22 Chapter 1 • General Security Concepts: Access Control, Authentication, and Auditing
CHAP is used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment, and may be repeated anytime after the link has been established.
1. After the link establishment phase is complete, the authenticator sends a "challenge" message to the peer.
2. The peer responds with a value calculated based on an ID value, a random value, and the password using a "one-way hash" function such as MD5.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection should be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3.
CHAP operates in conjunction with PPP to provide protection of the credentials presented for authentication, and to verify connection to a valid resource. It does not operate with encrypted password databases, and therefore is not as strong a protection as other levels of authentication. The shared secrets may be stored on both ends as a cleartext item, making the secret vulnerable to compromise or detection. CHAP may also be configured to store a password using one-way reversible encryption, which uses the one-way hash noted earlier. This provides protection to the password, because the hash must match the client wishing to authenticate with the server that has stored the password with the hash value. CHAP is better than Password Authentication Protocol (PAP), however, since PAP sends passwords across the network in cleartext.
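The four handshake steps above and the CHAP-versus-PAP comparison, as an added worked example that is not code from the textbook: a small Python model of the RFC 1994 exchange in which an authenticator issues a random challenge, the peer answers with MD5(Identifier || secret || Challenge), and the authenticator recomputes the hash from its own copy of the secret. The peer name, the shared secret and the sample packets are constructed for the demonstration; the Challenge/Response packet layout follows RFC 1994 and the PAP Authenticate-Request layout follows RFC 1334. The last function shows why the text rates PAP lower: the password is present as-is in the PAP packet bytes and absent from the CHAP response.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet Code values (RFC 1994, section 4)
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value), RFC 1994 s4.1."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def encode_value_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response layout: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def decode_value_packet(packet: bytes):
    code, identifier, length, value_size = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or 5 + value_size > length:
        raise ValueError("malformed CHAP packet")
    return code, identifier, packet[5:5 + value_size], packet[5 + value_size:]


class Authenticator:
    """Server side. It must hold each peer's secret in a form it can feed to MD5
    (effectively cleartext), which is the storage weakness the text describes."""

    def __init__(self, name: bytes, secrets: dict):
        self.name, self.secrets = name, secrets
        self.identifier = 0
        self.outstanding = {}  # Identifier -> Challenge Value awaiting a Response

    def challenge(self) -> bytes:
        # Step 1 (and step 4 on each repeat): a fresh random challenge with a new ID
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)
        self.outstanding[self.identifier] = value
        return encode_value_packet(CHALLENGE, self.identifier, value, self.name)

    def verify(self, response: bytes) -> bool:
        # Step 3: recompute the expected hash and compare in constant time
        code, identifier, value, peer_name = decode_value_packet(response)
        challenge = self.outstanding.pop(identifier, None)  # each challenge is single-use
        secret = self.secrets.get(peer_name)
        if code != RESPONSE or challenge is None or secret is None:
            return False
        return hmac.compare_digest(value, chap_digest(identifier, secret, challenge))


class Peer:
    """Client side: the secret itself never leaves the peer, only the hash does."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, challenge_packet: bytes) -> bytes:
        # Step 2: hash the Identifier, the secret and the challenge value
        code, identifier, value, _ = decode_value_packet(challenge_packet)
        if code != CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        digest = chap_digest(identifier, self.secret, value)
        return encode_value_packet(RESPONSE, identifier, digest, self.name)


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): Peer-ID and Password are sent as-is."""
    length = 4 + 1 + len(peer_id) + 1 + len(password)
    return (struct.pack("!BBH", 1, identifier, length)
            + bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password)


# Constructed sample credentials for the demonstration (not real values)
SECRET = b"correct horse battery"
SERVER = Authenticator(b"nas1", {b"alice": SECRET})


def run_handshake(peer: Peer, server: Authenticator = SERVER) -> bool:
    """Steps 1 to 3 once; returns the authenticator's decision."""
    return server.verify(peer.respond(server.challenge()))


def replay_is_rejected(peer: Peer, server: Authenticator = SERVER) -> bool:
    """A captured Response reused after a new challenge (step 4) must fail."""
    first = peer.respond(server.challenge())
    accepted_once = server.verify(first)
    server.challenge()  # authenticator moves on to a new Identifier and value
    return accepted_once and not server.verify(first)


def secret_on_wire(peer: Peer, server: Authenticator = SERVER) -> dict:
    """Contrast: is the shared secret visible in the bytes each protocol sends?"""
    pap = pap_authenticate_request(1, peer.name, peer.secret)
    chap = peer.respond(server.challenge())
    return {"pap": peer.secret in pap, "chap": peer.secret in chap}
```

The authenticator discards a challenge value as soon as a response for its Identifier arrives, so a response recorded from one exchange cannot be presented again, which is the property the periodic re-challenge in step 4 relies on. The `secrets` dictionary makes the text's storage caveat concrete: the server needs the secret in hashable form, so protecting that store matters as much as protecting the wire.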
Certificates
Certificates are created by a trusted third party called a Certification Authority (CA), which may also be called a Certificate Authority. CAs are systems that create, distribute, store, and validate digitally created signature and identity verification information about machines, individuals, and services. This CA may be a commercially available service point, such as Verisign or Thawte. A CA can also be created within an enterprise to manage and create certificates that are used only within an organization or with trusted partners. A certificate from a reputable provider indicates that the server being accessed is legitimate. CAs may also grant certificates for software signing. This process indicates to the individual downloading the software that it has been manufactured or written by the specified individual or company. The path for
www.syngress.com