CHAP (Challenge-Handshake Authentication Protocol) By

Home » What Does Chap Stand For Networking » CHAP (Challenge-Handshake Authentication Protocol) By

Maybe your like

  • Home
  • Identity and access management
  • Share this item with your network:
Peter Loshin By
  • Peter Loshin, Former Senior Technology Editor
Published: Sep 29, 2021

What is CHAP (Challenge-Handshake Authentication Protocol)?

CHAP (Challenge-Handshake Authentication Protocol) is a challenge and response authentication method that Point-to-Point Protocol (PPP) servers use to verify the identity of a remote user. CHAP authentication begins after the remote user initiates a PPP link.

CHAP enables remote users to identify themselves to an authenticating system, without exposing their password. With CHAP, authenticating systems use a shared secret -- the password -- to create a cryptographic hash using the MD5 message digest algorithm.

CHAP uses a three-way handshake to verify and authenticate the identity of the user, whereas the Password Authentication Protocol (PAP) uses a two-way handshake for authentication between the remote user and PPP server.

Designed to be used with PPP for authenticating remote users, CHAP is applied periodically during a remote session to reauthenticate the user. PAP and CHAP are primarily intended for remote connections over dial-up lines or switched circuits, as well as for dedicated links.

PAP and CHAP are commonly used for negotiating a network connection to an internet service provider. CHAP is specified in Request for Comments 1994.

How does CHAP work?

Here's how CHAP works:

  1. After the link is made, the server sends a challenge message to the connection requestor.
  2. The requestor responds with a value obtained by using a one-way hash function known as MD5.
  3. The server checks the response by comparing it with its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is usually terminated.

The server can send a new challenge to the requestor randomly during the session to reauthenticate the requestor. Steps 1 through 3 are then repeated.

At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and authentication can be requested by the server at any time, CHAP provides more security than PAP.

CHAP three-way handshake
CHAP uses a three-way handshake protocol to authenticate users over PPP sessions.

Types of CHAP packets

PPP carries CHAP packets between the authenticator and the requestor. CHAP packets consist of a header, which includes the following:

  • Code field, which contains an eight-bit code identifying the type of CHAP packet being sent -- valid values are 1 to 4;
  • Identifier field, which is an arbitrary eight-bit ID identifying the packet as belonging to an authentication sequence;
  • Length field, which contains the number of bytes in the CHAP packet; and
  • Data field, which includes any data being requested or submitted and values depending on the type of CHAP packet it is being carried in.

Further reading

CHAP and PAP were among the first attempts to implement secure remote access, and understanding the differences between CHAP and PAP is just the first step.

CHAP integrates with the Remote Authentication Dial-In User Service, or RADIUS, protocol. Kerberos offers a more sophisticated and secure tool for remote user authentication.

Learning the differences between CHAP and Extensible Authentication Protocol, Lightweight Extensible Authentication Protocol and Wi-Fi Protected Access version 2 protocol will help IT pros make the best decision.

CHAP works with four different types of packet. Each packet is identified by the value of its Code field, as follows:

  1. The authenticating system -- usually a network access server or switch -- sends a CHAP Challenge packet to start the authentication process. After a PPP session is initiated, the system or network being accessed can demand that the remote user authenticate. The Challenge includes the authenticator's host name.
  2. The remote user's system must send a CHAP Response packet in response to a Challenge. The remote system sends a secure hash based on the remote user's password in the Response packet. The authenticator compares the hash of the user's password with the expected value. The remote user is authenticated if they match; otherwise, the authentication fails.
  3. The authenticating system -- the network access server-- sends a CHAP Success packet if the remote user's hash matches the hash expected by the server.
  4. The authenticating system sends a CHAP Failure packet if the remote user's password hash does not match the value sent by the user.

If the remote system fails to respond to a Challenge packet, the authenticator can repeat the process. The authenticator terminates the remote user's access if they can't authenticate.

CHAP vs. PAP

CHAP is a more secure procedure for connecting to a system than PAP.

The PAP and CHAP authentication schemes were both originally specified for authenticating remote users connecting to networks or systems using PPP. CHAP's three-way handshake protocol provides stronger protection against password guessing and eavesdropping attacks than PAP's two-way handshake.

CHAP vs. PAP
CHAP and PAP differ in several ways, most notably being that CHAP is more secure than PAP.

Authenticating with PAP requires the remote user to submit their username and password, and the authenticating system then either permits or denies the user access based on those credentials.

PAP two-way handshake
PAP is a simple two-way handshake for authenticating remote users.

CHAP secures the authentication process by using a more sophisticated protocol. CHAP implements a three-way handshake protocol to be used after the host establishes a PPP connection with the remote resource.

PAP defines a two-way handshake for a remote user to initiate remote access:

  1. The remote system sends a username and password, repeating the transmission until the network access server responds.
  2. The network access server transmits an authentication acknowledgement if the credentials are authenticated. If the credentials are not authenticated, the network access server sends a negative acknowledgment.

While PAP may be used as a bare minimum protocol to enable a remote user to initiate a network connection, CHAP provides a more secure authentication protocol.

Continue Reading About CHAP (Challenge-Handshake Authentication Protocol)

  • The top 7 identity and access management risks
  • What is secure remote access in today's enterprise?
  • IPsec vs. SSL VPN: Comparing speed, security risks and technology
  • Wireless network configuration basics: 5 steps to follow
  • What are the most common digital authentication methods?

Related Terms

What is a message authentication code (MAC)? How it works and best practices A message authentication code (MAC) is a cryptographic checksum applied to a message to guarantee its integrity and authenticity. See complete definition What is biometric authentication? Biometric authentication is a security process that relies on the unique biological characteristics of individuals to verify ... See complete definition What is identity and access management? Guide to IAM No longer just a good idea, IAM is a crucial piece of the cybersecurity puzzle. It's how an organization regulates access to ... See complete definition

Dig Deeper on Identity and access management

  • What is Point-to-Point Protocol over Ethernet (PPPoE)?
    ScottRobinson By: Scott Robinson
  • Use these 6 user authentication types to secure networks
    KyleJohnson By: Kyle Johnson
  • Health Literacy, Care Access Barriers to Cervical Cancer Screening
    SaraHeath By: Sara Heath
  • NVMe-oF over IP: A complete SAN platform
Sponsored News
  • 3 Transformative VDI Use Cases for Hybrid Work –Dell Technologies
  • Hybrid Work Drives New Criteria for VDI and DaaS –Dell Technologies
  • See More
Vendor Resources
  • Securus and its brands revolutionize corrections technology that meets the ... –Aventiv Technologies
  • 3 Types of PKI Certificates and Their Use Cases –TechTarget
Latest TechTarget resources
  • Networking
  • CIO
  • Enterprise Desktop
  • Cloud Computing
  • Computer Weekly
Search Networking
  • AI-driven self-healing networks bring new capabilities

    Self-healing networks use AI to continuously monitor, diagnose and fix issues autonomously, shifting IT from reactive ...

  • Why network modernization is crucial for business continuity

    Network modernization is a business continuity imperative, reducing risks from legacy systems while boosting performance, ...

  • Data quality gaps undermine the promise of agentic NetOps

    EMA's NetOps survey finds only 44% trust their network data for AI. Packet and config data create major risk, so teams must ...

Search CIO
  • Inside a CIO's mind: Mastering time and knowing the business

    CIO Sean McCormack explains how he balances strategy, vendors and frontline engagement -- and why his to-do list lives on his ...

  • CIOs are feeling the pressure of the AI leadership gap

    In this Q&A, Wendy Lynch, founder of Analytic Translator, discusses how CIOs need to close a leadership gap to overcome the huge ...

  • Why companies should be sustainable and how IT can help

    Pressure is mounting for the business sector to address its environmental footprint and become more sustainable. Here's a look at...

Search Enterprise Desktop
  • When SaaS softens the OS -- but doesn't erase it

    As Windows 10 retires and SaaS reduces OS dependence, Linux desktops are re-emerging as a viable enterprise option driven by cost...

  • How to fix Windows 11 when it keeps restarting

    When a Windows 11 desktop keeps restarting, there are a few factors that might be behind the issue. IT administrators should ...

  • 12 best patch management software and tools for 2026

    These 12 tools approach patching from different perspectives. Understanding their various approaches can help you find the right ...

Search Cloud Computing
  • GenAI drives $119B cloud revenue in Q4

    Q4 cloud infrastructure service revenues reach $119.1 billion, bringing the 2025 total to $419 billion. See how much market share...

  • Cloud infrastructure suffers AI growing pains

    Will $5 trillion in AI infrastructure investment be enough? Cloud providers facing that question must also yield a return, ...

  • 8 reasons why IT leaders are embracing cloud repatriation

    As IT leaders aggressively re-allocate capital to fund new AI initiatives, repatriation offers both savings and greater control, ...

ComputerWeekly.com
  • NHS publishes tech-laden cancer plan

    The 10-year plan promises to transform cancer care through use of artificial intelligence, robotic surgeries and access to ...

  • Australia’s CommBank partners business school to research artificial intelligence

    CommBank wants to better understand how its customers perceive, use and trust artificial intelligence, as the technology is set ...

  • Private LTE/5G networks reached 6,500 deployments in 2025

    Analysis of private 5G market finds steadily growing market that is increasingly driven by organic demand from end users, with ...

Close

Tag » What Does Chap Stand For Networking