Challenge Handshake Authentication Protocol (CHAP)
Challenge-Handshake Authentication Protocol (CHAP) is an identity verification protocol that does not rely on sending a shared secret between the access-requesting party and the identity-verifying party (the authenticator). CHAP is based on a shared secret, but the secret itself is not transmitted: to authenticate, the authenticator sends a “challenge” message to the access-requesting party, which responds with a value calculated using a “one-way hash” function that takes as inputs the challenge and the shared secret. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication succeeds; otherwise it fails. Following the establishment of an authenticated connection, the authenticator may send a challenge to the access-requesting party at random intervals, and the access-requesting party must produce the correct response each time.
CHAP has built-in measures to protect against playback attacks: the access-requesting party must use an incrementally changing identifier and a variable challenge value. The authenticator is in control of the frequency and timing of the challenges. The use of repeated challenges is intended to limit the time of exposure to any single attack.
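The exchange described above, as an added example (not code from RFC 1994 or from this page): it uses the MD5 response calculation that RFC 1994 defines, a hash over the identifier, the shared secret and the challenge value, and shows a captured response being rejected when it is played back against a later challenge. The `Authenticator` class, the `demo` function and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample secret, known to both sides and never sent on the wire.
SHARED_SECRET = b"example-shared-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 response: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Issues challenges and checks responses (hypothetical helper class)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.pending = None  # (identifier, challenge) awaiting a response

    def new_challenge(self):
        # Identifier changes incrementally; challenge value is fresh random bytes.
        self.identifier = (self.identifier + 1) % 256
        self.pending = (self.identifier, os.urandom(16))
        return self.pending

    def verify(self, identifier: int, response: bytes) -> bool:
        # A response carrying a stale identifier is rejected outright.
        if self.pending is None or identifier != self.pending[0]:
            return False
        expected = chap_response(identifier, self.secret, self.pending[1])
        self.pending = None  # each challenge is answered at most once
        return hmac.compare_digest(expected, response)


def demo():
    auth = Authenticator(SHARED_SECRET)
    # Initial handshake: the peer answers the challenge it was sent.
    ident1, chal1 = auth.new_challenge()
    resp1 = chap_response(ident1, SHARED_SECRET, chal1)
    first_ok = auth.verify(ident1, resp1)
    # Later re-challenge: the captured (ident1, resp1) pair is played back.
    ident2, _chal2 = auth.new_challenge()
    replay_ok = auth.verify(ident1, resp1)
    # Relabelled with the current identifier, the old hash still does not match.
    relabelled_ok = auth.verify(ident2, resp1)
    return first_ok, replay_ok, relabelled_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```
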
Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP) are authentication protocols used for establishing authenticated network connections. CHAP is designed to overcome security vulnerabilities present in PAP.
CHAP is used by an authenticator to verify the identity of an access-requesting party.
The CHAP protocol does not require messages to be encrypted.
RFC 1994 is the PPP Challenge Handshake Authentication Protocol (CHAP) – it defines the use of CHAP for authenticating Point-to-Point Protocol (PPP) connections.
PPP is a Point-to-Point [connection] Protocol. Connections can be authenticated using CHAP. PPP is not used in CHAP – CHAP may be used in PPP.