What Is Challenge Handshake Authentication Protocol (CHAP)?
Challenge Handshake Authentication Protocol (CHAP) is a protocol used in network security for the validation of a user’s identity.
It is primarily used to authenticate a user or a network host to an authenticating entity, such as a server.
CHAP is commonly used in Point-to-Point Protocol (PPP) connections, which are often found in internet dial-up connections, Virtual Private Networks (VPN), and other network systems that require secure user authentication.
By using a one-way hash function, CHAP ensures that passwords are never sent in clear text over the network. It can be configured to periodically send a new challenge to the client, reinforcing security against session hijacking.
CHAP is more secure than PAP. It involves a three-way exchange of a shared secret. During link establishment, It conducts periodic challenges to make sure that the remote host still has a valid password value.
While PAP primarily stops working once authentication is established, this leaves the network vulnerable to attack.
How CHAP Works
After the PPP link encapsulation phase is complete, the local router sends a challenge message to the remote host.
The remote host sends a response with a value calculated using a one-way hash function, which is normally Message Digest 5 (MD5) based on the password and challenge message.
The local router checks the response from the remote host against its calculation of the expected hash value. If there is a match, the initiating host acknowledges the authentication. If the values don’t match, it immediately terminates the connection.
Advantages
CHAP protects against playback attack by using different challenge value that is unique and comes in random. Because the challenge is unique and unpredictable, the resulting hash value is also unique and random. Which makes it difficult to ‘guess’.
The use of repeated and different challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
Note:
You can enable either PAP or CHAP or both on a network. If both authentications are enabled, PAP is requested during link negotiation. If the network device suggests using CHAP or simply refuses the first method, the second method is tried. Some remote devices support CHAP only and some PAP only. It is highly recommended to use both on a Cisco router for maximum data security.
PAP usernames and passwords are sent as clear-text strings and can be intercepted and reused. CHAP has eliminated most of the known security holes
The Branch Router initiates the 3-way handshake and sends a challenge message to the router HQ HQ in response to the Branch’s CHAP challenge by sending its username and password. The branch checks HQ’s username and password in it are a local database for a possible match, if there is a match, it accepts the connection. If not, it rejects.
Remote Office router
| RO#config t RO(config-if)#username HQ password orbit RO(config-if)#encapsulation pppRO(config-if)# ppp authentication chap RO(config-if)#endHQ router |
| HQ#config t HQ(config-if)#username RO password orbit HQ(config-if)#encapsulation pppRO(config-if)# ppp authentication chap HQ(config-if)#endRELATED ARTICLES |
CHAP operates by challenging the client to prove its identity, with the authenticating entity sending a random string of characters to the client. The client then uses a one-way hash function to encrypt the random string along with its password, and sends the result back to the server.
If the server is able to replicate the same hash value using its stored password for the client, the authentication is successful. This process helps to prevent replay attacks and ensures that the client’s password is never sent over the network in plain text.
