Remote Access Server
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol documented in RFC 1994. It uses the industry-standard Message Digest 5 (MD5) one-way hash function to compute the response to a challenge issued by the remote access server. MD5 is a hash, not an encryption scheme: the response cannot be decrypted back into the password, which is what makes it safe to send over the link.
CHAP is used by various vendors of dial-in servers and clients. CHAP is supported by both the Windows 2000 remote access server and remote access client.
CHAP is an improvement over PAP and SPAP in that the password is never sent over the link. Instead, the client computes a one-way hash (MD5) over the CHAP Identifier, the password, and the challenge value sent by the server, and returns only that hash. The server, which must know the client's password, performs the same computation and compares its result with the value in the client's response.
The use of CHAP is negotiated during Phase 1 (LCP negotiation) by sending the Authentication-Protocol LCP option (type 3) with the authentication protocol value 0xC2-23 and the algorithm octet 0x05 (MD5). Once LCP negotiation is complete, CHAP messages are carried with the PPP Protocol ID 0xC2-23.
CHAP authentication is an exchange of three messages: the server sends a Challenge, the client returns a Response, and the server answers with Success or Failure.
CHAP protects against replay attacks by using a different, unpredictable challenge value for each authentication attempt, so a captured response is useless against a later challenge. However, CHAP provides no mutual authentication: the client answers any challenge it receives without verifying who sent it, so CHAP does not protect against remote server impersonation, and a captured challenge/response pair can be tested offline against password guesses. Strong passwords and a trusted link to the server are therefore still required.
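The exchange described above, written out as an added example that is not part of the original documentation or of the Windows 2000 remote access code. It follows the RFC 1994 message format (Code, Identifier, Length, Value-Size, Value, Name) and the MD5 response computation, shows the LCP option bytes from the negotiation paragraph, demonstrates that a replayed Response fails against a fresh challenge, and shows what an impersonating server gains from a response it collects. The server name "ras-server", the user "alice", and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# CHAP Code values (RFC 1994 section 4).
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
MD5_ALGORITHM = 5  # Algorithm octet for MD5-CHAP

# LCP Authentication-Protocol option as negotiated in Phase 1:
# Type 3, Length 5, Protocol 0xC223, Algorithm 0x05.
LCP_CHAP_MD5_OPTION = bytes([3, 5, 0xC2, 0x23, MD5_ALGORITHM])


def chap_hash(identifier, secret, challenge):
    """Response value: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code, identifier, value=b"", name_or_message=b""):
    """Challenge/Response carry Value-Size, Value, Name; Success/Failure carry a Message."""
    if code in (CHALLENGE, RESPONSE):
        body = bytes([len(value)]) + value + name_or_message
    else:
        body = name_or_message
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(pkt):
    """Return (code, identifier, value, name_or_message); reject inconsistent lengths."""
    if len(pkt) < 4:
        raise ValueError("truncated CHAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP Length does not match packet size")
    body = pkt[4:]
    if code in (CHALLENGE, RESPONSE):
        if not body or 1 + body[0] > len(body):
            raise ValueError("Value-Size exceeds packet")
        size = body[0]
        return code, identifier, body[1:1 + size], body[1 + size:]
    return code, identifier, b"", body


class ChapServer:
    """Remote access server side. Secrets must be available in plaintext (the
    'reversibly encrypted' storage requirement) so the hash can be recomputed."""

    def __init__(self, secrets):
        self.secrets = secrets      # constructed sample: name -> plaintext secret
        self.identifier = 0
        self.outstanding = None     # (identifier, challenge) awaiting one response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)       # fresh, unpredictable value per attempt
        self.outstanding = (self.identifier, chal)
        return build_packet(CHALLENGE, self.identifier, chal, b"ras-server")

    def verify(self, response_pkt):
        code, ident, value, name = parse_packet(response_pkt)
        if code != RESPONSE or self.outstanding is None or ident != self.outstanding[0]:
            return build_packet(FAILURE, ident, name_or_message=b"stale or unexpected response")
        _, chal = self.outstanding
        self.outstanding = None     # a challenge is good for exactly one response
        secret = self.secrets.get(name)
        if secret is not None and hmac.compare_digest(value, chap_hash(ident, secret, chal)):
            return build_packet(SUCCESS, ident, name_or_message=b"welcome")
        return build_packet(FAILURE, ident, name_or_message=b"authentication failed")


def client_respond(challenge_pkt, name, secret):
    """Client side: hash the challenge with the password; the password never leaves the host."""
    code, ident, chal, _peer = parse_packet(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("expected a Challenge")
    return build_packet(RESPONSE, ident, chap_hash(ident, secret, chal), name)


def run_exchange(server, name, secret):
    """Full three-message exchange; returns (result code, the Response packet)."""
    resp = client_respond(server.challenge(), name, secret)
    return parse_packet(server.verify(resp))[0], resp


def replay_is_rejected(server, name, secret):
    """Replaying a Response that once succeeded fails against the next challenge."""
    outcome, resp = run_exchange(server, name, secret)
    server.challenge()              # next attempt gets a new identifier and challenge
    return outcome == SUCCESS and parse_packet(server.verify(resp))[0] == FAILURE


def offline_guess(challenge_pkt, response_pkt, candidates):
    """What an impersonating server gains: the client answers any challenge, and the
    captured pair can be checked offline against candidate passwords."""
    _, ident, chal, _ = parse_packet(challenge_pkt)
    _, rident, value, _ = parse_packet(response_pkt)
    if ident != rident:
        return None
    for secret in candidates:
        if chap_hash(ident, secret, chal) == value:
            return secret
    return None
```

The server clears its outstanding challenge after one response and issues a new random value per attempt, which is what defeats replay; nothing in the protocol lets the client confirm that the Challenge came from the genuine server, which is why `offline_guess` works for a rogue peer and why password strength still matters.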
Because the server must recompute the MD5 hash over the plaintext password, CHAP requires that local or domain passwords be stored in a reversibly encrypted form; this weakens password storage and should be enabled only for the accounts that actually need CHAP. For more information, see Windows 2000 Server Help.