An encrypted authentication scheme in which the unencrypted password is not transmitted over the network. Challenge Handshake Authentication Protocol (CHAP) is one of several authentication schemes used by the Point-to-Point Protocol (PPP), a serial transmission protocol for wide area network (WAN) connections. Other authentication schemes supported by PPP include Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). PAP is a widely implemented authentication protocol, but CHAP is more secure than PAP because CHAP never sends the password over the network unencrypted, while PAP does. SPAP and MS-CHAP are vendor-specific implementations.
A typical CHAP session during the PPP authentication process works something like this:
To guard against replay attacks, the challenge string is chosen arbitrarily for each authentication attempt. To protect against remote client impersonation, CHAP sends repeated challenges to the client at random intervals to maintain the session.
CHAP is supported by the Remote Access Service (RAS) on Microsoft Windows NT and the Routing and Remote Access feature of Windows 2000 as a way to allow non-Microsoft clients to dial in and receive authentication for a RAS session, and to allow Microsoft RAS clients to connect to any industry-standard PPP server.