== Challenge Handshake Authentication Protocol (CHAP) ==
Approaches to authentication such as the username and password approach outlined previously perform authentication only once, at the point that the user logs into the system. An alternative to this approach is provided by the Challenge Handshake Authentication Protocol (CHAP), which repeats an authentication procedure at random intervals during an ongoing connection between a client and a service.
The CHAP authentication scheme is used primarily by Point-to-Point Protocol (PPP) servers as a way to validate the identity of remote clients (perhaps most commonly used by internet service providers). At random time intervals, CHAP verifies the identity of the client by using something known as a three-way handshake. This verification is performed using a credential which is known to both the client and the service (typically the user's password).
After the link between the client (the ''peer'') and the server (also known as the ''authenticator'') has been established, the authenticator sends a ''challenge'' message to the peer. The peer subsequently responds to the authenticator with a hashed value calculated using the Message Digest (MD5) hashing algorithm. The authenticator checks the client response against its own calculation of the expected hash value. If the two values match, the authenticator acknowledges the authentication. If the values do not match, the connection is terminated. These steps are repeated at random intervals.
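The handshake described above can be sketched in Python as follows. This is an added example, not code from any PPP implementation: the class names, user name and secret are constructed for illustration, and the response value follows the RFC 1994 definition, MD5 over the one-byte identifier, the shared secret and the challenge.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side (hypothetical class): issues challenges, checks responses."""
    def __init__(self, secrets: dict):
        self.secrets = secrets          # user name -> shared secret
        self.identifier = 0
        self.pending = None             # (identifier, challenge) awaiting a reply

    def new_challenge(self):
        # A fresh random challenge and a changed identifier on every round
        # mean a response captured earlier does not verify later.
        self.identifier = (self.identifier + 1) % 256
        self.pending = (self.identifier, os.urandom(16))
        return self.pending

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        if self.pending is None or identifier != self.pending[0]:
            return False
        ident, challenge = self.pending
        self.pending = None             # each challenge is single-use
        secret = self.secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def run_demo() -> dict:
    """Initial authentication, a replayed response, and a re-authentication."""
    auth = Authenticator({"alice": b"constructed-secret"})   # constructed data
    ident1, chal1 = auth.new_challenge()
    resp1 = chap_response(ident1, b"constructed-secret", chal1)
    results = {"initial": auth.verify("alice", ident1, resp1)}
    ident2, _ = auth.new_challenge()    # later re-challenge on the same link
    results["replayed_old_response"] = auth.verify("alice", ident2, resp1)
    ident3, chal3 = auth.new_challenge()
    bad = chap_response(ident3, b"wrong-secret", chal3)
    results["wrong_secret"] = auth.verify("alice", ident3, bad)
    ident4, chal4 = auth.new_challenge()
    good = chap_response(ident4, b"constructed-secret", chal4)
    results["reauthentication"] = auth.verify("alice", ident4, good)
    return results

if __name__ == "__main__":
    print(run_demo())
```

The shared secret never crosses the link; only the challenge and the 16-byte digest do, and in a real deployment a failed check is where the authenticator terminates the connection.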
It is important to note that Microsoft has also implemented two variants of the Challenge Handshake Authentication Protocol, called MS-CHAP and MS-CHAP-v2.
== Kerberos Authentication ==