The Secret Security Wiki


Challenge Handshake Authentication Protocol

Challenge-Handshake Authentication Protocol (CHAP) is an identity verification protocol that authenticates a party without ever transmitting the shared secret between the access-requesting party and the identity-verifying party (the authenticator). CHAP is based on a shared secret, but to authenticate, the authenticator sends a “challenge” message to the access-requesting party, which responds with a value calculated by a one-way hash function over the challenge and the shared secret. The authenticator compares the response against its own calculation of the expected hash value: if the values match, authentication succeeds; otherwise it fails. After an authenticated connection has been established, the authenticator may send further challenges to the access-requesting party at random intervals, and the access-requesting party must produce the correct response to each.

CHAP has built-in measures to protect against replay (playback) attacks: the access-requesting party must use an incrementally changing identifier and a variable challenge value. The authenticator controls the frequency and timing of the challenges, and the use of repeated challenges is intended to limit the time of exposure to any single attack.
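The exchange described above, worked through in code as an added example (not part of the original wiki entry). It follows the response construction of RFC 1994, MD5 over Identifier || secret || Challenge, which the entry itself does not spell out. The shared secret, the `Authenticator` and `Peer` classes and the helper names are constructed for illustration. The authenticator increments the identifier and draws a fresh random challenge for every round, accepts exactly one response per outstanding challenge, and compares digests in constant time; the last function shows why a captured response fails when replayed against the next challenge.

```python
import hashlib
import hmac
import os

# Constructed example secret, shared out of band between peer and authenticator.
SHARED_SECRET = b"example-shared-secret"  # constructed value, not a real credential


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value as defined in RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Issues challenges and verifies responses for one access-requesting party."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0        # 8-bit Identifier, incremented for every challenge
        self._outstanding = None    # (identifier, challenge) currently awaiting a response

    def issue_challenge(self, length: int = 16):
        """Send a new Challenge packet: fresh identifier plus an unpredictable challenge value."""
        self._identifier = (self._identifier + 1) % 256
        challenge = os.urandom(length)          # variable challenge, never reused
        self._outstanding = (self._identifier, challenge)
        return self._identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        """Check a Response packet against the single outstanding challenge."""
        if self._outstanding is None:
            return False                        # nothing was asked, so nothing is accepted
        expected_id, challenge = self._outstanding
        self._outstanding = None                # each challenge accepts exactly one response
        if identifier != expected_id:
            return False                        # stale or replayed identifier
        expected = chap_response(expected_id, self._secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """The access-requesting party: proves knowledge of the secret without sending it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return identifier, chap_response(identifier, self._secret, challenge)


def run_exchange(peer_secret: bytes = SHARED_SECRET,
                 auth_secret: bytes = SHARED_SECRET) -> bool:
    """One full challenge/response round; True only if both sides hold the same secret."""
    auth = Authenticator(auth_secret)
    peer = Peer(peer_secret)
    identifier, challenge = auth.issue_challenge()
    resp_id, response = peer.respond(identifier, challenge)
    return auth.verify(resp_id, response)


def replay_rejected():
    """Capture one valid response, then replay it against the authenticator's next challenge."""
    auth = Authenticator(SHARED_SECRET)
    peer = Peer(SHARED_SECRET)
    identifier, challenge = auth.issue_challenge()
    resp_id, response = peer.respond(identifier, challenge)
    first = auth.verify(resp_id, response)      # genuine response: accepted
    auth.issue_challenge()                      # new identifier and new challenge value
    second = auth.verify(resp_id, response)     # replayed capture: rejected
    return first, second


if __name__ == "__main__":
    print("matching secrets:", run_exchange())
    print("wrong secret:", run_exchange(peer_secret=b"not-the-secret"))
    print("genuine then replayed:", replay_rejected())
```

Two properties of the protocol are worth keeping in mind when reading this: the authenticator must hold the secret in a form it can feed to the hash, so it cannot store only a salted one-way digest the way a password database does; and anyone who observes a challenge/response pair can test candidate secrets against it offline, so CHAP's strength rests on the entropy of the shared secret.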