Solstice PPP 3.0.1 Administration Guide

Challenge-Handshake Authentication Protocol (CHAP)

The Challenge-Handshake Authentication Protocol (CHAP) provides password authentication on initial link establishment, based on a three-way handshake mechanism. It depends on a CHAP secret, known only to the authenticator and its peer, which is not transmitted over the link.

When one end of the link requests CHAP authentication, that end (the authenticator) generates a challenge message that includes a challenge value, which is calculated from the CHAP secret. The other end must answer the challenge message with a response value, which is calculated from the challenge value received and the common secret. If the other end fails to respond, or if its response does not match the value expected by the authenticator, the link is closed.

CHAP is a stronger authentication method than PAP, because the secret is not transmitted over the link, and because it provides protection against repeated attacks during the life of the link. As a result, if both PAP and CHAP authentication are enabled, CHAP authentication is always performed first.

CHAP authentication may be requested by one end of the link only, or by both ends of the link simultaneously. If both ends request CHAP authentication, they exchange challenge and response messages. Authentication must be successful at both ends, or the link is closed.