Challenge Handshake Authentication Protocol (CHAP)

Challenge-Handshake Authentication Protocol (CHAP) is an identity verification protocol that does not rely on sending a shared secret between the access-requesting party and the identity-verifying party (the authenticator). CHAP is based on a shared secret, but in order to authenticate, the authenticator sends a “challenge” message to the access-requesting party, which responds with a value calculated using a “one-way hash” function that takes as inputs the challenge and the shared secret. The authenticator checks the response against its own calculation of the expected hash value.  If the values match, the authentication succeeds, otherwise it fails.  Following the establishment of an authenticated connection, the authenticator may send a challenge to the access-requesting party at random intervals, to which the access-requesting party will have to produce the correct response.


CHAP has built in measures to protect against playback attack by requiring the access-requesting party to use an incrementally changing identifier and a variable    challenge value. The authenticator is in control of the frequency and timing of the challenges. The use of repeated challenges is intended to limit the time of exposure to any single attack.

Frequently Asked Questions
What is PAP and CHAP in networking?

Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP) are authentication protocols used for establishing authenticated network connections. CHAP is designed to overcome security vulnerabilities present in PAP.

What is CHAP used for?

CHAP is used by an authenticator to verify the identity of an access-requesting party.

Is CHAP encrypted?

The CHAP protocol does not require messages to be encrypted.

What is RFC 1994?

RFC 1994 is the PPP Challenge Handshake Authentication Protocol (CHAP) – it defines the use of CHAP for authenticating Point-to-Point Protocol (PPP) connections.

What is PPP how is it used in CHAP?

PPP is a Point-to-Point [connection] Protocol. Connections can be authenticated using CHAP. PPP is not used in CHAP – CHAP may be used in PPP.