1
00:00:01,100 --> 00:00:03,430
When implementing remote access to your network,

2
00:00:03,430 --> 00:00:04,700
you have to carefully select

3
00:00:04,700 --> 00:00:07,030
the method of network authentication.

4
00:00:07,030 --> 00:00:08,770
There are various options to choose from,

5
00:00:08,770 --> 00:00:11,780
including the PAP, the Password Authentication Protocol,

6
00:00:11,780 --> 00:00:14,530
the CHAP, the Challenge Handshake Authentication Protocol,

7
00:00:14,530 --> 00:00:17,630
and EAP, the Extensible Authentication Protocol,

8
00:00:17,630 --> 00:00:19,890
that we talked about earlier in this section.

9
00:00:19,890 --> 00:00:21,650
The first remote access authentication

10
00:00:21,650 --> 00:00:23,780
that was widely used is known as PAP,

11
00:00:23,780 --> 00:00:25,960
the Password Authentication Protocol.

12
00:00:25,960 --> 00:00:29,400
Now, PAP is a really old protocol and because of that,

13
00:00:29,400 --> 00:00:31,540
it was never built with security in mind.

14
00:00:31,540 --> 00:00:34,250
In fact, whenever they sent the username and passwords,

15
00:00:34,250 --> 00:00:36,080
those user credentials over the network

16
00:00:36,080 --> 00:00:37,610
during the authentication,

17
00:00:37,610 --> 00:00:38,930
it didn't even encrypt them.

18
00:00:38,930 --> 00:00:40,710
They were sent in plain text.

19
00:00:40,710 --> 00:00:44,020
This makes PAP an insecure choice for any modern network

20
00:00:44,020 --> 00:00:46,140
and you simply shouldn't use it.

21
00:00:46,140 --> 00:00:47,550
Why do we even mention PAP?

22
00:00:47,550 --> 00:00:51,110
Well, because after PAP, came CHAP and with CHAP,

23
00:00:51,110 --> 00:00:52,430
it's an evolution to PAP,

24
00:00:52,430 --> 00:00:55,280
and it's the Challenge Handshake Authentication Protocol.

25
00:00:55,280 --> 00:00:57,240
This is going to solve the problem of sending credentials

26
00:00:57,240 --> 00:00:59,010
over the network in clear text.

27
00:00:59,010 --> 00:01:00,930
Instead, they're going to have the server

28
00:01:00,930 --> 00:01:04,320
send the client a string of random text called a challenge.

29
00:01:04,320 --> 00:01:06,560
This random text is then encrypted by the client

30
00:01:06,560 --> 00:01:07,850
using their password

31
00:01:07,850 --> 00:01:11,080
and this text is then sent back to the server.

32
00:01:11,080 --> 00:01:12,920
The server then unencrypts that text

33
00:01:12,920 --> 00:01:14,930
using the user's stored password

34
00:01:14,930 --> 00:01:16,740
and checks if the encrypted text

35
00:01:16,740 --> 00:01:19,920
matches the original text that it sent in the challenge.

36
00:01:19,920 --> 00:01:20,890
Using this method,

37
00:01:20,890 --> 00:01:23,150
the password is never sent across the network

38
00:01:23,150 --> 00:01:24,960
and the security can be achieved

39
00:01:24,960 --> 00:01:26,780
and ensure that we have it safe.

40
00:01:26,780 --> 00:01:29,160
Now, CHAP was popular for many years

41
00:01:29,160 --> 00:01:30,370
and Microsoft even created

42
00:01:30,370 --> 00:01:33,480
their own proprietary version called MS-CHAP.

43
00:01:33,480 --> 00:01:35,610
MS-CHAP provides stronger encryption keys

44
00:01:35,610 --> 00:01:36,990
and mutual authentication

45
00:01:36,990 --> 00:01:39,410
so, it was an improvement over standard CHAP.

46
00:01:39,410 --> 00:01:42,170
Now, while the CHAP and MS-CHAP were used widely

47
00:01:42,170 --> 00:01:43,610
for many, many years,

48
00:01:43,610 --> 00:01:46,100
both of these have been overtaken by EAP,

49
00:01:46,100 --> 00:01:48,020
the Extensible Authentication Protocol,

50
00:01:48,020 --> 00:01:50,210
that we discussed earlier in this section.

51
00:01:50,210 --> 00:01:53,660
Now, lucky for us, PAP and CHAP are both dying out

52
00:01:53,660 --> 00:01:56,760
because most of these were used for dial-up connections.

53
00:01:56,760 --> 00:01:59,610
Instead, most people who require remote access now

54
00:01:59,610 --> 00:02:01,150
opt for a VPN connection

55
00:02:01,150 --> 00:02:03,350
which we're going to discuss in the next video.