Challenge Handshake Authentication Protocol, or CHAP, is one of two authentication protocols supported by PPP. Similar to PAP, CHAP works with Link Control Protocol to authenticate a connection after the link establishment phase. Unlike its counterpart, however, CHAP constantly rechecks the validity of the connecting host to protect against unauthorized access.
CHAP packets use a challenge system, meaning that authenticators transmit a challenge packet continuously until the connecting system responds with a packet containing a response. If this message contains a correct value, calculated using a hash function, the authenticator sends back a success packet. If not, the connection fails.
A CHAP packet header consists of 40 bits, composed of the following fields:
Code: The code field determines the function of the CHAP packet. Possible values are as follows:
1 - Challenge
2 - Response
3 - Success
4 - Failure
Identifier: The identifier field contains the actual information that determines whether or not a host will authorize the connection and allow it to take place.
Length: The length field is the total size of the packet, including the data field that follows the CHAP header.
The CHAP specification is fully defined in RFC 1994.
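The challenge, response and success/failure exchange described above, as an added example that is not part of the original page. It follows the RFC 1994 layout for Challenge and Response packets (Code, Identifier, Length, then a Value-Size byte, the Value and a Name) and the RFC's MD5 calculation of the response value over the Identifier, the shared secret and the challenge. The function names, the secret and the peer names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # Code field values

def build_packet(code, identifier, value, name=b""):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    length = 5 + len(value) + len(name)  # Length covers the whole packet
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name

def parse_packet(packet):
    """Return (code, identifier, value, name); reject inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, identifier, length, value_size = struct.unpack("!BBHB", packet[:5])
    if length > len(packet) or 5 + value_size > length:
        raise ValueError("length fields disagree with packet size")
    return code, identifier, packet[5:5 + value_size], packet[5 + value_size:length]

def chap_md5(identifier, secret, challenge):
    """RFC 1994 MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def authenticate(challenge_pkt, response_pkt, secret):
    """Authenticator side: return the Code to send back (SUCCESS or FAILURE)."""
    _, chal_id, challenge, _ = parse_packet(challenge_pkt)
    try:
        code, resp_id, value, _ = parse_packet(response_pkt)
    except ValueError:
        return FAILURE  # a malformed response never authenticates
    expected = chap_md5(chal_id, secret, challenge)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    ok = code == RESPONSE and resp_id == chal_id and hmac.compare_digest(value, expected)
    return SUCCESS if ok else FAILURE

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    chal = build_packet(CHALLENGE, 7, os.urandom(16), b"authenticator")
    _, ident, challenge, _ = parse_packet(chal)  # peer reads the challenge
    good = build_packet(RESPONSE, ident, chap_md5(ident, secret, challenge), b"peer")
    bad = build_packet(RESPONSE, ident, chap_md5(ident, b"wrong", challenge), b"peer")
    return authenticate(chal, good, secret), authenticate(chal, bad, secret)

if __name__ == "__main__":
    print(demo())
```

Because each challenge value is freshly random and the Identifier is mixed into the hash, a response captured from one exchange does not verify against a later challenge.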