The process of authentication requires, believe it or not, a lot of encryption. Now think about this for a minute; let's come up with a very simple scenario. Let's say I've got some little client system, and I'm wired over to some kind of server system. So if I want to actually authenticate to this guy, I'm going to have to pass it, again, keep it simple here, let's just go with a username and password.
So if I don't have any form of encryption, just the process of getting authenticated to this server thing over here means I'm going to be passing a username and a password along my wire or wireless or whatever it might be, in the clear. I mean, it would be really easy for a bad guy to intercept this and to get my username and password, which is what we call a bad thing in this business. So when we talk about authentication, over the years there have been a number of different ways to do authentication which encrypt or protect the credentials of the person who's trying to be authenticated. So what I want to do in this episode is kind of do a march through the different types of authentication methods we've seen over the years. There are some very old ones which are on the Security+, so we've got to know them.
But I'm going to take you all the way up to the most modern authentication methods. So let's go through this one authentication at a time. The first type of authentication method I want to talk about is Password Authentication Protocol, or PAP. PAP is, well, the oldest authentication method that's both on the Security+ and, well, it's the oldest one I ever used. And I'm old. So anyway, PAP is pretty easy.
So what I've got here in front of me is I've got a client system, and I've got a server system. So what I want to do here is I want to get authenticated. PAP is disturbingly easy. With PAP, all I do is I send my username and password in the clear. PAP is not anything that we use anymore. However, make sure you know it for Security+. Next I want to talk about Challenge Handshake Authentication Protocol, or CHAP. Now CHAP is also a very old authentication protocol.
In fact, it is the first authentication protocol that was used within the PC world to perform some form of protection to the authentication process. So to watch CHAP in action, what I have here, again, is my client system and my server system. And this client system wants to authenticate to the server system. So again, just keeping the usernames and passwords, because that's really all CHAP could do. First, you need to understand that the server and the client already have a password stored in them; there's a key on each one of these devices. So when he wants to authenticate, the first thing he does is send a "Hey, may I authenticate?" message over to the server.
Now the server hears that message. And what he does is, because he has the key, he then takes and creates a challenge message. Now, he won't send these, because sending the key in the clear would be a bad idea. But what he does instead is he creates a hash of these two values and then sends the hash along with the challenge message over to the client. Now the client, because he has the key to be able to put it all back together, can generate that hash. So he'll go ahead, generate that hash, and send it back to the server.
And the end result of this is that just by comparing hashes, they can confirm whether they have the same key or not. Now, the beautiful part of CHAP is that no passwords are being passed. It's really just hashes. So there are small problems with it. But in general CHAP has been around for a long time, and we still see it used in a few situations. Next is NT LAN Manager. NT LAN Manager has been around, well, pretty much as long as there's been authentication in Windows.
Now, NT LAN Manager isn't used in the more advanced Windows authentication methods; that's Kerberos, which we're going to be talking about here shortly. But we still use NT LAN Manager when we're having two Windows systems in a workgroup that are logging into each other. So as long as you don't have a domain controller, even the most modern version of Windows still does NT LAN Manager. Oh, and by the way, we're up to NT LAN Manager version two. So let's watch this take place. Now, if you were watching CHAP, this is going to look really kind of similar. So here we have our client.
And here we have a server. Now, in this case, the key is going to be these red blocks. Now what we want to do is authenticate this client to that server. But we don't want to pass our key out in the clear. So what we're going to do is we're going to start an initial hello-hello kind of thing to make sure each person's there. And what we're going to do, and it's a little bit different this time, is that each side is going to have a challenge message.
And then that challenge message is then hashed. And now we have each side challenging the other side, and through some pretty interesting mathematical mumbo jumbo, you can actually generate the key and verify that we have the same key going through that process itself. So NT LAN Manager really is kind of like a double check, where we have both the client and the server authenticating with each other. Now let's talk about the famous Kerberos authentication protocol. Kerberos is a very interesting authentication method because it's really only used in one place. And that is authenticating to Windows domain controllers.
So that means a lot of people use it. So even though it's pretty much only used by Microsoft to log into domain controllers, the widespread popularity of Windows domain networks means just about all of us use Kerberos. So let's watch Kerberos in action. Now, first of all, what I have here are three computers. Here's my client computer. And this is just a file server.
It's got some folders I want access to. But here in the middle is a domain controller. Now when we're talking Kerberos, the domain controller is known as the KDC, or the Key Distribution Center. But within that domain controller, there are really two main functions. There's the Authentication Service, and then there's the Ticket Granting Service.
Now these guys are listening in on TCP and UDP port 88, listening for Kerberos stuff to happen. So let's watch this take place. Now, the first thing I do when I come in in the morning is I log into the domain on my computer. So when I do my initial login, I will go through and do a nicely encrypted and hashed login. But once that login takes place, the Authentication Service then provides me this little guy. This is a ticket granting ticket.
The TGT shows that I am authenticated to the domain. And I'm not authorized yet, but I'm authenticated to the domain. Now, if you're a Windows person, this TGT has a more common name. We call it the SID, or security identifier. And anybody who works on Windows systems has probably seen the SID, where you've actually seen the Kerberos TGT. Pretty cool, huh?
All right. So I'm authenticated to the network but I'm not authorized to any resources. So if I actually want to get to something, what I'll do is I'll take my TGT. And I will take it back to the domain controller. But in this case, I'm going over to the ticket granting service. Now, the ticket granting service knows what I'm allowed to access all over the domain.
So he'll take this, and I keep a copy for myself. He'll take this and he will generate me a session key. So this session key actually works through the server as well. This session key allows me to access one particular set of resources. So for me to access this one server, I'll have a session key. Now if I need to go anywhere else on the domain, I'm going to have to go through this process again, and a new session key is derived every time. So these are the basics of how Kerberos works.
It's really pretty cool. The last thing I'd like to talk about is Security Assertion Markup Language and Lightweight Directory Access Protocol. Now the Security Assertion Markup Language and the Lightweight Directory Access Protocol, well, they're not really authentication methods, but they tie in so closely that I feel that this is the right place to talk about them. So let's hit them up real quick. First, the Security Assertion Markup Language, better known as SAML, is used exclusively for web applications.
So if you're developing a web application, and you want people to be able to log into that application, this is what you use. SAML is an incredibly powerful tool. And if you've ever logged into almost any web application, there's a good chance you've already used it and you didn't even know it. The other one is Lightweight Directory Access Protocol, better known as LDAP. When you're authenticating to something, there's usually some process where somebody has to access someone else's directory. Now in Windows, we have Active Directory, but we see this all over the place.
So LDAP isn't really authentication, but more of a structured language that allows one computer to go into somebody else's directory and query it and update it and do whatever it needs to do. So, we see LDAP used a lot. In fact, the main process by which we access resources within Windows is based heavily on LDAP. Now the nice part about this is that's all you really need to know. Well, except for one more thing.
LDAP uses TCP and UDP port 389. Make sure you know it for the test.