Authentication is the first step in securing almost any platform, and it is a highly recommended way to protect a network against intrusion. The Challenge-Handshake Authentication Protocol (CHAP) is one of the most commonly used authentication protocols worldwide, normally for remote logon. It authenticates a user to the authenticating authority, generally a server, by means of a three-way handshake. After the Link Control Protocol (LCP) phase is completed, the authenticator sends a challenge message to the peer. The peer responds with a value calculated by applying a one-way hash function. If the value sent by the peer matches the value the authenticator calculates itself, the authentication is successful.
CHAP is an important and reliable authentication protocol, and it has several advantages over other authentication protocols. It relies on a secret shared between the authenticating entity and the peer, but this secret is never revealed over the network, which increases the integrity of the authentication process. The peer proves its identity by showing the authenticating entity that it knows the secret without actually disclosing it. CHAP is considered more secure than PAP (Password Authentication Protocol) because it protects the connection against replay attacks by the peer and, unlike PAP, it does not send the secret as plain text over the network, which protects the password, and in turn the session, from an eavesdropper. It incrementally changes the identifier and uses a variable challenge value at a set frequency and time; because the challenge values keep changing, the network's exposure to any single attack decreases significantly, which helps protect it from playback attacks. CHAP authentication is one-way only, but it can be made mutual by running CHAP in both directions. To make the communication more secure, CHAP authenticates not only at start-up but also at regular intervals throughout the communication, by sending new challenges, to make sure that there has been no intrusion into the network. CHAP also supports multiple username-secret pairs, and the secret can be changed at any time during the session.
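The three-way handshake and the replay protection described in the two paragraphs above can be seen in a short simulation. This is an added example, not code from the original article: it assumes the MD5 response calculation defined in RFC 1994 (hash of Identifier, secret and Challenge), and the names `chap_response`, `Authenticator` and `demo` and the sample secret are hypothetical.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5(Identifier || secret || Challenge), as in RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Authenticator side: issues challenges and checks responses."""
    def __init__(self, secrets: dict):
        self.secrets = secrets      # username -> shared secret (never sent)
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        # Message 1 (Challenge): new identifier and fresh random value each time.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        # Message 3 (Success/Failure): recompute the hash locally and compare.
        secret = self.secrets.get(name)
        if secret is None or identifier != self.identifier or not self.challenge:
            return False
        expected = chap_response(self.identifier, secret, self.challenge)
        self.challenge = b""        # each challenge accepts one response only
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    secret = b"constructed-shared-secret"        # constructed sample value
    server = Authenticator({"alice": secret})

    ident, chal = server.new_challenge()
    resp = chap_response(ident, secret, chal)    # Message 2 (Response)
    first = server.verify("alice", ident, resp)

    # Periodic re-challenge: a captured response fails against the new challenge.
    ident2, _ = server.new_challenge()
    replay = server.verify("alice", ident2, resp)

    ident3, chal3 = server.new_challenge()
    wrong = server.verify("alice", ident3, chap_response(ident3, b"guess", chal3))
    return {"first": first, "replay": replay, "wrong_secret": wrong}

if __name__ == "__main__":
    print(demo())
```

Only the identifier, the challenge and the hash cross the wire; the secret stays on each end, which is the property that separates CHAP from PAP.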
In conclusion, it can be said that CHAP not only helps in creating a secure session by authenticating the peer, but it also helps in verifying that authentication by periodically checking the integrity of the connection throughout.