Challenge-Handshake Authentication Protocol: Difference between revisions

Citation bot (talk | contribs)
Removed parameters. | You can use this bot yourself. Report bugs here. | Suggested by Neko-chan | Category:Internet protocols | via #UCB_Category 44/275
Monkbot (talk | contribs)
m Task 18 (cosmetic): eval 3 templates: del empty params (3×); hyphenate params (4×);
Line 1:
In [[computing]], the '''Challenge-Handshake Authentication Protocol''' ('''CHAP''') [[authentication|authenticates]] a user or network host to an authenticating entity. That entity may be, for example, an [[Internet service provider]].
 
CHAP provides protection against [[replay attack]]s by the peer through the use of an incrementally changing identifier and of a variable challenge-value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network. Thus, CHAP provides better security as compared to [[Password Authentication Protocol]] (PAP) which is vulnerable for both these reasons. The [[MS-CHAP]] variant does not require either peer to know the plaintext and does not transmit it, but has been broken.<ref>{{cite web|url=https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/|title=Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate|last=|first=|year=2012|website=|publisher=[[DEF CON|David Hulton]]|archiveurlarchive-url=https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/|archive-date=16 March 2016|accessdateaccess-date=2013-03-10}}</ref>
 
==Working cycle==
CHAP is an authentication scheme used by [[Point-to-Point Protocol]] (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the [[client (computing)|client]] by using a [[handshaking|three-way handshake]]. This happens at the time of establishing the initial [[Link Control Protocol|link (LCP)]], and may happen again at any time afterwards. The verification is based on a [[shared secret]] (such as the client's password).<ref name="Forouzan2007">{{cite book|author=Forouzan|title=Data Communications & Networking 4E Sie|url=https://books.google.com/books?id=6HaNKmfBK1oC&pg=PA352|accessdateaccess-date=24 November 2012|year=2007|publisher=McGraw-Hill Education (India) Pvt Limited|isbn=978-0-07-063414-5|pages=352–}}</ref>
 
# After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
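Review bot: in the MS-CHAPv2 citation in the second paragraph, the cleanup drops the empty `last=`, `first=` and `website=` fields but leaves a person's name as the label of the publisher link, `publisher=[[DEF CON|David Hulton]]`, so the reference ends up with no author fields and a person rendered as publisher. If he is the author, move the name into `last=`/`first=` and put the publishing site in `website=` or `publisher=` instead of deleting the empty fields. The same citation also mixes date styles (`archive-date=16 March 2016` beside `access-date=2013-03-10`); pick one while the parameters are being renamed.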
Line 60:
|publisher=[[Cisco Systems|Cisco tech note]]
|year=2005
|accessdateaccess-date=2011-08-14}}</ref>
 
== See also ==
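Review bot: `publisher=[[Cisco Systems|Cisco tech note]]` pipes a document type into the publisher field, so the rendered reference names "Cisco tech note" as the publisher. While touching this citation, consider `publisher=[[Cisco Systems]]` with the tech-note designation in `type=`; the rename to `access-date` itself is fine.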