Password authentication protocol
Password Authentication Protocol (PAP) provides security by encoding the user's password with an MD5 hash of a value that both the client and server can construct.
It works as follows:
1. In packets that carry the user password, the Authenticator field contains a 16-octet random number called the Request Authenticator.
2. The Request Authenticator and the client's shared secret are put into an MD5 hash. The result is a 16-octet hash.
3. The user-provided password is padded to 16 octets with nulls.
4. The hash from step 2 is XORed (exclusive-OR) with the padded password. This is the data sent in the packet as the user_password attribute.
5. The RADIUS server calculates the same hash as in step 2.
6. This hash is XORed with the packet data from step 4, thus recovering the password.
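The hiding and recovery steps above, written out as an added example (not code from the original page). It assumes the RFC 2865 User-Password layout, and goes one step beyond the page by padding to a multiple of 16 octets and chaining each later block on the previous output block, which is how passwords longer than 16 octets are handled; the constructed sample values are for illustration only.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Client side: produce the user_password attribute value (steps 2-4)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Step 3: pad with nulls. The page describes a single 16-octet block; a
    # multiple of 16 covers longer passwords as well (RFC 2865 section 5.2).
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = request_authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(shared_secret + prev).digest()  # step 2: 16-octet hash
        c = _xor(padded[i:i + 16], block)                    # step 4: XOR with padded password
        out += c
        prev = c  # later blocks chain on the previous output block
    return out


def unhide_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: recompute the hash and XOR it back out (steps 5-6)."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(shared_secret + prev).digest()  # step 5: same hash as the client
        c = hidden[i:i + 16]
        out += _xor(c, block)                                # step 6: recovers the padded password
        prev = c
    # Strip the null padding; RADIUS passwords cannot contain NUL octets, so this is safe.
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed sample shared secret
    authenticator = os.urandom(16)             # a fresh Request Authenticator per request
    attr = hide_password(b"correct horse battery", secret, authenticator)
    print(len(attr), unhide_password(attr, secret, authenticator))
```

Note that the strength of this hiding rests entirely on the shared secret: a party holding the secret and observing the packet recovers the password directly, so the secret must be long, random and protected on both ends.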