CHAP (Challenge Handshake Authentication Protocol)
Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.
CHAP is an authentication protocol used for remote logon, usually between a client and server or Web browser and Web server. A challenge/response is a security mechanism for verifying the identity of a person or process without revealing a secret password that is shared by the two entities. It is also referred to as a three-way handshake. An important concept related to CHAP is that the client must prove to the server that it knows a shared secret without actually revealing the secret (sending the secret across the wire could reveal it to an eavesdropper). CHAP provides a mechanism for doing this.
When a client contacts a system that uses CHAP, the system (herein called the authenticator) responds by sending the client a "challenge." The challenge is some information that is unique for this authentication session. The client then takes this information and encrypts it using a previously issued password that is shared by both the client and authenticator. The result of this operation is then returned to the authenticator. The authenticator has the same password and uses it as a key to encrypt the information it previously sent to the client. It compares its results with the encrypted results sent by the client. If they are the same, the client is assumed to be authentic.
These schemes are often called "proof of possession" protocols. The challenge requires that an entity prove possession of a shared key or of one of the keys of a key pair in a public key scheme.
This procedure is repeated throughout the session to verify that the correct client is still connected. Repeating these steps prevents someone from "stealing" the client's session by "replaying" information that was intercepted on the line.
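The exchange and the repeated challenge described above, as an added example that is not part of the original entry. It follows RFC 1994, where the client's operation on the challenge is a one-way MD5 hash over the identifier, the shared secret, and the challenge; the function and class names and the secret value are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Authenticator side: issues per-attempt challenges and checks responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0
        self._pending = None  # (identifier, challenge) awaiting a response

    def new_challenge(self):
        # A fresh identifier and an unpredictable challenge for every attempt.
        self._identifier = (self._identifier + 1) % 256
        self._pending = (self._identifier, os.urandom(16))
        return self._pending

    def verify(self, identifier: int, response: bytes) -> bool:
        if self._pending is None or identifier != self._pending[0]:
            return False
        ident, challenge = self._pending
        self._pending = None  # a challenge is valid for one response only
        expected = chap_response(ident, self._secret, challenge)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    secret = b"constructed-shared-secret"  # sample value, known to both sides
    server = Authenticator(secret)

    # Initial handshake: challenge, response, comparison. The secret never
    # crosses the wire; only the challenge and the hash do.
    ident, challenge = server.new_challenge()
    captured = chap_response(ident, secret, challenge)
    results = {"initial": server.verify(ident, captured)}

    # Mid-session re-challenge: the previously captured response is replayed
    # and no longer matches, because the challenge has changed.
    ident2, _ = server.new_challenge()
    results["replayed"] = server.verify(ident2, captured)

    # The genuine client recomputes the response for the new challenge.
    ident3, challenge3 = server.new_challenge()
    results["fresh"] = server.verify(ident3, chap_response(ident3, secret, challenge3))
    return results

if __name__ == "__main__":
    print(demo())
```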
More specific information about CHAP, including step-by-step explanations and illustrations, may be found in "The Encyclopedia of Networking and Telecommunications."
Several Internet RFCs cover CHAP in more detail. These are RFC 1994 (PPP Challenge Handshake Authentication Protocol, August 1996), RFC 2433 (Microsoft PPP CHAP Extensions, October 1998), and RFC 2759 (Microsoft PPP CHAP Extensions version 2, January 2000).
Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.