Challenge-handshake authentication protocol

From Free net encyclopedia

In computing, the Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user (or peer) to an Internet access provider.

RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP), defines the protocol.

CHAP periodically verifies the identity of the client by using a three-way handshake. This happens when the initial link is established, and may happen again at any time afterwards. The client and the server share a secret (such as the client user's password).

  1. After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
  2. The peer responds with a value calculated by applying a one-way hash function, such as MD5, to the challenge together with the shared secret.
  3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
  4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 to 3.

CHAP protects against replay (playback) attacks by the peer through the use of an incrementally changing identifier and a variable challenge value. Because the response is computed from the secret itself, CHAP requires that the client have the secret available in plaintext form; the authenticator needs it in plaintext as well in order to compute the expected response, so the secret cannot be stored as a salted one-way hash on either side.
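The handshake steps above and the replay protection they give, as an added example that is not part of the original article: the response is computed as in RFC 1994 (MD5 over the identifier, the shared secret and the challenge), and the demo shows a correct response being accepted while a wrong secret and a replayed earlier response are both rejected. The `Authenticator` class, the credentials and the single-outstanding-challenge bookkeeping are assumptions of this example, not part of the RFC.

```python
import hashlib
import hmac
import os

# Response as specified by RFC 1994: MD5 over the one-octet Identifier,
# the shared secret and the challenge value, in that order.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side (hypothetical helper): issues challenges and checks responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # name -> plaintext secret (CHAP needs it in the clear)
        self.identifier = 0
        self.outstanding = None     # (identifier, challenge) of the challenge last sent

    def challenge(self) -> tuple:
        # Fresh identifier and unpredictable challenge value for every round
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = (self.identifier, os.urandom(16))
        return self.outstanding

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False            # stale or unknown identifier
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, self.outstanding[1])
        self.outstanding = None     # each challenge is usable exactly once
        return hmac.compare_digest(expected, response)


def run_handshake(auth, name, secret, replay=None):
    """One CHAP round. If `replay` is given, the peer sends that recorded response instead."""
    identifier, challenge = auth.challenge()
    response = replay if replay is not None else chap_response(identifier, secret, challenge)
    return auth.verify(identifier, name, response), response


def demo():
    auth = Authenticator({"alice": b"correct horse"})  # constructed sample credentials
    ok_first, recorded = run_handshake(auth, "alice", b"correct horse")
    ok_wrong, _ = run_handshake(auth, "alice", b"wrong secret")
    # Replaying the earlier valid response fails: identifier and challenge have changed
    ok_replay, _ = run_handshake(auth, "alice", b"", replay=recorded)
    return ok_first, ok_wrong, ok_replay
```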

Microsoft has implemented its own variant of the Challenge-Handshake Authentication Protocol as MS-CHAP.
