

Challenge-Handshake Authentication Protocol (CHAP)

CHAP is a challenge-response authentication mechanism that avoids transmitting the actual password over the connection. The Network Access Server sends the remote client a challenge consisting of a one-octet session identifier (ID) and an arbitrary challenge string. The remote client returns its user name together with an MD5 one-way hash computed over the session ID, the client's password, and the challenge string (concatenated in that order, as specified in RFC 1994). The user name is sent in clear text; the password itself is never sent.

CHAP is an improvement over Password Authentication Protocol (PAP) because the clear-text password is not sent over the link. Instead, the password is used to compute a hash from the challenge. The server knows the client's clear-text password, so it can repeat the same computation and compare the result to the hash in the client's response. CHAP protects against replay attacks by using a different, unpredictable challenge string for each authentication attempt, so a captured response is useless against a later challenge. CHAP protects against remote client impersonation by sending repeated challenges at unpredictable times throughout the duration of the connection. Two limitations remain: the server must store each password in clear text (or reversibly encrypted) in order to compute the expected hash, and an eavesdropper who captures a challenge and its response can test candidate passwords offline, so CHAP on its own does not protect weak passwords.
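The exchange described above, as an added example that is not part of the original page: a minimal CHAP/MD5 server and client in Python. The server keeps each outstanding challenge keyed by its one-octet identifier and consumes it on first use, the client computes MD5(ID || password || challenge) per RFC 1994, and two extra functions show why a replayed response fails and why an eavesdropper can still run an offline dictionary attack. The user name, password and word list are constructed for the demo; the class and function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample credential store (not from the original page).
# A CHAP server must hold the clear-text password to recompute the hash.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5 response: MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= ident <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Network Access Server side: issues challenges and verifies responses."""

    def __init__(self, user_db, rng=os.urandom):
        self.user_db = user_db
        self.rng = rng            # source of unpredictable challenge strings
        self.ident = 0            # one-octet Identifier, incremented per challenge
        self.outstanding = {}     # ident -> challenge value awaiting a response

    def challenge(self, length: int = 16):
        """Return (ident, value) for a new, unpredictable challenge."""
        self.ident = (self.ident + 1) & 0xFF
        value = self.rng(length)
        self.outstanding[self.ident] = value
        return self.ident, value

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        """Check a response against the challenge the server itself issued."""
        value = self.outstanding.pop(ident, None)   # one-shot: consumed on first use
        secret = self.user_db.get(username)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_respond(ident: int, value: bytes, username: str, password: bytes):
    """Remote client side: user name in clear, hash of ID, password and challenge."""
    return username, chap_response(ident, password, value)


def run_exchange(server: ChapServer, username: str, password: bytes) -> bool:
    """One complete challenge/response round; True if the server accepts it."""
    ident, value = server.challenge()
    name, resp = client_respond(ident, value, username, password)
    return server.verify(ident, name, resp)


def replay_attack(server: ChapServer, captured) -> bool:
    """Attacker replays a captured (name, response) against a fresh challenge.

    Fails because the new challenge value differs from the one the response
    was computed over (and the old identifier has already been consumed).
    """
    new_ident, _new_value = server.challenge()
    _ident, _value, name, resp = captured
    return server.verify(new_ident, name, resp)


def offline_dictionary_attack(captured, wordlist):
    """Eavesdropper who saw challenge and response tests candidate passwords offline.

    Returns the matching candidate, or None. This is the limitation CHAP does
    not address: the hash can be brute-forced without talking to the server.
    """
    ident, value, _name, resp = captured
    for candidate in wordlist:
        if chap_response(ident, candidate, value) == resp:
            return candidate
    return None


if __name__ == "__main__":
    server = ChapServer(USER_DB)
    print("correct password accepted:", run_exchange(server, "alice", USER_DB["alice"]))
    print("wrong password accepted:  ", run_exchange(server, "alice", b"guess"))
    ident, value = server.challenge()
    name, resp = client_respond(ident, value, "alice", USER_DB["alice"])
    captured = (ident, value, name, resp)      # what a sniffer on the link sees
    print("genuine response accepted:", server.verify(ident, name, resp))
    print("replayed response accepted:", replay_attack(server, captured))
    print("offline guess recovered:  ",
          offline_dictionary_attack(captured, [b"password", USER_DB["alice"]]))
```

The server never trusts a challenge value supplied by the peer: it looks up the value it issued for that identifier, so an attacker cannot pick a convenient challenge. The replay test shows that a captured response is bound to one challenge; the dictionary test shows that it still leaks enough for an offline guess, which is why CHAP should be paired with strong passwords or a protected link.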

Registry Settings

The following example shows the registry settings for CHAP. The subkey number is the EAP type number; MD5-Challenge is EAP type 4. FriendlyName is the name displayed for the method, the two Invoke...Dialog values cause the user name and password dialogs to be displayed, and Path names the EAP extension DLL that implements the method.

[HKEY_LOCAL_MACHINE\Comm\EAP\Extension\4]
    "FriendlyName"="MD5-Challenge"
    "InvokePasswordDialog"=dword:1
    "InvokeUserNameDialog"=dword:1
    "Path"="eapchap.dll"

See Also

EAP Authentication Protocols | Authentication Protocols

 Last updated on Thursday, April 08, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.