One of the methods that can be used to protect information when using remote access to a resource is the Challenge Handshake Authentication Protocol (CHAP). CHAP is a remote access authentication protocol used in conjunction with Point-to-Point Protocol (PPP) to provide security and authentication to users of remote resources. PPP replaced the older Serial Line Internet Protocol (SLIP). PPP not only allows for more security than SLIP, but also does not require static addressing to be defined for communication. PPP allows users to use dynamic addressing and multiple protocols during communication with a remote host. CHAP is described in RFC 1994, available at www.cis.ohio-state.edu/cgi-bin/rfc/rfc1994.html. The RFC describes a process of authentication that works in the following manner:
CHAP is used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment, and may be repeated anytime after the link has been established.

1. After the link establishment phase is complete, the authenticator sends a “challenge” message to the peer.
2. The peer responds with a value calculated using a “one-way hash” function.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection should be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps one through three.
CHAP operates in conjunction with PPP to protect the credentials presented for authentication and to verify that the connection is to a valid resource. It does not operate with encrypted password databases, and therefore is not as strong a protection as other levels of authentication. The shared secret may be stored on both ends as a cleartext item, making it vulnerable to compromise or detection. CHAP may also be configured to store a password using one-way reversible encryption, which uses the one-way hash noted earlier. This protects the password because the hash sent by the client wishing to authenticate must match the value the server computes from the password it has stored. CHAP is better than Password Authentication Protocol (PAP), however, since PAP sends passwords across the network in cleartext.
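The handshake in steps one through four, together with the storage constraint just noted (the authenticator must hold the shared secret in a readable form so that it can recompute the hash), as an added Python example. This is illustrative code written for this page, not code from the original post or from any PPP implementation. It follows RFC 1994, where the response value is MD5 over the one-octet Identifier, the secret and the Challenge Value; the peer name, the shared secret and the 16-octet challenge length are constructed for the example.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value).
    The Identifier is a single octet that ties a response to one challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier must be a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side of the handshake. It keeps the shared secret in a form it can
    read back (here, cleartext) because it must recompute the same hash the peer
    sends; storing only a one-way hash of the secret would not allow that."""

    def __init__(self, secret_db):
        self._secrets = secret_db            # peer name -> shared secret (cleartext)
        self._next_id = 0
        self._outstanding = {}               # identifier -> challenge value

    def challenge(self):
        """Step 1: issue a fresh random challenge under a new identifier."""
        self._next_id = (self._next_id + 1) & 0xFF
        value = secrets.token_bytes(16)      # constructed length; RFC allows 1-255 octets
        self._outstanding[self._next_id] = value
        return self._next_id, value

    def verify(self, identifier, name, response):
        """Step 3: recompute the expected hash and compare in constant time.
        Each challenge is consumed on first use, so a replayed response fails."""
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: the secret itself never crosses the link, only the hash."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        """Step 2: answer the challenge with the one-way hash value."""
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(authenticator, peer, rounds=3):
    """Steps 1-3, repeated as in step 4. Returns one result per round and stops
    at the first failure, since the RFC says the connection should then be terminated."""
    results = []
    for _ in range(rounds):
        identifier, challenge = authenticator.challenge()
        name, response = peer.respond(identifier, challenge)
        ok = authenticator.verify(identifier, name, response)
        results.append(ok)
        if not ok:
            break
    return results


# Constructed sample values for the example (not from the original page).
SHARED_SECRET = b"example-shared-secret"
AUTH_DB = {"remote-user": SHARED_SECRET}


def demo():
    """A peer with the right secret passes every round; a wrong secret fails on round one."""
    good = run_handshake(Authenticator(AUTH_DB), Peer("remote-user", SHARED_SECRET))
    bad = run_handshake(Authenticator(AUTH_DB), Peer("remote-user", b"wrong-secret"))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the comparison uses `hmac.compare_digest` rather than `==` so that timing does not leak how many leading bytes of the hash matched, and each challenge is removed from the outstanding table when it is checked, which is what makes a captured response useless against a later challenge.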
Published on Fri 02 January 2009 by Anthony Norton in Security with tag(s): chap