User authentication is widely applied and discussed in security services. Password authentication, the most widely used authentication method, is an important protocol that requires a username and password before access to resources is allowed. In an internet environment, a remote user has to obtain the access right from a server before doing any job; the procedure of obtaining that right is called a user authentication protocol. User authentication via a user-memorable password provides convenience without requiring any auxiliary device, such as a smart card. It is very common for a server in a network of resources to provide controlled access to the network or to applications residing within it. Therefore, the server must authenticate the client via username and password.
Overview of Password Authentication Protocol
Password authentication is one of the simplest and most convenient authentication mechanisms for handling secret data over insecure networks. It is widely required in areas such as computer networks, wireless networks, remote login systems, operating systems, and database management systems. To access resources at remote systems, users must have proper access rights, and one of the simplest and most convenient ways to enforce this is a password authentication scheme. Examples of password authentication applications include remote login systems, ATMs, PDAs, and database management systems. To access these resources, each user has an identifier (ID) and a password (PW), which are maintained by the remote system. When a user wants to log in to a remote server, he or she submits the ID and PW to the server. On receiving the login message, the remote server checks whether it can match the login message against its password (verification) table.
Password Authentication Protocol (PAP) is a simple user authentication protocol that does not encrypt the data: it sends the username and password to the authentication server as plain text. When the access server forwards PAP credentials to a RADIUS server, the password is not sent in the clear; instead it is hidden by combining it with an MD5 hash of a value that both the client and the server can construct.
This hiding works as follows:
1. In packets that carry the user password, the Authenticator field contains a 16-octet random number called the Request Authenticator.
2. The Request Authenticator and the client's shared secret are fed into an MD5 hash. The result is a 16-octet hash.
3. The user-provided password is padded to 16 octets with nulls.
4. The hash from step 2 is XORed (exclusive-OR) with the padded password. The result is sent in the packet as the User-Password attribute.
5. The RADIUS server calculates the same hash as in step 2.
6. The server XORs that hash with the packet data from step 4, recovering the password.
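The hiding and recovery steps above, as an added Python example that is not code from the original page. The shared secret, Request Authenticator and password are constructed sample values, and the example also implements the RADIUS chaining of further 16-octet blocks for passwords longer than 16 octets, which the text does not show.

```python
import hashlib

BLOCK = 16          # RADIUS hides the password in 16-octet blocks
MAX_PASSWORD = 128  # longest password the User-Password attribute can carry

def _pad(password: bytes) -> bytes:
    """Step 3: pad with NUL octets to a multiple of 16 (one block for 16 octets or less)."""
    if not password or len(password) > MAX_PASSWORD:
        raise ValueError("password must be 1..128 octets")
    return password + b"\x00" * ((-len(password)) % BLOCK)

def _keystream_block(shared_secret: bytes, prev: bytes) -> bytes:
    """Step 2: MD5(shared secret + Request Authenticator); later blocks use the previous ciphertext block."""
    return hashlib.md5(shared_secret + prev).digest()

def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Client side (steps 3-4): returns the value carried in the User-Password attribute."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad(password)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), BLOCK):
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], _keystream_block(shared_secret, prev)))
        hidden += block
        prev = block
    return bytes(hidden)

def recover_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side (steps 5-6): recompute the hash and XOR it back out.
    Trailing NULs are treated as padding, so a password cannot itself end in NUL octets."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        plain += bytes(c ^ k for c, k in zip(block, _keystream_block(shared_secret, prev)))
        prev = block
    return bytes(plain).rstrip(b"\x00")

# Constructed sample values (not taken from any real deployment).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))   # a real access server draws these 16 octets at random per request
PASSWORD = b"correct horse"

if __name__ == "__main__":
    wire = hide_password(PASSWORD, SECRET, REQUEST_AUTH)
    print(wire.hex())
    print(recover_password(wire, SECRET, REQUEST_AUTH))
```

This hiding only keeps the password from anyone who lacks the shared secret; it does not authenticate the packet, so its strength rests entirely on the secret and on the Request Authenticator being fresh for every request.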
How Password Authentication Protocol Works
PAP uses a two-way handshake to perform authentication. Once the PPP link is established using the Link Control Protocol (LCP), the PPP client sends a username and password to the PPP server. The server uses its own authentication scheme and user database to authenticate the user, and if the authentication is successful, the server sends an acknowledgment to the client.
PAP is typically used only if the remote access server and the remote client cannot negotiate any higher form of authentication. The remote client initiates the PAP session when it attempts to connect to the PPP server or router. PAP merely identifies the client to the PPP server; the server then authenticates the client based on whatever authentication scheme and user database are implemented on the server.
PAP is not a strong authentication method. Passwords are sent over the circuit “in the clear”, and there is no protection from playback or repeated trial and error attacks. The peer is in control of the frequency and timing of the attempts.
This authentication method is most appropriately used where a plaintext password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.
Figure: Password Authentication Protocol (PAP)