Challenge Handshake Authentication Protocol (CHAP)

Security+ 🏆 • Protocols 🔗 • Authentication & Authorization 🔐 • Difficulty: premium

Definition

CHAP is a PPP authentication method that proves a client knows a shared secret without ever sending the password over the link. The server issues a random challenge, the client returns a one-way hash computed over the challenge and the secret, and the server recomputes the hash with its own copy of the secret and compares the two; the challenge is often repeated periodically during the session to deter replay.

Examples

  • A DSL modem establishes PPPoE to an ISP: the BRAS sends a random challenge, the modem returns an MD5-based response using its stored secret, and the session is accepted.
  • A router dials a backup PPP link and authenticates with the provider via CHAP, with credentials checked by the ISP’s RADIUS server.

Discover 🔎

CHAP was designed for early point-to-point links (PPP over serial, ISDN, PPPoE) to avoid sending passwords in the clear. Instead of revealing the secret, the client proves knowledge of it by answering a random challenge. Because the challenge changes every time and can repeat during the session, simple replay attacks are harder. CHAP authenticates the user or device; it does not encrypt the data channel—separate protections are needed for confidentiality.
