CHAP (Challenge Handshake Authentication Protocol) is an authentication protocol used with the Point-to-Point Protocol (PPP). It authenticates a user or device to a network, where the authenticating side can be any server, an online service or an Internet service provider. It runs at the start of the link and then repeats periodically, so the router can check that it is still communicating with the same host. CHAP is used primarily for security purposes.
In CHAP, the server sends a challenge to the client once the client has established a network connection to reach the server. The challenge travels over the same network link. The client runs a one-way hash function over the challenge together with its secret to calculate a value, which it sends back to the server; the server computes the same value independently and compares the two. If the values match, the client is granted access to the server; otherwise, the connection is terminated. The authenticator repeats this challenge at random intervals during the session, and the peer must answer each one with a freshly calculated value, so the authenticator continuously re-authenticates the peer on the basis of those values.
There are 4 types of CHAP packets:
- Challenge packet: Sent by the authenticator to the peer at the start of the CHAP 3-way handshake. It contains an Identifier value, a Value field holding a random value, and a Name field holding the name of the authenticator. The Name field is used for the password lookup.
- Response packet: Used to reply to the Challenge packet. It contains a Value field holding the generated one-way hash value, the Identifier value, and a Name field. The Name field of the Response packet is set to the hostname of the peer router. To build the response, the peer takes the Name field of the Challenge packet and searches for the password: the router looks up an entry whose username matches that Name field and retrieves the password. It then generates the one-way hash value, places it in the Value field of the Response packet, and sends the packet to the authenticator.
- Success packet: The authenticator now does the same on its side: it looks up the Name field of the Response packet, retrieves the corresponding password and generates a hash value. If the value it generates is the same as the one sent by the peer, a Success packet is sent.
- Failure packet: If the generated value differs, a Failure packet is sent to the peer.
Features of CHAP:
- It uses a three-way handshake. First, the authenticator sends a Challenge packet to the peer; the peer then responds with a value computed by its one-way hash function. The authenticator matches the received value against its own calculated hash value. If the values match, the authentication is acknowledged; otherwise, the connection is terminated.
- It uses the one-way hash function MD5.
- It also re-authenticates periodically to check whether the communication is still taking place with the same device.
- It provides more security than PAP (Password Authentication Procedure), because the value exchanged changes with every challenge.
- CHAP requires both sides to know the plaintext of the secret, since the secret itself is never sent over the network.
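The packet types and the three-way handshake described above, as an added example that is not part of the original article: both sides of the exchange are simulated in one process. The packet layout and the response computation MD5(Identifier || Secret || Challenge) follow RFC 1994; the hostnames R1/R2, the secret table and the challenge bytes are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# RFC 1994 packet codes
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # Response value = MD5(Identifier || Secret || Challenge-Value); the secret never leaves the host
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def build_packet(code: int, identifier: int, value: bytes = b"", name: bytes = b"") -> bytes:
    # Header: Code(1) Identifier(1) Length(2). Challenge/Response carry Value-Size(1) + Value + Name;
    # Success/Failure carry only a free-form Message (passed here in 'name').
    body = (bytes([len(value)]) + value + name) if code in (CHALLENGE, RESPONSE) else name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_packet(data: bytes):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("CHAP Length field does not match packet size")
    if code in (CHALLENGE, RESPONSE):
        size = data[4]
        return code, identifier, data[5:5 + size], data[5 + size:]
    return code, identifier, b"", data[4:]

def peer_respond(challenge_pkt: bytes, secret: bytes, hostname: bytes) -> bytes:
    # Peer side: hash the challenge with its secret and put its own hostname in the Name field
    _, ident, chal, _ = parse_packet(challenge_pkt)
    return build_packet(RESPONSE, ident, chap_hash(ident, secret, chal), hostname)

def authenticator_check(response_pkt: bytes, challenge: bytes, secrets: dict) -> bytes:
    # Authenticator side: look up the peer's secret by Name, recompute the hash, compare in constant time
    code, ident, value, name = parse_packet(response_pkt)
    secret = secrets.get(name)
    if code != RESPONSE or secret is None:
        return build_packet(FAILURE, ident, name=b"unknown peer")
    if hmac.compare_digest(chap_hash(ident, secret, challenge), value):
        return build_packet(SUCCESS, ident, name=b"authentication succeeded")
    return build_packet(FAILURE, ident, name=b"bad response")

def run_handshake(peer_secret: bytes, secrets: dict, hostname: bytes = b"R2", ident: int = 1, challenge=None) -> int:
    # Full three-way exchange; returns the SUCCESS or FAILURE code. Challenge is random unless fixed for testing.
    challenge = challenge if challenge is not None else os.urandom(16)
    challenge_pkt = build_packet(CHALLENGE, ident, challenge, b"R1")   # authenticator R1 -> peer
    response_pkt = peer_respond(challenge_pkt, peer_secret, hostname)  # peer -> authenticator
    return parse_packet(authenticator_check(response_pkt, challenge, secrets))[0]
```

Because the authenticator keeps the challenge it issued and recomputes the hash locally, a captured Response packet is useless for a later challenge, which is the property that distinguishes CHAP from PAP.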