Description
The Password Authentication Protocol (PAP) is a basic authentication protocol defined originally within the Point-to-Point Protocol (PPP) suite (RFC 1334, later RFC 1994). Its operation is straightforward: the client seeking network access (the peer) sends an authentication request containing a plaintext user name and password to the authenticator (the network access server). The authenticator checks these credentials against a local database or an authentication server and replies with an acknowledgment (Accept) or a rejection (Reject). This exchange occurs during the initial link establishment phase of PPP.
Within 3GPP specifications, PAP is not the primary authentication mechanism for core cellular access like 5G NAS or EAP-AKA', but it is referenced in several contexts. Historically, it was used for dial-up internet access via Integrated Services Digital Network (ISDN) and for authenticating users in early General Packet Radio Service (GPRS) networks when interacting with external Packet Data Networks (PDNs). Specifications like 3GPP TS 29.061 (Interworking between the Public Land Mobile Network and Packet Data Networks) detail how PAP (and CHAP) can be used for external AAA (Authentication, Authorization, and Accounting) when a mobile device acts as a dial-up client to an Internet Service Provider (ISP).
The protocol's architecture involves two main messages within the PPP Link Control Protocol (LCP) phase: the Authenticate-Request and the Authenticate-Ack or Authenticate-Nak. PAP operates in a two-way handshake and provides no protection for the credentials during transmission; they are sent in clear text, making it vulnerable to eavesdropping on the link. Due to this weakness, 3GPP standards typically mandate or prefer the use of the Challenge-Handshake Authentication Protocol (CHAP) or more robust methods like EAP (Extensible Authentication Protocol) when security is a concern. PAP's inclusion in 3GPP specs often serves to ensure backward compatibility with legacy external networks or as a baseline example in protocol descriptions.
Purpose & Motivation
PAP was created in the early days of dial-up internet access to provide a simple, universally implementable method for a network access server to verify a user's identity using a username and password pair. Its purpose was to offer basic access control for PPP links without the computational overhead of cryptographic challenges. During the evolution of 2G and early 3G networks, mobile operators needed to interwork with existing Internet infrastructure, where PAP was a common method used by ISPs. Therefore, 3GPP standards included support for PAP to enable mobile stations to connect to these external PDNs using familiar dial-up paradigms.
The protocol addresses the simple problem of credential verification but introduces significant security limitations. It solves the 'what you know' authentication problem in the most direct way possible. However, the motivation for its inclusion in 3GPP was largely about compatibility rather than security leadership. As 3GPP networks evolved, the limitations of PAP—specifically its lack of encryption and susceptibility to replay attacks—became unacceptable for mobile-specific authentication. This led to the specification and preference for CHAP, which uses a challenge-response mechanism, and later to the integration of much stronger, SIM-based authentication via the AKA protocol and EAP frameworks. PAP remains in the specifications as a legacy option, highlighting the historical progression of security in data services.
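The exchange described above, as an added example (not part of the original page or of any 3GPP or IETF text): it encodes and parses a PAP Authenticate-Request using the RFC 1334 field layout and contrasts it with a CHAP MD5 response (RFC 1994), checking whether the secret appears on the wire and whether the bytes repeat between sessions. The function names, sample credentials and challenge values are constructed for illustration.

```python
import hashlib
import struct

PAP_AUTH_REQUEST = 1  # PAP codes: 1=Authenticate-Request, 2=Ack, 3=Nak


def build_pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Encode a PAP Authenticate-Request with the RFC 1334 field layout."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(data)) + data


def parse_pap_request(packet: bytes) -> dict:
    """Decode an Authenticate-Request, rejecting malformed length fields."""
    if len(packet) < 6:
        raise ValueError("truncated PAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQUEST:
        raise ValueError("not an Authenticate-Request")
    if length < 6 or length > len(packet):
        raise ValueError("bad Length field")
    body = packet[4:length]
    id_len = body[0]
    if 1 + id_len >= len(body):
        raise ValueError("Peer-ID overruns packet")
    pw_len = body[1 + id_len]
    pw_start = 2 + id_len
    if pw_start + pw_len > len(body):
        raise ValueError("Password overruns packet")
    return {"identifier": identifier,
            "peer_id": body[1:1 + id_len],
            "password": body[pw_start:pw_start + pw_len]}


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): hash of Identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def audit(peer_id: bytes, secret: bytes) -> dict:
    """Compare what an observer on the link sees for PAP and for CHAP."""
    pap = build_pap_request(1, peer_id, secret)
    chap_a = chap_md5_response(1, secret, b"\x11" * 16)  # constructed challenge
    chap_b = chap_md5_response(1, secret, b"\x22" * 16)  # constructed challenge
    return {"pap_exposes_secret": secret in pap,
            "pap_repeats": pap == build_pap_request(1, peer_id, secret),
            "chap_exposes_secret": secret in chap_a,
            "chap_repeats": chap_a == chap_b}
```

The CHAP result holds only while the authenticator issues a fresh, unpredictable challenge for each authentication.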
Detected Changes Across Releases
from 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (138 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-4, normative work from Rel-15.
In Release 15, the specifications introduced several corrections and clarifications to authentication procedures, including the primary authentication procedure for 5G. This included the addition of the ABBA parameter for 5G-based primary authentication and specific corrections to the EAP-based primary authentication procedure, as well as handling within the registration procedure for mobility. Furthermore, the release defined fixed formatting for authentication parameters, such as mandating the authentication response parameter IE to be of a fixed length.
- Updates to 3GPP-GPRS-Negotiated-QoS-Profile AVP (TS 29.061, CR0505)
- Incrementing of counter for "SIM/USIM considered invalid for non-GPRS services" in Iu mode (TS 24.008, CR3136)
- Addition of ABBA in 5G based primary authentication procedure (TS 24.501, CR0036)
- Corrections in handling GPRS Attach Reject with GMM cause #14 in VPLMN (TS 24.008, CR3124)
- Wrong "slogan" for cause value 98, message not compatible with protocol state (TS 24.008, CR3134)
- Collision between paging for non-GPRS services and MS initiated PS NAS procedures (TS 24.008, CR3165)
+ 26 more changes
In Release 16, the PAP function was enhanced to support network slice-specific authentication and authorization, including procedures for handling failures and revocation. It also introduced extensions for primary authentication using EAP methods beyond EAP-AKA' and EAP-TLS, and added support for DN-AAA re-authentication. Furthermore, new procedures were defined for the primary authentication of an N5GC device and for handling a pending NSSAI during slice-specific processes.
- Port management information container: Delivery via the NAS protocol and coding (TS 24.501, CR1470)
- Slice-specific authentication and authorization procedure (TS 24.501, CR1450)
- Primary authentication using EAP methods other than EAP-AKA' and EAP-TLS (TS 24.501, CR1510)
- Extensions of EAP-TLS usage in primary authentication (TS 24.501, CR1512)
- Extensions of EAP-AKA' usage in primary authentication (TS 24.501, CR1513)
- Primary authentication of an N5GC device (TS 24.501, CR2218)
+ 25 more changes
In Release 17, the PAP function was updated to explicitly support non-transparent access to a Data Network (DN) using PAP/CHAP. This included the addition of specific RADIUS and Diameter message flows for successful PAP/CHAP authentication procedures. The update clarified the usage of PAP/CHAP within the broader framework of primary and secondary authentication procedures.
- The impact on UE due to the introduction of Authentication and Key Management for Applications (AKMA) (TS 24.501, CR2794)
- SNN verification for SNPN supporting AAA-Server for primary authentication and authorization (TS 24.501, CR3137)
- "List of subscriber data" handling for SNPN supporting AAA-Server for primary authentication and authorization (TS 24.501, CR3133)
- Authentication handling (TS 24.501, CR3387)
- 5GSM protocol update for redundant PDU sessions (TS 24.501, CR3671)
- Usage of indication to use MSK for derivation of KAUSF after success of primary authentication and key agreement procedure (TS 24.501, CR3843)
+ 49 more changes
In Release 18, the PAP function was enhanced to support authentication for new device types and relay scenarios. Specifically, it introduced authentication procedures for AUN3 devices, with considerations for those supporting the 5G key hierarchy, and defined authentication and key agreement for 5G ProSe UE-to-UE relay operations. Additionally, the release included protocol error handling enhancements and clarifications for procedure initiation and failure cases.
- Introducing the secondary DN authentication and authorization over EPC support indicator (TS 24.008, CR3322)
- Protocol error handling enhancements for Type 6 IE container IEs (TS 24.501, CR5031)
- Authentication for AUN3 devices supporting 5G key hierarchy (TS 24.501, CR5811)
- Impact on NAS signalling for supporting authentication of AUN3 devices supporting and not supporting 5G key hierarchy (TS 24.501, CR5812)
- Authentication and key agreement procedure for 5G ProSe UE-to-UE relay (TS 24.501, CR5820)
- Protocol description support (TS 24.501, CR5973)
+ 11 more changes
In Release 19, the PAP function was updated with corrections to the handling of the AUTHENTICATION REJECT message, specifically for a UE configured to use timer T3245. The release also corrected the requirements for resetting an attempt counter upon an authentication reject and fixed the information element length for the Service-level AA container used in Service-level authentication command and complete messages.
- Corrected requirements for attempt counter reset at authentication reject (TS 24.501, CR6675)
- Correction in handling AUTHENTICATION REJECT message by a UE configured to use T3245 (TS 24.501, CR7066)
- Correction of IE length for Service-level AA container in Service-level authentication command/complete message (TS 24.501, CR7092)
Defining Specifications
3GPP specifications that define or reference PAP, with the latest known release. Sourced from the 3GPP document catalog — see methodology.
| Specification | Title | Release |
|---|---|---|
| TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19 |
| TS 23.179 vd50 | MCPTT Functional Architecture | Rel-13 |
| TS 23.379 vk00 | MCPTT Functional Architecture | Rel-20 |
| TS 24.008 vj50 | 3GPP TS 24008: Core Network Protocols | Rel-19 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 29.061 vj00 | Packet Domain Interworking for PLMN | Rel-19 |
| TS 29.561 vj30 | 5G Interworking with External Data Networks | Rel-19 |