Password Authentication Protocol

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Password Authentication Protocol (PAP) is a password-based authentication protocol used by Point to Point Protocol (PPP) to validate users.[1] Almost all network operating system remote servers support PAP. PAP is specified in RFC 1334.

PAP is considered a weak authentication scheme (weak schemes are simple and have lighter computational overhead but are much more vulnerable to attack; while weak schemes may have limited application in some constrained environments, they are avoided in general). Among PAP's deficiencies is the fact that it transmits unencrypted passwords (i.e. in plain-text) over the network. PAP is therefore used only as a last resort when the remote server does not support a stronger scheme such as CHAP or EAP.

Working cycle[edit]

PAP authentication is only done at the time of the initial link establishment, and verifies the identity of the client using a two-way handshake.

  1. Client sends username and password. This is sent repeatedly until a response is received from the server.
  2. Server sends authentication-ack (if credentials are OK) or authentication-nak (otherwise)[2]

PAP Packets[edit]


1 byte 1 byte 2 bytes 1 byte Variable 1 byte Variable
Authentication-request Code = 1 ID Length Username length Username Password length Password
Authentication-ack Code = 2 ID Length Message length Message
Authentication-nak Code = 3 ID Length Message length Message

PAP packet embedded in a PPP frame. The protocol field has a value of C023 (hex).

Flag Address Control Protocol (C023 (hex)) Payload (table above) FCS Flag

See also[edit]


  1. ^ "Password Authentication Protocol (PAP)". GeeksforGeeks. 2018-07-17. Retrieved 2020-11-08.
  2. ^ Forouzan (2007). Data Commn & Networking 4E Sie. McGraw-Hill Education (India) Pvt Limited. pp. 352–. ISBN 978-0-07-063414-5. Retrieved 24 November 2012.