basic Authentication feature built into HTTP uses PAP. Username and password is sent in clear text l.l.ll.l.l..Il-I.lll..lIll.l'l'lI.l...'l..l.l..l.l.l.ll..'ll..l-) i — e | S S St i T S35 Remote PC === A | (l.ll.lllll..ll.l..l.llll..llll...'lll'l...llllllIlIl-l.-.ll.I.ll If the username and password are valid, client is authenticated Server Figure 14.49: Working of PAP Module 14 Page 1732 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Authentication Protocols: Shiva Password Authentication Protocol (S-PAP) o1 Proprietary version of PAP 02 Most experts consider SPAP somewhat more secure than PAP because both username and password are encrypted before being transmitting over the network B o Username and password are sent encrypted. if the username and password are valid, client is authenticated Remote PC Server Authentication Protocols: Shiva Password Authentication Protocol (S-PAP) Shiva Password Authentication Protocol (SPAP) is an extension to PAP that does encrypt the username and password that is sent over the Internet. SPAP is a proprietary version of PAP. Most experts consider SPAP somewhat more secure than PAP. This is because both username and password are encrypted before being transmitting over the network, unlike PAP which sends them in cleartext. Username and password are sent encrypted T T PP P TP P T TR LIS = If the username and password are valid, client is authenticated Server Remote PC Figure 14.50: Working of S-PAP Module 14 Page 1733 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Challenge-Handshake Authentication Protocol (CHAP) After Link Establishment phase, the authenticator sends a "challenge” message to the peer The peer responds with a value calculated using a "one- way hash" function The authenticator checks the response against its own calculation of the expected hash value o If the values match, the authentication is acknowledged o If not, the connection should be terminated At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3 Copyright © by EC-C 1. All Rights Reserved, ReproductionIs Strictly Prohibited. Challenge-Handshake Authentication Protocol (CHAP) Challenge-Handshake Authentication Protocol (CHAP) calculates a hash soon after the user gets logged in, then it shares that hash with the client system. Periodically, the server will ask the client to provide that hash (this is the challenge part). If the client cannot, then it is clear that the communication has been compromised. MS-CHAP is a Microsoft-specific extension to CHAP. The process for CHAP is as follows: 1. After the link establishment phase is complete, the authenticator sends a “challenge” message to the peer. 2. The peer responds with a value calculated using a hash function. 3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is terminated. 4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1to 3. Example of CHAP: MS-CHAP v2 Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is the successor of MS-CHAP v1 and CHAP developed by Microsoft for handling authentication. MSCHAP v2 uses Point-to-point Tunneling Protocol version 3 (PPTPv3) for password authentication in RADIUS servers and PPTP-based VPNs; it is further employed as the authentication method in Protected Extensible Authentication Protocol (PEAP). The MS-CHAPv2 implementation includes some new features such as a mutual validation mechanism between peers and a password changing feature for expired passwords in RADIUS servers. Microsoft has recommended implementing or upgrading to MS-CHAP v2 encapsulated with PPTP to protect VPNs running in a nonsecure channel. Module 14 Page 1734 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.