The Challenge Handshake Authentication Protocol (CHAP) is a built-in authentication protocol defined for PPP (Point-to-Point Protocol). PPP is a vendor-neutral layer 2 (data-link layer) protocol that offers authentication, compression, error detection, multilink and callback features. For authentication it uses two methods: PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol).
CHAP is preferred over PAP because it relies on an MD5 hash of the shared secret, which is considerably stronger than sending the password itself. MD5 is a widely used message-digest algorithm (hash function) that produces a 128-bit hash value. In CHAP it is applied to the concatenation of the identifier, the secret and the challenge value. CHAP is used to verify the identity of the two devices involved in a point-to-point link, using a three-way handshake. The steps performed in the CHAP authentication process are:
Once the LCP (Link Control Protocol) phase has completed and CHAP has been negotiated between both devices, the authenticator sends a challenge message to the peer.
The peer responds with a value calculated using a one-way hash algorithm, Message Digest 5 (MD5).
The authenticator compares the response value with its own calculated hash value. If the values are the same, the authentication is successful; otherwise the connection is terminated.
This authentication process depends on a “secret” that is pre-shared by the authenticator and the peer. The authentication can be either one-way or two-way (mutual).
CHAP protects against replay attacks by an intruder through the use of an incrementally changing identifier and a variable challenge value. CHAP provides better security than PAP, which is vulnerable to attack because it sends the password in clear text over the network, making it easy for an intruder to see the password. CHAP is an authentication method used by PPP servers to verify the identity of their remote clients. CHAP periodically re-checks the identity of the client by repeating the three-way handshake.
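The three-way handshake and the replay protection described above, as an added example that is not part of the original page: both sides compute the CHAP response as MD5 over the identifier octet, the shared secret and the challenge value (the RFC 1994 layout), the authenticator treats each challenge as single-use, and the secret value is a constructed sample.

```python
import hashlib
import hmac
import os

# Pre-shared secret known to both authenticator and peer (constructed sample value).
SHARED_SECRET = b"example-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: hash of Identifier octet || secret || challenge value."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Side that issues challenges and checks the peer's responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0      # incremented for every challenge sent
        self.outstanding = {}    # identifier -> challenge value still awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)   # unpredictable, variable challenge value
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        # Each challenge is single-use: pop it so a replayed response can never match again.
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)


def run_handshake(auth: Authenticator, peer_secret: bytes) -> tuple:
    """One full exchange: Challenge -> Response -> Success/Failure decision."""
    identifier, challenge = auth.challenge()           # step 1: authenticator challenges
    response = chap_response(identifier, peer_secret, challenge)  # step 2: peer answers
    return identifier, response, auth.verify(identifier, response)  # step 3: check


if __name__ == "__main__":
    auth = Authenticator(SHARED_SECRET)
    ident, resp, ok = run_handshake(auth, SHARED_SECRET)
    print("handshake succeeded:", ok)
    print("replayed response accepted:", auth.verify(ident, resp))
```

Because the identifier and challenge change on every exchange, a captured response is useless later, which is the replay protection the text refers to.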