Challenge-Handshake Authentication Protocol (CHAP)
CHAP is a more secure procedure for connecting to a system than the Password Authentication Procedure (PAP). Here's how CHAP works:
At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP. RFC1334 defines both CHAP and PAP.
- After the link is made, the server sends a challenge message to the connection requester. The requester responds with a value obtained by using a one-way hash function.
- The server checks the response by comparing it its own calculation of the expected hash value.
- If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.
At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP. RFC1334 defines both CHAP and PAP.