Authentication protocol evolution timeline:
- PAP was standardized in 1992 by way of IETF Request for Comments 1334 as one of the Point-to-Point Protocol (PPP) authentication methods.
- CHAP August 1996
- MS-CHAP 1996
- EAP introduced in 1996 as an extension to the Point-to-Point Protocol (PPP).
- EAP-MSCHAPv2 (Microsoft, 1999)
- LEAP (Lightweight Extensible Authentication Protocol) - 2000, Cisco, for wireless
- EAP-TLS - 2000; Microsoft and Cisco contributed, but it is an open-standard protocol
- EAP-TTLS introduced by Funk Software in 2001
- EAP-FAST (Flexible Authentication via Secure Tunneling) was introduced by Cisco Systems in 2003.
- PEAP (Protected EAP) - created by RSA, Microsoft and Cisco in 2003
- EAP-GTC (Generic Token Card) Cisco Systems in 2004.
- TEAP (Tunneled Extensible Authentication Protocol) was introduced by Cisco Systems in 2007.
EAP Chaining:
- EAP (Extensible Authentication Protocol) chaining refers to a method of using multiple EAP methods sequentially during the authentication process.
- In EAP chaining, each EAP method used in the chain performs a specific authentication task, such as user authentication, key exchange, or certificate validation. The output of one EAP method serves as input to the next EAP method in the chain.
EAP type:
There are two types of EAP: native EAP and tunneled EAP.
- Native EAP
  - EAP-MD5 (Extensible Authentication Protocol - Message Digest 5) was introduced in 1996
  - EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)
  - EAP-MSCHAPv2 (Microsoft, 1999)
  - EAP-GTC (Generic Token Card), Cisco Systems, 2004
- Tunneled EAP (an outer TLS tunnel carrying an inner native EAP method)
  - PEAP (Protected EAP)
  - EAP-FAST (Flexible Authentication via Secure Tunneling)
Protocol to support AAA:
RADIUS
- The RADIUS (Remote Authentication Dial-In User Service) protocol was originally developed by Livingston Enterprises (later part of Lucent Technologies) in 1991 as a way to manage and authenticate users accessing dial-up networks.
- In 1997 the Internet Engineering Task Force (IETF) standardized RADIUS in RFC 2058 and RFC 2059.
TACACS / TACACS+
- The TACACS (Terminal Access Controller Access-Control System) protocol was introduced by BBN Technologies in the 1980s. It was a proprietary protocol providing centralized authentication, authorization, and accounting (AAA) services for managing network access to UNIX-based systems.
- The original TACACS protocol was later replaced by TACACS+ (TACACS Plus), developed by Cisco Systems in the mid-1990s.
- TACACS+ introduced improvements by adding support for more features and enhanced security mechanisms.
How the various authentication protocols work:
- Password Authentication Protocol (PAP):
  - PAP was one of the earliest authentication protocols used in networking.
  - It sends usernames and passwords in plain text, making it vulnerable to eavesdropping attacks.
- Challenge-Handshake Authentication Protocol (CHAP):
  - CHAP was introduced as a more secure alternative to PAP.
  - It uses a challenge-response mechanism to authenticate users, protecting against replay attacks.
- Extensible Authentication Protocol (EAP):
  - EAP was introduced to provide a framework for supporting multiple authentication methods within network protocols.
  - It allows for flexibility and interoperability by enabling the use of various authentication mechanisms.
- Protected Extensible Authentication Protocol (PEAP):
  - PEAP is an extension of EAP that provides a secure authentication framework by establishing a TLS tunnel for authentication.
  - It protects against eavesdropping and man-in-the-middle attacks by encrypting authentication credentials.
- EAP-TLS (EAP-Transport Layer Security):
  - EAP-TLS uses TLS to provide mutual authentication between clients and servers using digital certificates.
  - It offers strong security features, including mutual authentication and encryption of communication.
- Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2):
  - MS-CHAPv2 is a proprietary authentication protocol developed by Microsoft.
  - It is commonly used within the EAP framework for VPN connections and supports mutual authentication.
- Tunneled Extensible Authentication Protocol (TEAP):
  - TEAP is an extension of EAP designed for use in wireless networks.
  - It provides enhanced security and flexibility by allowing the encapsulation of multiple EAP methods within a single authentication conversation.
- Biometric Authentication:
  - Biometric authentication methods, such as fingerprint scanning and facial recognition, have become increasingly popular for user authentication.
  - They offer convenience and strong security by using unique biological characteristics for authentication.
- Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA):
  - 2FA and MFA combine multiple authentication factors, such as passwords, biometrics, and one-time codes, to enhance security.
  - They provide an additional layer of protection against unauthorized access.
- OAuth and OpenID Connect:
  - OAuth and OpenID Connect are modern protocols commonly used for web-based authentication and authorization.
  - They enable secure access to resources across different websites and applications without sharing passwords.
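The PAP and CHAP entries above are the point where the difference is easiest to see in code. The following is an added example, not part of these notes: a PAP Authenticate-Request that carries the password as-is, beside the RFC 1994 CHAP computation (Response = MD5(Identifier || secret || Challenge), which EAP-MD5 reuses), with a server that issues one fresh challenge per attempt so that a captured response is useless against the next challenge. The secret and peer name are constructed values.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"  # configured on both peers; never transmitted


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP (RFC 1334): the Authenticate-Request carries Peer-ID and Password as-is.
    Anyone capturing the PPP link reads the password straight out of the packet."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994 sec. 4.1): Response Value = MD5(Identifier || secret || Challenge).
    EAP-MD5 (RFC 3748 sec. 5.4) uses the same construction inside an EAP frame."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: one fresh random challenge per attempt, consumed on verification."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # (identifier, challenge) currently awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)  # unpredictable and unique per attempt (RFC 1994 sec. 2.3)
        self.outstanding = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        expected = chap_response(identifier, self.secret, self.outstanding[1])
        self.outstanding = None  # a challenge can be answered only once
        return hmac.compare_digest(expected, response)


def run_demo() -> tuple:
    """Returns (legitimate_login_ok, replayed_response_ok); the second must be False."""
    server = ChapAuthenticator(SECRET)
    ident, chal = server.challenge()
    captured = chap_response(ident, SECRET, chal)  # the value an eavesdropper would see
    legit_ok = server.verify(ident, captured)
    ident2, _ = server.challenge()  # next login attempt gets a different challenge
    replay_ok = server.verify(ident2, captured)  # old response no longer matches
    return legit_ok, replay_ok
```

Running `run_demo()` returns `(True, False)`: the genuine response passes, the replayed one fails because the MD5 input now contains a different challenge and identifier.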