CHAP is used to periodically verify the
identity of the remote node, using a three-way handshake, as shown in
the Figure. This is done upon
initial link establishment and can be repeated any time after the link
has been established. CHAP offers features such as periodic
verification to improve security, which makes it more effective than
PAP. PAP verifies only once, which leaves it vulnerable to attacks such
as modem playback (replay). Further, PAP allows the caller to attempt
authentication at will (without first receiving a challenge), which
makes it vulnerable to brute-force attacks, whereas CHAP does not
allow a caller to attempt authentication without a challenge.
After the PPP link establishment phase
is complete, the host sends a challenge message to the remote node.
The remote node responds with a value. The host checks the response
against its own value. If the values match, the authentication is
acknowledged. Otherwise, the connection is terminated.
CHAP provides protection against
playback attacks through the use of a variable challenge value that is
unique and unpredictable. The use of repeated challenges is intended
to limit the time of exposure to any single attack. The local router
(or a third-party authentication server, such as Netscape Commerce
Server) is in control of the frequency and timing of the challenges.
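The three-way exchange and the replay protection described above, as an added example that is not part of the original text: the response is MD5 over identifier, shared secret and challenge, as CHAP specifies in RFC 1994; the shared secret and the peer and host roles are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"example-shared-secret"  # constructed value for this example

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Host / local router side: controls challenges and checks responses."""
    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # (identifier, challenge) awaiting a response

    def challenge(self):
        # Variable, unpredictable challenge: fresh random bytes every time.
        self.identifier = (self.identifier + 1) % 256
        chal = secrets.token_bytes(16)
        self.outstanding = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier, response):
        # No outstanding challenge means no response is accepted, so a caller
        # cannot attempt authentication at will (the PAP weakness above).
        if self.outstanding is None or self.outstanding[0] != identifier:
            return False
        expected = chap_response(identifier, self.secret, self.outstanding[1])
        self.outstanding = None  # each challenge is good for one response only
        return hmac.compare_digest(expected, response)

def peer_respond(identifier, challenge, secret):
    """Remote node side: compute the response to the host's challenge."""
    return chap_response(identifier, secret, challenge)

def run_handshake(auth, peer_secret):
    """Challenge -> response -> verify; True only if the secrets match."""
    ident, chal = auth.challenge()
    return auth.verify(ident, peer_respond(ident, chal, peer_secret))

def replay_is_rejected(auth, peer_secret):
    """Capture a valid response, then replay it against a new challenge."""
    ident, chal = auth.challenge()
    captured = peer_respond(ident, chal, peer_secret)
    first_ok = auth.verify(ident, captured)
    ident2, _ = auth.challenge()  # new challenge value, so old response is stale
    return first_ok and not auth.verify(ident2, captured)
```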