Challenge Handshake Authentication Protocol (CHAP)

CHAP is an encrypted authentication scheme in which the unencrypted password is not transmitted over the network.

What is CHAP (Challenge Handshake Authentication Protocol)?

Challenge Handshake Authentication Protocol (CHAP) is an encrypted authentication scheme in which the unencrypted password is not transmitted over the network. It is one of several authentication schemes used by the Point-to-Point Protocol (PPP), a serial transmission protocol for wide area network (WAN) connections. Other authentication schemes supported by PPP include Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

PAP is a widely implemented authentication protocol, but CHAP is more secure than PAP because CHAP never transmits the password itself, only a one-way hash derived from it, while PAP sends the password in clear text. SPAP and MS-CHAP are vendor-specific implementations.

How It Works

A typical CHAP session during the PPP authentication process works something like this:

  1. A client connects to a network access server (NAS) and requests authentication.
  2. The server challenges the client by sending a session ID and an arbitrary string.
  3. The client hashes the server’s session ID, its own password, and the challenge string with the MD5 one-way hashing algorithm, and sends the server its username together with the resulting hash. The password itself never leaves the client.
  4. A session is established between the client and the server.

To guard against replay attacks, a fresh, arbitrary challenge string is chosen for each authentication attempt, so a captured response is useless against a later challenge. To protect against remote client impersonation, CHAP repeats the challenge at random intervals for as long as the session lasts, and the client must answer each one to keep the session alive.
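The four-step exchange above, and the replay protection this paragraph describes, as an added worked example (not code from the original page). It follows the RFC 1994 construction of the response, MD5 over the identifier, the shared secret and the challenge value; the usernames, secrets and the in-memory secret store are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value: MD5(Identifier || secret || Challenge Value).

    Only this 16-byte one-way hash crosses the network; the secret never does.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Network access server side of the exchange (steps 2 and 4)."""

    def __init__(self, secrets_db: Dict[str, bytes]):
        self._secrets = secrets_db          # username -> shared secret (constructed store)
        self._outstanding: Dict[int, bytes] = {}   # identifier -> challenge not yet answered
        self._next_id = 0

    def challenge(self, length: int = 16) -> Tuple[int, bytes]:
        """Step 2: issue a fresh identifier and a random challenge value."""
        identifier = self._next_id & 0xFF
        self._next_id += 1
        value = secrets.token_bytes(length)     # arbitrary per-attempt challenge
        self._outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        """Step 4: recompute the expected hash and compare in constant time.

        The challenge is consumed on first use, so replaying an old response,
        or answering a challenge the server never issued, fails.
        """
        challenge: Optional[bytes] = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapClient:
    """Dial-in client side of the exchange (steps 1 and 3)."""

    def __init__(self, username: str, secret: bytes):
        self.username = username
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        """Step 3: send the username and the hash, never the secret."""
        return self.username, chap_response(identifier, self._secret, challenge)


def demo() -> Dict[str, bool]:
    """Run a genuine login, a replayed response, and a wrong-secret attempt."""
    server = ChapServer({"alice": b"correct horse battery staple"})   # constructed
    alice = ChapClient("alice", b"correct horse battery staple")
    wrong = ChapClient("alice", b"not the real secret")
    results = {}

    # Genuine exchange: fresh challenge, correct secret.
    ident, chal = server.challenge()
    name, resp = alice.respond(ident, chal)
    results["genuine"] = server.verify(ident, name, resp)

    # Replay: the captured response is submitted against the next challenge.
    ident2, _ = server.challenge()
    results["replay"] = server.verify(ident2, name, resp)

    # Wrong secret: hash does not match what the server recomputes.
    ident3, chal3 = server.challenge()
    name3, resp3 = wrong.respond(ident3, chal3)
    results["wrong_secret"] = server.verify(ident3, name3, resp3)
    return results


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'replay': False, 'wrong_secret': False}
```

The periodic re-challenge the paragraph mentions is simply `server.challenge()` called again during the session; because every challenge is random and single-use, each re-challenge requires knowledge of the secret, which is what defeats a client being swapped out mid-session.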

CHAP is supported by RAS

CHAP is supported by the Remote Access Service (RAS) on Microsoft Windows NT and the Routing and Remote Access feature of Windows 2000 as a way to allow non-Microsoft clients to dial in and receive authentication for a RAS session, and to allow Microsoft RAS clients to connect to any industry-standard PPP server.
