4.3 PPP Authentication
4.3.2 CHAP
CHAP is used to periodically verify the identity of the remote node, using a three-way handshake, as shown in the Figure. This is done upon initial link establishment and can be repeated at any time after the link has been established. CHAP offers features such as periodic verification to improve security, which makes CHAP more effective than PAP. PAP verifies only once, which leaves it vulnerable to password capture and playback (replay) attacks. Further, PAP allows the caller to attempt authentication at will (without first receiving a challenge), which makes it vulnerable to brute-force attacks, whereas CHAP does not allow a caller to attempt authentication without a challenge.

After the PPP link establishment phase is complete, the host sends a challenge message to the remote node. The remote node responds with a value derived from the challenge and the shared secret. The host checks the response against the value it computes for the same challenge. If the values match, the authentication is acknowledged. Otherwise, the connection is terminated.

CHAP provides protection against playback attacks through the use of a variable challenge value that is unique and unpredictable. The use of repeated challenges is intended to limit the time of exposure to any single attack. The local router (or a third-party authentication server, such as Netscape Commerce Server) is in control of the frequency and timing of the challenges.
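The handshake above and the playback protection it gives are illustrated by the following added example; it is not code from the original text. It assumes the MD5 construction of RFC 1994 (Response = MD5(Identifier || Secret || Challenge)), which the text does not name, and uses a constructed shared secret; the authenticator rejects unsolicited responses and a response replayed against a fresh challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Host / local router side: issues challenges and verifies responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)  # unique and unpredictable, fresh every time
        self._outstanding[identifier] = chal
        return chal

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)
        if chal is None:
            return False  # no challenge outstanding: unsolicited response refused
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Peer:
    """Remote node side: answers a challenge with the shared secret."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer, identifier: int) -> bool:
    """Challenge -> Response -> Success/Failure; returns True on Success."""
    chal = auth.challenge(identifier)
    return auth.verify(identifier, peer.respond(identifier, chal))


def replay_is_rejected(auth: Authenticator, peer: Peer) -> bool:
    """Capture one valid response, then replay it against the next challenge."""
    captured = peer.respond(1, auth.challenge(1))
    first_ok = auth.verify(1, captured)
    auth.challenge(2)  # periodic re-challenge: new identifier, new random value
    return first_ok and not auth.verify(2, captured)
```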