What is CHAP (Challenge-Handshake Authentication Protocol)?


When looking for an authentication protocol to improve your network security, there are a number of options to implement. Most people have some familiarity with a VPN, or Virtual Private Network, or more specifically a business VPN.

CHAP, or Challenge-Handshake Authentication Protocol, stands as a robust and widely employed authentication method within computer networking. Developed as a part of the Point-to-Point Protocol (PPP), CHAP enhances network security by establishing a secure and mutual authentication process between a client and a server. Unlike simpler authentication methods that transmit passwords in plaintext, CHAP employs a challenge-response mechanism.

The most common PPP connections this protocol is used for are dial-up internet access and connections to a virtual private network, also known as a VPN. When it comes to security, understanding the difference between authentication vs. authorization, multi-factor authentication, and two-factor authentication is key. Here, though, we’ll talk specifically about CHAP.

What is CHAP (Challenge-Handshake Authentication Protocol)

CHAP, also known as Challenge-Handshake Authentication Protocol, is a challenge and response authentication method used in Point-to-Point Protocol (PPP) servers. The purpose is to verify the identity of a remote user accessing the network. CHAP authentication begins when the user of remote access initiates a PPP link.

How Does It Work?

CHAP is an authentication scheme that was originally utilized by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. CHAP verifies the identity of the client by using a three-way handshake. This occurs during the establishment of the initial link (known as LCP) and can occur again at any point thereafter. The verification is based on a shared secret (such as the client’s password).

  1. Once the link establishment phase is finished, the authenticator sends a “challenge” message to the peer.
  2. The peer generates a response by applying a one-way hash function to the combination of the challenge and the secret.
  3. The authenticator verifies the response by comparing it to its own calculated hash value. If the hash values match, the authenticator will then acknowledge the authentication; if not, it should terminate the connection.
  4. In PPP, the authenticator has the ability to send a new challenge at random intervals to the peer and repeat steps 1 through 3. However, when CHAP is used in most situations like RADIUS, this step is not performed.

Before the handshake begins, both the client and the server must already have each other’s credentials, including their shared secret, stored. After establishing a Point-to-Point Protocol (PPP) link, the client prompts the server by transmitting only its username (not the password) over the connection.

  • The server initiates the communication by sending a CHAP “challenge” packet to the client and requesting a shared secret in response. This marks the first step in the three-way handshake process.
  • The second step involves the client providing the server with a valid, encrypted answer that includes the shared secret. This step is part of the three-way handshake process.
  • After the completion of the task, the server will proceed to authenticate the client if the client’s response aligns with the server’s expectations. This authentication step marks the final stage of the three-way handshake.

Advantages of CHAP

The advantages of Challenge-Handshake Authentication Protocol (CHAP) make it the preferable choice to provide authentication. These advantages include:

Strong Authentication

CHAP offers strong authentication by the use of mutual authentication. Because both the client and the server are authenticating each other, it reduces the risk of unauthorized access.

High Level of Security

CHAP generates dynamic challenges for each authentication session by generating new response packets. This dynamic nature of challenges adds an extra layer of security by preventing attackers from predicting or precomputing authentication data.

Helps Prevent Replay Attacks

CHAP guards against replay attacks, a type of security threat in which the attacker intercepts and retransmits a valid authentication message. By using a unique challenge message for every session, CHAP makes sure that previous responses are no longer effective for attackers to gain unauthorized access.

High Compatibility

CHAP is flexible in supporting different authentication methods, allowing for variations in the way credentials are verified. This adaptability makes it suitable for diverse networking environments and systems.

Good Scalability

Because it’s compatible with so many different types of systems, it can scale based on your needs. It is commonly used in remote access scenarios, such as Virtual Private Network (VPN) connections. Its robust security features make it well-suited for ensuring secure access to network resources from remote locations.

CHAP’s ability to continue authentication attempts over time makes it resilient in scenarios where network stability may be a concern.

Limitations of CHAP

Potential for Man-In-The-Middle-Attacks

CHAP, like many other authentication protocols, is susceptible to man-in-the-middle attacks. If an attacker can intercept and alter the challenge and response during the authentication process, they may be able to gain unauthorized access.

Pre-shared Key Requirements

CHAP requires a pre-shared key or password to authenticate the user. Distributing and managing pre-shared keys across a network, especially a large one, can be challenging. If the network has many users or devices, securely sharing and updating keys becomes a logistical concern. The larger the network, the more complex and error-prone this process becomes.

No Mutual Authentication

In situations where only one-way authentication is selected, authentication is only done towards the initiator. This can create issues where the target isn’t authenticated.

Additional Network Overhead

CHAP requires the exchange of multiple packets between the users and the network for each session. This additional overhead does require more resources for your network.

Unsuitable for High-Security Applications

CHAP isn’t suitable for applications that require advanced authentication and encryption mechanisms, because it provides only basic authentication and encryption features. This makes it unsuitable for high-security applications that operating systems may be running.

Elements of a CHAP Packet

Code Field

A code field indicating the type of CHAP packet. Common values include:

  • 1: Challenge
  • 2: Response
  • 3: Success
  • 4: Failure

Identifier Field

A unique identifier that is used to associate the CHAP packet with a specific authentication process or connection. The ID helps in matching the challenge and response pairs during the authentication handshake.

Length Field

The length of the CHAP packet, including the header and payload. This field helps the recipient determine the size of the packet.

Data Field

The data field refers to the section that contains the actual payload of the packet, whether it’s a challenge or a response. The content of the data field varies depending on the type of CHAP packet.

Types of CHAP packets

Challenge Packet

In a Challenge packet, the data field contains the challenge generated by the server. This challenge is a random value that the client must use, along with its secret (usually a password), to create a response. The challenge is sent from the authenticator (server) to the peer (client) to initiate the authentication process.

Response Packet

In a Response packet, the data field contains the response generated by the client in response to the challenge. The client combines the challenge received in the Challenge packet with its secret and sends the result as a response to prove its identity.

Success Packet

The Success packet typically includes relevant information confirming the success of the authentication. It signifies that the client has provided a valid response to the challenge, demonstrating that it possesses the correct secret.

Failure Packet

The Failure packet may include additional information or error codes specifying the reason for the failure. This information can help in diagnosing authentication issues.
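A parser for the packet layout described in the two sections above, as an added example that is not code from the original page. The split of the Data field into Value-Size, Value and Name (Challenge and Response) or Message (Success and Failure) follows RFC 1994 and is an assumption beyond what the page spells out; function names and the sample packet are constructed.

```python
import struct

CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def build_chap(code: int, identifier: int, data: bytes) -> bytes:
    # Header: Code (1 byte), Identifier (1 byte), Length (2 bytes, network order).
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_chap(buf: bytes) -> dict:
    if len(buf) < 4:
        raise ValueError("shorter than the 4-byte CHAP header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in CODES:
        raise ValueError(f"unknown Code {code}")
    # Length covers header plus Data; it must fit inside what was received.
    if length < 4 or length > len(buf):
        raise ValueError("Length field inconsistent with bytes received")
    data = buf[4:length]            # bytes past Length are padding and ignored
    pkt = {"code": CODES[code], "identifier": ident, "length": length}
    if code in (1, 2):
        # Challenge / Response: Value-Size, Value, then the sender's Name.
        if not data:
            raise ValueError("missing Value-Size")
        vsize = data[0]
        if vsize == 0 or 1 + vsize > len(data):
            raise ValueError("Value-Size overruns the Data field")
        pkt["value"] = data[1:1 + vsize]
        pkt["name"] = data[1 + vsize:].decode("ascii", "replace")
    else:
        # Success / Failure: free-form message text.
        pkt["message"] = data.decode("ascii", "replace")
    return pkt


def sample_challenge() -> bytes:
    # Constructed sample: Identifier 7, 16-byte value, authenticator name "nas01".
    return build_chap(1, 7, bytes([16]) + bytes(range(16)) + b"nas01")


if __name__ == "__main__":
    print(parse_chap(sample_challenge()))
```

Checking Length and Value-Size against the bytes actually received keeps a malformed packet from being read past its end.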


In general, CHAP (Challenge-Handshake Authentication Protocol) is a more secure procedure for connecting to a system than PAP (Password Authentication Protocol).

The PAP and CHAP authentication schemes were initially designed for authenticating remote users connecting to networks or systems using PPP. CHAP’s three-way handshake protocol offers enhanced security against password guessing and eavesdropping attacks compared to PAP’s two-way handshake.

When authenticating with PAP, the remote user is required to provide their username and password. The authenticating system then determines whether to grant or deny access based on the provided credentials.

CHAP enhances authentication through the utilization of a more advanced protocol. It employs a three-way handshake protocol within the PPP connection between the host and the remote resource.

PAP defines a two-way handshake for a remote user to initiate remote access:

  1. The remote system sends a username and password repeatedly until a response is received from the network access server.
  2. The network access server sends an authentication acknowledgment if the credentials are authenticated. If the credentials are not authenticated, the network access server sends a negative acknowledgment.

While PAP can be used as a basic protocol for a remote user to start a network connection, CHAP offers a more secure authentication protocol.

Authentication Initiation

The authenticating system, typically a network access server or switch, sends a CHAP Challenge packet to initiate the authentication process. Once a PPP session is established, the accessed system or network may require the remote user to authenticate. The Challenge contains the host name of the authenticator.

Validation System (Three-Way vs Two-Way Handshake)

CHAP uses a 3-way handshaking protocol, different from TCP. The authenticator sends a challenge packet, and the peer responds with a value using its one-way hash function. The authenticator then compares the received value with its own calculated hash value. If they match, authentication is confirmed. If not, the connection is terminated.

Authentications per Session

CHAP verifies the identity of the client by using a three-way handshake, which occurs during the establishment of the initial link (known as LCP) and can occur again at any point. The verification is based on a shared secret, such as the client’s password.

Relationship With Shared Secrets

In CHAP, authenticating systems use a shared secret, which is the password, to generate a cryptographic hash using the MD5 message digest algorithm.

Let Perimeter81 Be Your CHAP Solution

The Challenge-Handshake Authentication Protocol (CHAP) stands as a proven defense of network security, providing an effective means of authentication in diverse environments. With its emphasis on mutual authentication, protection against replay attacks, and the dynamic challenge-response mechanism, CHAP has proven its worth in safeguarding sensitive information during communication between clients and servers.

As technology continues to evolve, so do the challenges in the realm of cybersecurity. While CHAP offers a solid foundation for authentication, it is crucial for organizations and individuals to explore and adopt additional layers of security. Consideration should be given to modern authentication methods that leverage advancements like multi-factor authentication, and continuous monitoring to fortify network defenses.

In this era of heightened digital connectivity, the strength of our defenses is only as strong as our commitment to staying ahead of any single attack. Perimeter81 can help ensure that your security strategies match the pace of technological advancements. Together, let us build networks that not only stand the test of time but also inspire confidence in the secure exchange of information.


What are the advantages of challenge handshake authentication protocol?
Its mutual authentication ensures both the client and server validate each other, fostering heightened security. CHAP’s dynamic challenge-response mechanism safeguards against replay attacks, fortifying the authentication process.
CHAP remains resilient in scenarios with intermittent connections, making it suitable for remote access, especially in Virtual Private Network (VPN) setups. This makes it a reliable choice for secure authentication in modern networking.
What is an example of a CHAP?
CHAP serves as the authentication protocol ensuring a secure login process. When the user initiates a connection, the VPN server challenges the user with a random value, the challenge. The user, possessing a secret password, responds to the challenge by encrypting it with the password, creating a unique response.

The server, aware of the user’s identity and having access to the same secret, validates the response. If the response matches the expected value, the server sends a Success packet, granting the user access to the network.
What is the difference between CHAP and PAP?
The main distinction between CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol) lies in their approaches to authentication.

While both are used in Point-to-Point Protocol (PPP) connections, PAP relies on a simpler method where the client transmits its username and password to the server in plaintext, posing a security risk as sensitive information is exposed during the authentication process.

CHAP enhances security by using a challenge-response mechanism, where the server sends a dynamic challenge to the client, which is then encrypted with the password and sent back for verification.
Which challenge handshake authentication protocol periodically verifies the identity of a client using a challenge?
The Challenge-Handshake Authentication Protocol (CHAP) periodically verifies the identity of a client by using a challenge. In CHAP, the server challenges the client with a random value, and the client responds by encrypting the challenge with its password.

This process occurs at regular intervals during an established connection, providing a mechanism for the server to verify that the client’s identity is still valid. The use of dynamic challenges in CHAP enhances security by preventing replay attacks and ensuring that the client’s identity is reauthenticated periodically, reducing the risk of unauthorized access.