Content deleted Content added
→Benefits of CHAP: typo correct |
Sammi Brie (talk | contribs) Adding local short description: "Authentication protocol to validate users", overriding Wikidata description "authentication protocol for the point-to-point protocol" |
||
| (3 intermediate revisions by 3 users not shown) | |||
Line 1:
{{Short description|Authentication protocol to validate users}}
In [[computing]], the '''Challenge-Handshake Authentication Protocol''' ('''CHAP''') is an [[authentication protocol]] originally used by [[Point-to-Point Protocol]] (PPP) to validate users. CHAP is also carried in other authentication protocols such as [[RADIUS]] and [[Diameter (protocol)|Diameter]]. Almost all [[network operating system]]s support PPP with CHAP, as do most [[network access server]]s. CHAP is also used in [[PPPoE]], for authenticating DSL users.
As the PPP sends data unencrypted and "in the clear", CHAP is vulnerable to any attacker who can observe the PPP session. An attacker can see the user's name, CHAP challenge, CHAP response, and any other information associated with the PPP session. The attacker can then mount an offline [[dictionary attack]] in order to obtain the original password. When used in PPP, CHAP also provides protection against [[replay attack]]s by the peer through the use of a challenge which is generated by the authenticator, which is typically a [[network access server]].
Where CHAP is used in other protocols, it may be sent in the clear, or it may be protected by a security layer such as [[Transport Layer Security]] (TLS). For example, when CHAP is sent over [[RADIUS]] using [[User Datagram Protocol]] (UDP), any attacker who can see the RADIUS packets can mount an offline [[dictionary attack]], as with PPP.
Line 10 ⟶ 11:
==Benefits of CHAP==
When the peer sends CHAP, the authentication server will receive it, and obtain the "known good" password from a database, and perform the CHAP calculations. If the resulting hashes match, then the user is deemed to be authenticated. If the hashes do not match, then the
Since the authentication server has to store the password in clear-text, it is impossible to use different [[Password#
As a result, while CHAP can be more secure than PAP when used over a PPP link, it prevents more secure storage "at rest" than with other methods such as [[Password authentication protocol|PAP]].
Line 20 ⟶ 21:
==Working cycle==
CHAP is an authentication scheme originally used by [[Point-to-Point Protocol]] (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the [[client (computing)|client]] by using a [[
# After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
Line 78 ⟶ 79:
== See also ==
{{wikibooks | Network Plus Certification/Security/User Authentication }}▼
* [[List of authentication protocols]]
* [[Password Authentication Protocol]]
Line 88:
== External links ==
▲{{wikibooks | Network Plus Certification/Security/User Authentication }}
* {{IETF RFC|1994}} PPP Challenge Handshake Authentication Protocol (CHAP)
* {{IETF RFC|2865}} Remote Authentication Dial In User Service ([[RADIUS]]): ''uses [[Password authentication protocol|PAP]] or CHAP''
| |||