Revision as of 03:08, 14 April 2022 edit Dawnseeker2000 (talk \| contribs) Autopatrolled, Extended confirmed users, File movers, New page reviewers, Pending changes reviewers, Rollbackers 535,883 edits m Disambiguating links to TLS (link changed to Transport Layer Security) using DisamAssist. ← Previous edit		Revision as of 02:55, 17 April 2022 edit undo Cherkash (talk \| contribs) Extended confirmed users 30,408 edits m copyedit Next edit →
Line 1: In [[computing]], the '''Challenge-Handshake Authentication Protocol''' ('''CHAP''') is an [[authentication protocol]] originally used by [[Point -to ~~Point Protocol\|Point to~~ -Point Protocol]] (PPP)]] to validate users. CHAP is also carried in other authentication protocols such as [[RADIUS]] and [[Diameter]]. Almost all [[network operating system]]s support PPP with CHAP, as do most [[network access server]]s. CHAP is also used in [[PPPoE]], for authenticating DSL users. As the ~~[[Point to Point Protocol\|Point to Point Protocol (~~PPP~~)]]~~ sends data unencrypted and "in the clear", CHAP is vulnerable to any attacker who can observe the PPP session. An attacker can see the users name, CHAP challenge, CHAP response, and any other information associated with the PPP session. The attacker can then mount an offline [[~~Dictionary~~dictionary attack]] in order to obtain the original password. When used in PPP, CHAP also provides protection against [[replay attack]]s by the peer through the use of a challenge which is generated by the authenticator, which is typically a [[network access server]]. Where CHAP is used in other protocols, it may be sent in the clear, or it may be protected by a security layer such as [[Transport Layer Security~~\|Transport Layer Security~~]] (TLS)]]. For example, when CHAP is sent over [[RADIUS]] using [[User Datagram Protocol~~\|User Datagram Protocol~~]] (UDP)]], any attacker who can see the RADIUS packets can mount an offline [[~~Dictionary~~dictionary attack]], as with PPP. CHAP requires that both the client and server know the clear-text version of the password, although the password itself is never sent over the network. Thus when used in PPP, CHAP provides better security as compared to [[Password Authentication Protocol]] (PAP) which is vulnerable for both these reasons. ===Benefits of CHAP=== When the peer sends CHAP, the authentication server will receive it, and obtain the "known good" password from a database, and perform the CHAP calculations. If the resulting hashes match, then the user is deemed to be authenticated. If the hashes do not match, then the users authentication attempt is rejected. Line 18 ⟶ 17: ===Variants=== [[MS-CHAP]] is similar to CHAP but uses a different hash algorithm, and allows for each party to authenticate the other. ==Working cycle== CHAP is an authentication scheme originally used by [[Point-to-Point Protocol]] (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the [[client (computing)\|client]] by using a [[handshaking\|three-way handshake]]. This happens at the time of establishing the initial [[Link Control Protocol\|link (LCP)]], and may happen again at any time afterwards. The verification is based on a [[shared secret]] (such as the client's password).<ref name="Forouzan2007">{{cite book\|author=Forouzan\|title=Data Communications & Networking 4E Sie\|url=https://books.google.com/books?id=6HaNKmfBK1oC&pg=PA352\|access-date=24 November 2012\|year=2007\|publisher=McGraw-Hill Education (India) Pvt Limited\|isbn=978-0-07-063414-5\|pages=352–}}</ref> Line 33 ⟶ 30: ==CHAP packets== {\| class="wikitable" \|- !Description !1 byte Line 40 ⟶ 36: !1 byte !Variable !Variable ~~!variable~~ \|- \|Challenge Line 46 ⟶ 42: \|ID \|Length \|Challenge ~~Length~~length \|Challenge value \|Name Line 54 ⟶ 50: \|ID \|Length \|Response ~~Length~~length \|Response value \|Name

Challenge-Handshake Authentication Protocol: Difference between revisions