CHAP (Challenge-Handshake Authentication Protocol)

By Peter Loshin, Former Senior Technology Editor
Published: Sep 29, 2021

What is CHAP (Challenge-Handshake Authentication Protocol)?

CHAP (Challenge-Handshake Authentication Protocol) is a challenge-and-response authentication method that Point-to-Point Protocol (PPP) servers use to verify the identity of a remote user. CHAP authentication begins after the remote user initiates a PPP link.

CHAP enables remote users to identify themselves to an authenticating system without ever sending their password over the link. With CHAP, both sides hold a shared secret -- the password -- and use it to compute a cryptographic hash with the MD5 message digest algorithm; only the hash travels over the link.

CHAP uses a three-way handshake to verify and authenticate the identity of the user, whereas the Password Authentication Protocol (PAP) uses a two-way handshake for authentication between the remote user and PPP server.

Designed to be used with PPP for authenticating remote users, CHAP is applied periodically during a remote session to reauthenticate the user. PAP and CHAP are primarily intended for remote connections over dial-up lines or switched circuits, as well as for dedicated links.

PAP and CHAP are commonly used for negotiating a network connection to an internet service provider. CHAP is specified in RFC 1994.

How does CHAP work?

Here's how CHAP works:

  1. After the link is established, the server sends a challenge message to the connection requestor.
  2. The requestor responds with a value computed by running the challenge, together with the shared secret, through the MD5 one-way hash function.
  3. The server checks the response by comparing it with its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is usually terminated.

The server can send a new challenge to the requestor at any point during the session to reauthenticate it. Steps 1 through 3 are then repeated.

Because each challenge carries a fresh identifier and value, and because the server can demand reauthentication at any time, a captured response cannot simply be replayed later, which gives CHAP more security than PAP.

[Figure: CHAP three-way handshake. CHAP uses a three-way handshake protocol to authenticate users over PPP sessions.]

Types of CHAP packets

PPP carries CHAP packets between the authenticator and the requestor. Every CHAP packet carries a header made up of the following fields:

  • Code field, an eight-bit value identifying the type of CHAP packet being sent; valid values are 1 to 4;
  • Identifier field, an arbitrary eight-bit ID that ties the packet to a particular authentication sequence (a Response must carry the Identifier of the Challenge it answers);
  • Length field, the total number of bytes in the CHAP packet, header included; and
  • Data field, whose contents depend on the type of CHAP packet that carries it.

CHAP works with four different types of packet. Each packet is identified by the value of its Code field, as follows:

  1. The authenticating system -- usually a network access server or switch -- sends a CHAP Challenge packet to start the authentication process. After a PPP session is initiated, the system or network being accessed can demand that the remote user authenticate. The Challenge includes the authenticator's host name.
  2. The remote user's system must send a CHAP Response packet in reply to a Challenge. The Response carries a hash computed from the remote user's password and the challenge it received. The authenticator computes the same hash from its own copy of the password and compares it with the value received. The remote user is authenticated if they match; otherwise, the authentication fails.
  3. The authenticating system -- the network access server -- sends a CHAP Success packet if the remote user's hash matches the hash expected by the server.
  4. The authenticating system sends a CHAP Failure packet if the remote user's password hash does not match the value the server expects.

If the remote system fails to respond to a Challenge packet, the authenticator can repeat the process. The authenticator terminates the remote user's access if they can't authenticate.
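The handshake steps and the packet layout described above, as an added example that is not from the original article or from any PPP implementation. It follows the RFC 1994 packet format (Code, Identifier, Length, Data) and response computation (MD5 over Identifier, secret and challenge value); the peer names, secret and fixed challenge bytes are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# CHAP Code values from RFC 1994 (the four packet types listed above).
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

def build_packet(code: int, ident: int, data: bytes) -> bytes:
    """Header: Code (1 byte), Identifier (1 byte), Length (2 bytes, whole packet), then Data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def parse_packet(pkt: bytes) -> Tuple[int, int, bytes]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or not 1 <= code <= 4:
        raise ValueError("malformed CHAP packet")
    return code, ident, pkt[4:length]

def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def make_challenge(ident: int, auth_name: bytes, challenge: Optional[bytes] = None) -> bytes:
    # Data = Value-Size (1 byte) || Value || Name of the authenticator.
    value = challenge if challenge is not None else os.urandom(16)
    return build_packet(CHALLENGE, ident, bytes([len(value)]) + value + auth_name)

def make_response(challenge_pkt: bytes, secret: bytes, peer_name: bytes) -> bytes:
    """Peer side: hash the challenge with the shared secret; the secret never leaves the host."""
    code, ident, data = parse_packet(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("expected a Challenge packet")
    value = data[1:1 + data[0]]
    digest = chap_hash(ident, secret, value)
    return build_packet(RESPONSE, ident, bytes([len(digest)]) + digest + peer_name)

def verify_response(response_pkt: bytes, expected_ident: int, challenge: bytes, secret: bytes) -> bytes:
    """Authenticator side: recompute the hash and answer with Success or Failure."""
    code, ident, data = parse_packet(response_pkt)
    received = data[1:1 + data[0]]
    expected = chap_hash(ident, secret, challenge)
    # The Identifier must match the outstanding Challenge, and the digests are
    # compared in constant time so timing does not leak how many bytes matched.
    if code == RESPONSE and ident == expected_ident and hmac.compare_digest(received, expected):
        return build_packet(SUCCESS, ident, b"welcome")
    return build_packet(FAILURE, ident, b"authentication failed")
```

The last check in the test below shows why the challenge matters: a Response captured for one challenge fails verification against a different one.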

CHAP vs. PAP

CHAP is a more secure procedure for connecting to a system than PAP.

The PAP and CHAP authentication schemes were both originally specified for authenticating remote users connecting to networks or systems using PPP. CHAP's three-way handshake protocol provides stronger protection against password guessing and eavesdropping attacks than PAP's two-way handshake.

[Figure: CHAP vs. PAP. CHAP and PAP differ in several ways, most notably in that CHAP is more secure than PAP.]

Authenticating with PAP requires the remote user to submit their username and password, and the authenticating system then either permits or denies the user access based on those credentials.

[Figure: PAP two-way handshake. PAP is a simple two-way handshake for authenticating remote users.]

CHAP secures the authentication process with a more sophisticated exchange: a three-way handshake that runs after the host establishes a PPP connection with the remote resource.

PAP defines a two-way handshake for a remote user to initiate remote access:

  1. The remote system sends a username and password, repeating the transmission until the network access server responds.
  2. The network access server transmits an authentication acknowledgement if the credentials are authenticated. If the credentials are not authenticated, the network access server sends a negative acknowledgment.

While PAP may serve as a bare-minimum protocol for letting a remote user initiate a network connection, it sends the password in the clear; CHAP provides the more secure authentication protocol.
