Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Last Edited



, ,

Definition of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) in The Network Encyclopedia.

What is MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)?

MS-CHAP is an encrypted authentication scheme used in wide area network (WAN) communication. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is supported by the Point-to-Point Protocol (PPP) used by the Remote Access Service (RAS) of Microsoft Windows NT, and the Point-to-Point Tunneling Protocol (PPTP) used by the Routing and Remote Access Service (RRAS) of Windows NT Service Pack 4 and later and by Windows 2000 and Windows 98.

How it works

MS-CHAP is similar to the Challenge Handshake Authentication Protocol (CHAP) that encrypts password information before transmitting it over a PPP link using the industry-standard MD5 one-way encryption method. MS-CHAP is Microsoft’s version of CHAP; it differs from CHAP in the following ways:

  • The MS-CHAP challenge response packet is in a format designed specifically for Windows platforms.
  • MS-CHAP does not require the use of plaintext or reversibly encrypted passwords the way CHAP does. Instead, the RAS server uses the MD4 hash of the password for validating the challenge response.

Both the client and the authenticating server generate independent initial keys for data encryption. For example, to establish a PPP session between a Windows NT RAS server and a Windows dial-up networking client, the client first requests authentication from the RAS server.

The RAS server then sends the client a challenge consisting of a session identifier and an arbitrary string of characters called the challenge string. The client returns a response to the server that consists of the username plus a one-way encryption of the password, session identifier, and challenge string.

The RAS server examines the response and determines whether to authenticate the client.

MS-CHAP Overview


The original Windows NT RAS service supports MS-CHAP version 1, while Windows NT and Windows 2000 RRAS support MS-CHAP version 2. Version 2 of MS-CHAP supports mutual (two-way) authentication to verify the identity of both sides of a PPP or PPTP connection, and separate cryptographic keys for transmitted and received data that are based on the user’s password and the arbitrary challenge string. This two-way authentication is more secure than version 1 because the same user will have different keys generated for each PPP or PPTP session. LAN Manager encoding of password changes and challenge responses is also no longer supported in version 2.