TOPIC
What is Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP), and where can I find more information about them?
DISCUSSION

For complete information on Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP), please refer to sections 2.0 and 3.0 of RFC 1334, PPP Authentication Protocols. The complete RFC 1334 document can be downloaded from the following URL with your web browser or ftp utility: <ftp://ds.internic.net/rfc/>. Below is a brief description of both from RFC 1334.

Password Authentication Protocol

The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a 2-way handshake. This is done only upon initial link establishment. After the Link Establishment phase is complete, an Id/Password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated.

PAP is not a strong authentication method. Passwords are sent over the circuit "in the clear", and there is no protection from playback or repeated trial and error attacks. The peer is in control of the frequency and timing of the attempts. Any implementations which include a stronger authentication method (such as CHAP, described below) MUST offer to negotiate that method prior to PAP.

This authentication method is most appropriately used where a plaintext password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.

Challenge-Handshake Authentication Protocol

The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established. After the Link Establishment phase is complete, the authenticator sends a "challenge" message to the peer. The peer responds with a value calculated using a "one-way hash" function.
The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated.

CHAP provides protection against playback attack through the use of an incrementally changing identifier and a variable challenge value. The use of repeated challenges is intended to limit the time of exposure to any single attack. The authenticator is in control of the frequency and timing of the challenges.

This authentication method depends upon a "secret" known only to the authenticator and that peer. The secret is not sent over the link. This method is most likely used where the same secret is easily accessed from both ends of the link.
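The two handshakes described above, as an added example that is not part of the original article and not Apple's or the RFC's code. It models both ends of the link in one process: a PAP Authenticate-Request carrying the Id/Password in the clear, and a CHAP exchange where only an Identifier, a Challenge and a hashed Response cross the link. The hash construction MD5(Identifier || secret || Challenge) is the MD5 algorithm RFC 1334 section 3 defines; the page itself only says "one-way hash". The peer name, shared secret and packet layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for this demonstration (not from the page).
SECRETS = {b"peer1": b"correct horse battery staple"}


# --- PAP: two-way handshake, Id/Password sent in the clear ---------------------

def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """The peer's Authenticate-Request. Both fields travel in plaintext, so this
    byte string is exactly what a passive listener on the circuit would see."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def pap_authenticator_check(packet: bytes, secrets: dict) -> bool:
    """Authenticator side: parse the request and compare the password directly."""
    id_len = packet[0]
    peer_id = packet[1:1 + id_len]
    pw_len = packet[1 + id_len]
    password = packet[2 + id_len:2 + id_len + pw_len]
    stored = secrets.get(peer_id)
    return stored is not None and hmac.compare_digest(stored, password)


# --- CHAP: three-way handshake, the secret never leaves either end --------------

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response for the MD5 algorithm of RFC 1334 section 3:
    MD5(Identifier || secret || Challenge). Only this digest crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator end of CHAP. It decides when to challenge, keeps an
    incrementing Identifier plus a fresh random Challenge, and accepts each
    Challenge only once, which is what defeats playback of a captured Response."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = {}  # Identifier -> Challenge still awaiting a Response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256  # incrementally changing identifier
        chal = os.urandom(16)                          # variable challenge value
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)  # consume: one use per Challenge
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)  # own calculation
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    """Run both protocols plus the playback and wrong-secret cases; return outcomes."""
    results = {}

    # PAP: the password itself is on the wire.
    pkt = pap_authenticate_request(b"peer1", SECRETS[b"peer1"])
    results["pap_accepted"] = pap_authenticator_check(pkt, SECRETS)
    results["pap_password_on_wire"] = SECRETS[b"peer1"] in pkt

    # CHAP: legitimate exchange. The peer computes the Response locally.
    auth = ChapAuthenticator(SECRETS)
    ident, chal = auth.challenge()
    resp = chap_response(ident, SECRETS[b"peer1"], chal)
    results["chap_accepted"] = auth.verify(ident, b"peer1", resp)
    on_wire = bytes([ident]) + chal + resp
    results["chap_secret_on_wire"] = SECRETS[b"peer1"] in on_wire

    # Playback: the same captured (Identifier, Response) presented a second time.
    results["replay_rejected"] = not auth.verify(ident, b"peer1", resp)

    # Wrong secret against a fresh Challenge: the hashes do not match.
    ident2, chal2 = auth.challenge()
    bad = chap_response(ident2, b"wrong secret", chal2)
    results["wrong_secret_rejected"] = not auth.verify(ident2, b"peer1", bad)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the contrast the RFC text draws: the PAP packet literally contains the password, while the CHAP traffic contains only the Identifier, the random Challenge and a 16-byte digest, and a replayed Response is refused because its Challenge has already been consumed. Note the caveat the last paragraph above implies: because the hash is computed over the raw secret, both ends must hold the secret in a form usable by the hash (plaintext or equivalent), so protecting the secret store on the authenticator matters as much as keeping it off the link.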
Document Information

Product Area: Communications-Networking
Category: Protocol and File Format Information
Sub Category: General Topics
Copyright © 2000 Apple Computer, Inc. All rights reserved.