Skip to main content

Password Authentication Protocol

A password authentication protocol (PAP) is an authentication protocol that uses a password.

PAP is used by Point to Point Protocol to validate users before allowing them access to server resources. Almost all network operating system remote servers support PAP.

PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP (the latter is actually a framework).

Password-based authentication is the protocol where two entities share a password in advance and use the password as the basis of authentication. Existing password authentication schemes can be categorized into two types: weak-password authentication schemes and strong-password authentication schemes. When compared to strong-password schemes, weak-password schemes tend to have lighter computational overhead, the designs are simpler, and implementation is easier, making them especially suitable for some constrained environments.

Working cycle

  • Client sends username and password
  • Server sends authentication-ack (if credentials are OK) or authentication-nak (otherwise)

PAP Packets

Description

1 byte 1 byte 2 bytes 1 byte Variable 1 byte Variable
Authentication-request Code = 1 ID Length Username length Username Password length Password
Authentication-ack Code = 2 ID Length Message length Message
Authentication-nak Code = 3 ID Length Message length Message

PAP packet embedded in a PPP frame. The protocol field has a value of C023 (hex).

Flag Address Control Protocol (C023 (hex)) Payload (table above) FCS Flag

Source: Wikipedia, Google