CHAP (Challenge-Handshake Authentication Protocol)

CHAP (Challenge-Handshake Authentication Protocol) is a more secure procedure for connecting to a system than the Password Authentication Procedure (PAP). Here's how CHAP works:

  1. After the link is made, the server sends a challenge message to the connection requestor. The requestor responds with a value obtained by using a one-way hash function.
  2. The server checks the response by comparing it against its own calculation of the expected hash value.
  3. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.

At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP. RFC 1334 defines both CHAP and PAP.
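The exchange described above, as an added example that is not part of the original page: it uses MD5 over Identifier || secret || Challenge, the hash and field order the CHAP RFC specifies. The `Server` class, `run_demo` helper and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """One-way hash the requestor sends back: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Server:
    """Hypothetical authenticator: issues challenges and checks responses."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # (identifier, challenge) awaiting a response

    def new_challenge(self):
        # Step 1: new identifier and an unpredictable challenge for every round.
        self.identifier = (self.identifier + 1) % 256
        self.outstanding = (self.identifier, os.urandom(16))
        return self.outstanding

    def verify(self, identifier: int, response: bytes) -> bool:
        # Steps 2 and 3: recompute the expected hash and compare.
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        ident, challenge = self.outstanding
        self.outstanding = None  # a challenge is accepted at most once
        expected = chap_response(ident, self.secret, challenge)
        return hmac.compare_digest(expected, response)

def run_demo() -> dict:
    secret = b"constructed-shared-secret"  # sample value, known to both ends
    server = Server(secret)
    results = {}
    ident, chal = server.new_challenge()
    captured = chap_response(ident, secret, chal)  # what a listener on the link sees
    results["correct_secret"] = server.verify(ident, captured)
    # Re-challenge: the earlier response no longer matches the new values.
    ident2, _ = server.new_challenge()
    results["replayed_old_response"] = server.verify(ident2, captured)
    ident3, chal3 = server.new_challenge()
    results["wrong_secret"] = server.verify(ident3, chap_response(ident3, b"guess", chal3))
    ident4, chal4 = server.new_challenge()
    results["re_authentication"] = server.verify(ident4, chap_response(ident4, secret, chal4))
    return results

if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case}: {'Success' if ok else 'Failure'}")
```

Both ends need the secret itself to compute the hash, so the server must hold it in recoverable form rather than as a salted password hash.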

This was last updated in June 2005
