PAP

Password Authentication Protocol

Security
Introduced in Rel-4
PAP is a simple authentication protocol that transmits unencrypted usernames and passwords over a network link. In 3GPP contexts, it is often referenced as a legacy or comparative mechanism within specifications for dial-up, GPRS, and early packet data authentication, though stronger protocols like CHAP are preferred.

Description

The Password Authentication Protocol (PAP) is a basic authentication protocol defined originally within the Point-to-Point Protocol (PPP) suite (RFC 1334, later RFC 1994). Its operation is straightforward: the client seeking network access (the peer) sends an authentication request containing a plaintext user name and password to the authenticator (the network access server). The authenticator checks these credentials against a local database or an authentication server and replies with an acknowledgment (Accept) or a rejection (Reject). This exchange occurs during the initial link establishment phase of PPP.

Within 3GPP specifications, PAP is not the primary authentication mechanism for core cellular access like 5G NAS or EAP-AKA', but it is referenced in several contexts. Historically, it was used for dial-up internet access via Integrated Services Digital Network (ISDN) and for authenticating users in early General Packet Radio Service (GPRS) networks when interacting with external Packet Data Networks (PDNs). Specifications like 3GPP TS 29.061 (Interworking between the Public Land Mobile Network and Packet Data Networks) detail how PAP (and CHAP) can be used for external AAA (Authentication, Authorization, and Accounting) when a mobile device acts as a dial-up client to an Internet Service Provider (ISP).

The protocol's architecture involves two main messages within the PPP Link Control Protocol (LCP) phase: the Authenticate-Request and the Authenticate-Ack or Authenticate-Nak. PAP operates in a two-way handshake and provides no protection for the credentials during transmission; they are sent in clear text, making it vulnerable to eavesdropping on the link. Due to this weakness, 3GPP standards typically mandate or prefer the use of the Challenge-Handshake Authentication Protocol (CHAP) or more robust methods like EAP (Extensible Authentication Protocol) when security is a concern. PAP's inclusion in 3GPP specs often serves to ensure backward compatibility with legacy external networks or as a baseline example in protocol descriptions.
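The two-message exchange described above, written out as an added example (not code from the page or from any 3GPP specification): the peer encodes an Authenticate-Request in the RFC 1334 wire format, the authenticator decodes it, checks the credentials and answers with Authenticate-Ack or Authenticate-Nak. The parse step needs no key, which is the point: anything that can read the link can recover the credentials the same way. The peer-id, password and the constant-time comparison on the authenticator side are assumptions chosen for the example.

```python
import hmac
import struct

# PAP code values from RFC 1334: 1 = Authenticate-Request, 2 = Ack, 3 = Nak.
AUTH_REQUEST, AUTH_ACK, AUTH_NAK = 1, 2, 3


def build_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Peer -> authenticator. Both fields go on the wire as-is: no hash, no encryption."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    # Header: Code (1), Identifier (1), Length (2, covers the whole packet), big-endian.
    return struct.pack("!BBH", AUTH_REQUEST, identifier, 4 + len(data)) + data


def parse_authenticate_request(pkt: bytes) -> tuple[int, bytes, bytes]:
    """Decode a request exactly as any observer on the link could (no secret needed)."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != AUTH_REQUEST or length != len(pkt):
        raise ValueError("malformed PAP Authenticate-Request")
    body = pkt[4:]
    id_len = body[0]
    peer_id = body[1:1 + id_len]
    pw_len = body[1 + id_len]
    password = body[2 + id_len:2 + id_len + pw_len]
    if len(peer_id) != id_len or len(password) != pw_len:
        raise ValueError("truncated Peer-ID or Password field")
    return identifier, peer_id, password


def build_response(identifier: int, accepted: bool, message: bytes = b"") -> bytes:
    """Authenticator -> peer: Ack or Nak carrying Msg-Length (1) and an optional Message."""
    code = AUTH_ACK if accepted else AUTH_NAK
    data = bytes([len(message)]) + message
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def authenticate(pkt: bytes, credential_db: dict[bytes, bytes]) -> bytes:
    """Authenticator side: look up the peer, compare the password, echo the Identifier."""
    identifier, peer_id, password = parse_authenticate_request(pkt)
    expected = credential_db.get(peer_id)
    # Constant-time compare (assumption for this example, not required by the RFC) so the
    # response timing does not leak how many leading bytes of the password matched.
    ok = expected is not None and hmac.compare_digest(expected, password)
    return build_response(identifier, ok, b"Welcome" if ok else b"Access denied")


if __name__ == "__main__":
    # Constructed sample credentials; the request bytes are what would cross the PPP link.
    request = build_authenticate_request(7, b"user@isp.example", b"s3cret")
    print(request.hex())
    print(parse_authenticate_request(request))            # credentials recovered in the clear
    print(authenticate(request, {b"user@isp.example": b"s3cret"}).hex())
```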

Purpose & Motivation

PAP was created in the early days of dial-up internet access to provide a simple, universally implementable method for a network access server to verify a user's identity using a username and password pair. Its purpose was to offer basic access control for PPP links without the computational overhead of cryptographic challenges. During the evolution of 2G and early 3G networks, mobile operators needed to interwork with existing Internet infrastructure, where PAP was a common method used by ISPs. Therefore, 3GPP standards included support for PAP to enable mobile stations to connect to these external PDNs using familiar dial-up paradigms.

The protocol addresses the simple problem of credential verification but introduces significant security limitations. It solves the 'what you know' authentication problem in the most direct way possible. However, the motivation for its inclusion in 3GPP was largely about compatibility rather than security leadership. As 3GPP networks evolved, the limitations of PAP—specifically its lack of encryption and susceptibility to replay attacks—became unacceptable for mobile-specific authentication. This led to the specification and preference for CHAP, which uses a challenge-response mechanism, and later to the integration of much stronger, SIM-based authentication via the AKA protocol and EAP frameworks. PAP remains in the specifications as a legacy option, highlighting the historical progression of security in data services.

Key Features

  • Simple two-way handshake (request/response) authentication
  • Transmits user credentials (name and password) in plain text
  • Operates within the PPP link establishment phase
  • Provides basic access grant or denial functionality
  • Widely supported for legacy compatibility with external networks
  • Defined in IETF RFCs and profiled for use in 3GPP interworking scenarios

Evolution Across Releases

Rel-4 Initial

PAP was first referenced in 3GPP Release 4, primarily in the context of GPRS interworking with external packet data networks. Specifications like TS 29.061 defined how a Mobile Station (MS) could use PPP with PAP (or CHAP) for authentication when connecting to an ISP, establishing it as a legacy-compatible mechanism for early packet data services.

Defining Specifications

Specification    Title
TS 21.905        3GPP TS 21.905
TS 23.179        3GPP TS 23.179
TS 23.379        3GPP TS 23.379
TS 24.008        3GPP TS 24.008
TS 24.501        3GPP TS 24.501
TS 29.061        3GPP TS 29.061
TS 29.561        3GPP TS 29.561