In computing, the Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider. CHAP is specified in RFC 1994.
CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network. The MS-CHAP variant does not require either peer to know the plaintext, but has other drawbacks.
Contents |
CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).
| Description | 1 byte | 1 byte | 2 bytes | 1 byte | Variable | variable |
|---|---|---|---|---|---|---|
| Challenge | Code = 1 | ID | Length | Challenge length | Challenge value | Name |
| Response | Code = 2 | ID | Length | Response Length | Response value | Name |
| Success | Code = 4 | ID | Length | Message | ||
| Failure | Code = 4 | ID | Length | Message |
The ID chosen for the random challenge is also used in the corresponding response, success, and failure packets. A new challenge with a new ID must be different from the last challenge with another ID. If the success or failure is lost the same response can be sent again, and triggers the same success or failure indication. For MD5 as hash the response value is MD5(ID||secret||challenge), the MD5 for the concatenation of ID, secret, and challenge.[1]