Identity Fundamentals
Identity and Access Management
Agentic AI
Key IAM Considerations to Support Agentic AI
AI Agent Classes and Use Cases
IAM Best Practices for AI Agents
Runtime Identity
B2B Identity and Access Management
Identity Providers and Service Providers
Centralized Identity Management
What is Centralized Identity Management?
How Does Centralized Identity Management Work?
Centralized Identity Standards
SAML
OAuth
OpenID Connect (OIDC)
Decentralized Identity Management
What is Decentralized Identity Management?
How Does Decentralized Identity Management Work?
How is Decentralized Identity Different?
Decentralized Identity Standards
Common Terms
Zero Trust Security
Orchestration
Authentication
Authorization
Authorization Methods
User and Account Provisioning
Single Sign-on with a Directory
Dynamic Authorization
Protocols
LDAP
SCIM
WebAuthn
Kerberos
WS-Trust
Verification
Expand All | Collapse All

What Is CHAP Authentication?

Challenge Handshake Authentication Protocol (CHAP) is a challenge-response identity authentication protocol. It depends on a combination of CHAP security credentials and a “shared secret” between the requestor (client) and the authenticator (server), and it does not expose a password. It requires both entities to prove their identity through a cryptographic exchange or a “three-way handshake”. When that is successful, authentication is complete. 

 

Ongoing authentication requests from the server to the client continue on a regular basis after the initial handshake, which means the identifiers must change with every new authentication. This is one of the reasons why CHAP is more secure than Password Authentication Protocol (PAP).

 

How It Works

Before the handshake process can begin, the client and the server must have each other’s credentials, including their shared secret, on file. Once a Point-to-Point Protocol (PPP) link is established, the client nudges the server by sending only their username (not the password) across the connection. 

 

  • At this point, the server responds to the client’s username with a CHAP challenge packet and asks the client for a shared secret. This is part one of the three-way handshake.

  • The client provides the server with a valid, encrypted answer that contains the shared secret. This is the second part of the three-way handshake.

  • If the client’s answer matches what the server expected, the server authenticates the client. This is the third and final part of the three-way handshake.  

A graphic depicts the handshake agreement between a client and a server 1 Client asks for a challenge 2 Server asks client for shared secret and credentials 3 Client answers with encrypted credentials and shared secret 4 Server authenticates client 5 Ongoing authentication occursWhat is CHAP

Below is a more detailed look at what happens at each step. 

 

Both Entities Create and Share CHAP Credentials 

As mentioned above, before a PPP link is established, the two entities must have each other’s CHAP credentials in their files. A CHAP credential consists of a CHAP username and a CHAP “secret.” A traditional password is not used or transmitted in CHAP. 

 

A Link Is Established 

With CHAP credentials in place, the initial PPP link can be activated. At this point, the client enters their username and password in the application or website. The username (not the password) is sent to the server to ask the server for a challenge packet. 

 

CHAP Authentication Begins 

SERVER: When the CHAP server receives the username from the client, it sends back a CHAP challenge packet that contains a random number and unique ID. 

 

CLIENT: When the client receives the challenge, they must send back a calculation that contains the server’s random number and unique ID along with their own CHAP security credentials, which include the shared secret.

 

SERVER: If the client’s calculation matches the server’s calculation, the client is authenticated. 

 

ONGOING AUTHENTICATION: After the initial authentication, while the client is still engaged in an online session, they’ll occasionally be re-authenticated by the server to make sure the connection remains safe and secure. Since these repeated challenges require a unique response from the client, it reduces the time of exposure to any single attack and lessens the threat of replay attacks. 

 

PAP vs. CHAP

PAP is more susceptible to cyberattacks than CHAP because it doesn’t have the built-in safeguards that CHAP has. Specifically, CHAP doesn’t transmit passwords, has an ongoing authentication mechanism, and uses an encrypted calculation to help each entity verify the identity of the other. 

 

Why CHAP Is One of the More Secure Forms of Authentication Available

One of the reasons CHAP is so secure is that it uses a challenge-response mechanism that requires the client and server to share a secret calculation before the user can be authenticated. No password is ever transferred, which reduces the likelihood of password breaches. In addition, ongoing authentication offers an extra layer of security because the client has to provide a new calculation for the server each time.

 

Start Today

Contact Sales

sales@pingidentity.com

See how Ping can help you deliver secure employee, partner, and customer experiences in a rapidly evolving digital world.