Objective 6.4: User Authentication

Objective 6.4: Explain methods of user authentication

PKI (Public Key Infrastructure)Edit

The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. PKI is an arrangement that associates a public key with a user's identity by means of a certificate authority (CA). The user's identity must be unique for each CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user's identity, the public key, and their association with each other are made transparent in public key certificates issued by the CA.


Kerberos is the name of a computer network authentication protocol, which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner, and also a suite of free software published by Massachusetts Institute of Technology (MIT) which implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping or replay attacks.

AAA (Authentication, Authorization, and Accounting)Edit

RADIUS (Remote Authentication Dial In User Service)Edit

Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol for applications such as network access or IP mobility. It is intended to work in both local and roaming situations.

TACACS+ (Terminal Access Control Access Control System+)Edit

Network access controlEdit

IEEE 802.1xEdit

CHAP (Challenge Handshake Authentication Protocol)Edit

CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link, and may happen again at any time afterward. The verification is based on a shared secret (such as the client user's password).

MS-CHAP (Microsoft Handshake Authentication Protocol)Edit

MS-CHAP is the Microsoft version of the Challenge-handshake authentication protocol, CHAP.

Compared with CHAP, MS-CHAP:

  • provides an authenticator-controlled password change mechanism
  • provides an authenticator-controlled authentication retry mechanism
  • defines failure codes returned in the Failure packet message field

MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.

EAP (Extensible Authentication Protocol)Edit

Extensible Authentication Protocol, or EAP, is a universal authentication framework frequently used in wireless networks and Point-to-Point connections. It is defined by RFC 3748. Although the EAP protocol is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs. Recently, the WPA and WPA2 standard has officially adopted five EAP types as its official authentication mechanisms.

« Network Security
Objective 6.4: User Authentication
Objective 6.3: Network Access Security Objective 6.5: Device Security