The Secret Security Wiki


Protocol

In information technology, a protocol is the special set of rules that end points in a telecommunication connection use when they communicate. Protocols specify interactions between the communicating entities.

Secure Shell (SSH)

Secure Shell (SSH) is a network protocol that enables secure communications between an SSH client and an SSH server over an unsecured network (e.g. the Internet). Classically, SSH offers two high-level mechanisms for authentication – passwords and public-key cryptography. Public-key authentication is generally considered more secure because it avoids the need for storing passwords and...


FIDO – Fast Identity Online

Fast Identity Online (FIDO) Authentication is a set of open technical specifications that define user authentication mechanisms that reduce the reliance on passwords. To date, the FIDO Alliance published three sets of specifications: FIDO Universal Second Factor (FIDO U2F) provides a standard means for interfacing a second-factor hardware authenticator. This interface is mainly used by...


Client to Authenticator Protocol

Client to Authenticator Protocol (CTAP) is a specification describing how an application (i.e. a browser) and operating system establish communications with a compliant authentication device over USB, NFC or BLE communication mediums. The specification is part of the FIDO2 project and the W3C WebAuthn specification. The specification refers to two CTAP protocol versions. CTAP1 is the new...


Extensible Authentication Protocol

Extensible Authentication Protocol (EAP) is an authentication framework, not a specific authentication mechanism, frequently used in wireless networks and point-to-point connections. It provides some common functions and negotiation of authentication methods called EAP methods. The EAP protocol can support multiple authentication mechanisms without having to pre-negotiate a particular one. There are currently about 40 different...


Secure, Quick, Reliable Login

Secure, Quick, Reliable Login, or SQRL (pronounced “squirrel”), is a draft open standard for anonymous and secure user identification and authentication to websites and web applications. It was proposed by its inventor Steve Gibson as an easy-to-use replacement for usernames, passwords, and MFA. SQRL was designed to eliminate username and password authentication to remote websites....


Open Authorization

OAuth is an open standard that allows users to provide websites or applications with delegated access to their information that is stored on other websites or applications without giving the credentials (i.e. password) that directly access the account where the information is stored. Instead, a delegated access token is provided which specifies access permissions. For...


Internet Key Exchange

Internet Key Exchange (IKE) is the protocol used to set up a secure, authenticated communications channel between two parties. IKE typically uses X.509 PKI certificates for authentication and the Diffie–Hellman key exchange protocol to set up a shared session secret. IKE is part of the Internet Security Protocol (IPSec) which is responsible for negotiating security...


NT LAN Manager

Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring that the client perform a mathematical operation using its authentication token,...


System for Cross-Domain Identity Management

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems. SCIM is used by companies that make use of applications/systems that are hosted on external domains – i.e. cloud applications like Google Apps, Office365 or Salesforce.com – to programmatically add/delete accounts for...


Challenge Handshake Authentication Protocol

Challenge-Handshake Authentication Protocol (CHAP) is an identity verification protocol that does not rely on sending a shared secret between the access-requesting party and the identity-verifying party (the authenticator). CHAP is based on a shared secret, but in order to authenticate, the authenticator sends a “challenge” message to the access-requesting party, which responds with a value...


Salted Challenge Response Authentication Mechanism

Salted Challenge Response Authentication Mechanism (SCRAM) is a password-based mutual authentication protocol designed to make an eavesdropping attack (i.e. man-in-the-middle) more difficult. Using cryptographic hashing techniques, a client can prove to a server that the user knows a secret derived from the user’s password without sending the password itself. The server can prove to the...


Trust on First Use

Trust on first use (TOFU) is a security model used to establish trust between client software and a machine for which no trust was previously established – i.e. a new machine. Upon connection, the client software will try to look up the machine’s identifier, usually some kind of public key, in its local trust...


Key Agreement Protocol

Key exchange protocols enable two or more parties to establish a shared encryption key that they can use to encrypt or sign data that they plan to exchange. Key exchange protocols typically employ cryptography to achieve this goal, and different cryptographic techniques can be used. In order for two parties to communicate...


Simple Object Access Protocol

Simple Object Access Protocol (SOAP) is a client-server messaging protocol for exchanging structured data between web-services. SOAP uses XML for its message format and relies on standard application layer protocols, most often Hypertext Transfer Protocol (HTTP) or Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission. SOAP’s relative complexity has led developers to prefer...


Representational State Transfer

Representational state transfer (REST) is a convention for stateless client-server communications that is typically implemented using the HTTP protocol (using other protocols is also technically possible). REST itself is not a protocol – it is simply a set of conventions that strive to create simplicity and consistency in resource naming across different web-based applications or...


Zero Knowledge Proof

Zero knowledge proof or protocol is a way for a “prover” to convince a “verifier” that a statement about some secret information is true without revealing the secret itself. The proof protocol may be interactive or non-interactive. Example: a verifier presents a prover with a hash H, and would like the prover to provide proof...


Kerberos

Kerberos is a client-server authentication protocol that enables mutual authentication – both the user and the server verify each other’s identity – over non-secure network connections. The protocol is resistant to eavesdropping and replay attacks, and requires a trusted third party. The Kerberos protocol uses a symmetric key derived from the user password to securely...


Lightweight Directory Access Protocol

LDAP was created in 1993 by Tim Howes, Steve Kille and Wengyik Yeong; it is based on the X.500 standard but adapted to meet custom specifications. Lightweight Directory Access Protocol (LDAP) is a standard application protocol for accessing and managing a directory service. It is supported by most vendor directory services, including Active Directory (AD),...


Secure Socket Shell

Secure Shell (SSH) is a cryptographic protocol that provides communications security over a computer network, connecting an SSH client application with an SSH server. It is typically used to access shell accounts on remote servers. Shell accounts are typically available on Linux systems (but not only) and provide a user interface to the operating system’s...
