What is CHAP and How Does it Work?

“One of the few authentication protocols that do not send a shared secret between the user or the access-requesting party and the authenticator is the Challenge-Handshake Authentication (CHAP). It is a Point-to-Point Protocol (PPP) developed by the Internet Engineering Task Force, IETF. Notably, it comes in handy during initial link startup and periodic checkups of communication between the router and the host.

Therefore, CHAP is an identity verification protocol that works without sending a shared secret or mutual secret between the user (access-requesting party) and the authenticator (identity-verifying party).

While it is still based on a shared secret, the authenticator sends a challenge message to the user requesting access and not a shared secret. The access-requesting party will respond with a value usually calculated using the one-way hash value. The identity-verifying party will check the response based on its calculation.

Authentication will only be successful if the values match. However, the authentication process will fail if the access requesting party sends a value different from that of the authenticator. And even after successful connection authentication, the authenticator may send a challenge to the user from time to time to maintain security by limiting the time of exposure for possible attacks.”

How CHAP Works

CHAP works in the following steps:

1. A client establishes a PPP link to a NAS (Network Access Server) requesting authentication.

2. The sender sends a challenge to the access-requesting party.

3. The access-requesting party responds to the challenge using the MD5 one-way hash algorithm. In the response, the client will send a username, alongside encryption of the challenge, the client password, and the session ID.

4. The server (authenticator) will check the response by comparing it with the expected hash value based on its challenge.

5. The server initiates a connection if the values match. However, it will terminate the connection if the values do not match. Even upon connection, the server can still request the client to send a response to new challenge messages since CHAP identifies change frequently.

Top 5 Characteristics of CHAP

CHAP has an array of features that make it different from other protocols. The features include:

    • Unlike TCP, CHAP uses a 3-way handshaking protocol. The authenticator sends a challenge to the client, and the client responds using a one-way hash function. The authenticator matches the response based on its calculated value and finally grants or denies access.
    • The client uses an MD5 one-way hash function.
    • The server checks the connection from time to time and sends challenges to the user to guarantee security and minimize attacks during sessions.
    • CHAP often asks for a plaintext of the mutual secret.
    • The variables change continuously, giving networks more security than PAP.

The 4 Different CHAP Packets

CHAP authentication uses the following packets:

    • Challenge Packet- This is the packet that the authenticator sends to the client or the access-requesting party once the client creates a PPP link. This packet begins at the beginning of the 3-way handshaking protocol. It contains an identifier value, a field for the random value, and a field for the authenticator’s name.
    • Response Packet- This is the response the access-requesting party sends back to the authenticator. It has a Value field containing the one-way hash value generated, a name field, and an identifier value. The client machine will automatically set the name field of the packet to the password.
    • Success Packet- The server will send a success packet if the user’s hash response matches the values calculated by the server. Once a server sends a success packet, the system will establish a connection.
    • Failure Packet– The server sends a failure packet should the generated value differ. This also implies that there will be no connection.

Configuring CHAP on Authenticating and User Machines

The following steps are necessary when configuring CHAP:

a. Initiate the commands below on both the server/authenticating and user machines. Usually, these will always be peer machines.

b. Change the hostnames of both machines using the below command. Type in the command in each of the peer machines.

c. Finally, provide a username and password for each machine using the below command.


Notably, the developers of CHAP developed CHAP designed this protocol to protect systems against playback attacks by ensuring that the access-requesting party uses an incrementally changing variable and identifier. Besides, the authenticator controls the timing and frequency of sending challenges to a user or an access-requesting party.

About the author

Kennedy Brian

Brian is a computer scientist with a bias for software development, programming, and technical content development. He has been in the profession since 2015. He reads novels, jogs, or plays table tennis whenever not on gadgets. He is an expert in Python, SQL, Java, and data and network security.