Challenge-handshake authentication protocol
 |
This article relies largely or entirely upon a single source. Please help improve this article by introducing appropriate citations of additional sources. (December 2009) |
In computing, the Challenge-Handshake Authentication Protocol (CHAP) authenticates a user or network host to an authenticating entity. That entity may be, for example, an Internet access provider.
CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network.
Microsoft has implemented a variant of the Challenge-handshake authentication protocol, called MS-CHAP, which does not require either peer to know the plaintext.
Contents |
Working Cycle
CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link, and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).
- After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
- The peer responds with a value calculated using a one-way hash function, such as an MD5 checksum hash.
- The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
- At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
CHAP Packets
| Description | 1 byte | 1 byte | 2 bytes | 1 byte | Variable | variable |
|---|---|---|---|---|---|---|
| Challenge | Code = 1 | ID | Length | Challenge length | Challenge value | Name |
| Response | Code = 2 | ID | Length | Response Length | Response value | Name |
| Success | Code = 3 | ID | Length | Message | ||
| Failure | Code = 4 | ID | Length | Message |
See also
- List of authentication protocols
- Password Authentication Protocol
- Challenge-response test
- Cryptographic hash function
References
stock | retire | vm
Why are we here?
All text is available under the terms of the GNU Free Documentation License
This page is cache of Wikipedia. History