Revision as of 20:17, 13 April 2022 edit Alandekok (talk \| contribs) 47 edits minor english ← Previous edit		Revision as of 03:08, 14 April 2022 edit undo Dawnseeker2000 (talk \| contribs) Autopatrolled, Extended confirmed users, File movers, New page reviewers, Pending changes reviewers, Rollbackers 535,883 edits m Disambiguating links to TLS (link changed to Transport Layer Security) using DisamAssist. Next edit →
Line 5: As the [[Point to Point Protocol\|Point to Point Protocol (PPP)]] sends data unencrypted and "in the clear", CHAP is vulnerable to any attacker who can observe the PPP session. An attacker can see the users name, CHAP challenge, CHAP response, and any other information associated with the PPP session. The attacker can then mount an offline [[Dictionary attack]] in order to obtain the original password. When used in PPP, CHAP also provides protection against [[replay attack]]s by the peer through the use of a challenge which is generated by the authenticator, which is typically a [[network access server]]. Where CHAP is used in other protocols, it may be sent in the clear, or it may be protected by a security layer such as [[~~TLS~~Transport Layer Security\|Transport Layer Security (TLS)]]. For example, when CHAP is sent over [[RADIUS]] using [[User Datagram Protocol\|User Datagram Protocol (UDP)]], any attacker who can see the RADIUS packets can mount an offline [[Dictionary attack]], as with PPP. CHAP requires that both the client and server know the clear-text version of the password, although the password itself is never sent over the network. Thus when used in PPP, CHAP provides better security as compared to [[Password Authentication Protocol]] (PAP) which is vulnerable for both these reasons.

Challenge-Handshake Authentication Protocol: Difference between revisions