MS-CHAP Microsoft Challenge Handshake Authentication Protocol

MS-CHAP v2 or Microsoft Challenge Handshake Authentication Protocol Version 2

MS-CHAP v2 (RFC 2759) is the later revision and the one still in use; it superseded MS-CHAP v1. It strengthened the exchange in two ways: both peers now prove that they know the password, so the client authenticates the server as well as the other way round, and the keys for MPPE encryption are derived from the password hash together with the exchanged challenges, so they differ from session to session. The exchange runs as follows. The NAS sends a Challenge packet carrying an Identifier and a 16-byte authenticator challenge. The client generates its own 16-byte peer challenge, hashes it with the server's challenge and the user name, and encrypts the result under DES keys derived from the MD4 (NT) hash of the password. It returns the Identifier, the peer challenge, this 24-byte NT-Response and the user name; the password itself never leaves the client. The NAS, which holds the same password hash, recomputes the NT-Response and compares it, then answers with a Success packet or a Failure packet. The Failure packet carries an error code giving the reason (an expired password, for instance), while the Success packet carries an authenticator response: a SHA-1 digest over the password hash, the client's NT-Response and the challenges, which only a server that knows the password hash can produce.

The client recomputes the authenticator response from its own copy of the password and compares it with the value in the Success packet. If the two differ, the server has not proved it knows the password, and the client terminates the connection. Client and server therefore authenticate each other mutually. Two MPPE session keys are then derived from the exchange, one for sending and one for receiving, so each direction of traffic is encrypted under its own key. Mutual authentication does not make a captured exchange safe, however: the NT-Response is three single-DES encryptions of the same 8-byte value under keys cut from the 16-byte NT hash, and the third key contains only two unknown bytes, so the NT hash can be recovered from one captured exchange with a single 2^56 DES search. MS-CHAP v2 should only be run inside a TLS tunnel such as PEAP or EAP-TTLS that hides the exchange from eavesdroppers.

MS-CHAP or Microsoft Challenge-Handshake Authentication Protocol

MS-CHAP (version 1, RFC 2433) is Microsoft's variant of CHAP and follows the same challenge/response pattern. The NAS sends a Challenge packet with an Identifier and an 8-byte challenge. Instead of CHAP's MD5 digest, the client answers with the challenge encrypted under DES keys derived from a hash of the password: the LAN Manager hash, and from later versions the NT hash, which is MD4 over the password in Unicode. Because the response is computed from the hash rather than from the password, the NAS can store password hashes instead of clear-text passwords, which is the main difference from standard CHAP. MS-CHAP also added Microsoft-specific pieces that CHAP lacks: the Failure packet carries a numeric error code (for example the one for an expired password), Change-Password packets let a user whose password has expired set a new one during the authentication exchange, and the password hash is used to derive the key for MPPE (Microsoft Point-to-Point Encryption) so the link can be encrypted after authentication.
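The MS-CHAP v2 exchange described two sections up, together with the NT-hash challenge response that MS-CHAP v1 uses, as an added Go example; it is not code from the original page or from any Microsoft implementation. The constructed input is the user name, password and challenges from the test vectors in RFC 2759 section 9.2; the MD4 routine is written inline because Go's standard library does not ship one, single DES comes from crypto/des, and passwords are assumed to be ASCII. The MPPE key derivation, the Change-Password packets, the Identifier byte and the packet framing are left out, since they do not affect the cryptography shown here.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Constructed input: the challenges from the RFC 2759 section 9.2 test vectors, not captured traffic.
var authChallenge, _ = hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
var peerChallenge, _ = hex.DecodeString("21402324255E262A28295F2B3A337C7E")

// md4 is a minimal MD4 (RFC 1320); the NT hash needs it and Go's standard library has none.
func md4(data []byte) []byte {
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	msg := append(append([]byte{}, data...), 0x80)                 // 0x80, zeros to 56 mod 64,
	msg = append(msg, make([]byte, (55-len(data)%64+64)%64+8)...) // then the 64-bit bit length
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	idx := [3][16]int{{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
		{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}}
	sh := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	k := [3]uint32{0, 0x5a827999, 0x6ed9eba1}
	f := [3]func(x, y, z uint32) uint32{func(x, y, z uint32) uint32 { return (x & y) | (^x & z) },
		func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }, func(x, y, z uint32) uint32 { return x ^ y ^ z }}
	for off := 0; off < len(msg); off += 64 {
		a, b, c, d := h[0], h[1], h[2], h[3]
		for r := 0; r < 3; r++ {
			for i := 0; i < 16; i++ { // one word is updated per step, then the four rotate
				x := binary.LittleEndian.Uint32(msg[off+4*idx[r][i]:])
				a = bits.RotateLeft32(a+f[r](b, c, d)+x+k[r], sh[r][i%4])
				a, b, c, d = d, a, b, c
			}
		}
		h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
	}
	out := make([]byte, 16)
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}
// ntPasswordHash is MD4 over the password in UTF-16LE (ASCII passwords assumed here).
func ntPasswordHash(password string) []byte {
	u := make([]byte, 2*len(password)) // zero-filled, so the high byte of each code unit is already 0
	for i := 0; i < len(password); i++ {
		u[2*i] = password[i]
	}
	return md4(u)
}
// challengeHash binds both challenges to the user name: SHA1(Peer || Auth || Name)[0:8].
func challengeHash(peer, auth []byte, user string) []byte {
	s := sha1.Sum(bytes.Join([][]byte{peer, auth, []byte(user)}, nil))
	return s[:8]
}
// desKey spreads 7 key bytes over 8; the low bit of each output byte is parity, which DES ignores.
func desKey(k7 []byte) []byte {
	n := binary.BigEndian.Uint64(append([]byte{0}, k7...)) // the 56 key bits, right-aligned
	key := make([]byte, 8)
	for i := range key {
		key[i] = (byte(n>>(49-7*uint(i))) & 0x7f) << 1
	}
	return key
}
// challengeResponse (the same routine in v1 and v2) pads the 16-byte hash to 21 bytes and uses it as
// three DES keys; the third key is hash[14:16] plus five zero bytes, so it has only 2^16 possible values.
func challengeResponse(challenge, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(z[7*i : 7*i+7]))
		c.Encrypt(resp[8*i:], challenge)
	}
	return resp
}
// authenticatorResponse is the server's proof (RFC 2759 section 8.7), carried in the Success packet.
func authenticatorResponse(ntHash, ntResp, peer, auth []byte, user string) string {
	d := sha1.Sum(bytes.Join([][]byte{md4(ntHash), ntResp, []byte("Magic server to client signing constant")}, nil))
	d = sha1.Sum(bytes.Join([][]byte{d[:], challengeHash(peer, auth, user), []byte("Pad to make it do more than one iteration")}, nil))
	return fmt.Sprintf("S=%X", d[:])
}
// exchange runs the v2 Challenge/Response/Success flow; the server holds only the account's NT hash.
// It returns (server accepted the client, client accepted the server).
func exchange(user, password string, serverNTHash, auth, peer []byte) (bool, bool) {
	resp := challengeResponse(challengeHash(peer, auth, user), ntPasswordHash(password)) // Response packet
	if !bytes.Equal(resp, challengeResponse(challengeHash(peer, auth, user), serverNTHash)) {
		return false, false // Failure packet; the password itself never crossed the link
	}
	success := authenticatorResponse(serverNTHash, resp, peer, auth, user)
	want := authenticatorResponse(ntPasswordHash(password), resp, peer, auth, user)
	return true, success == want // the client drops the link when these differ
}
func main() { fmt.Println(exchange("User", "clientPass", ntPasswordHash("clientPass"), authChallenge, peerChallenge)) }
```

`go run` prints `true true` for the RFC vectors. The MS-CHAP v1 NT response is the same `challengeResponse` call applied to the NAS's 8-byte challenge directly instead of to the SHA-1 challenge hash, which is why a captured exchange of either version reduces to a search over two 56-bit DES keys plus one 16-bit key.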

CHAP or Challenge-Handshake Authentication Protocol

CHAP (RFC 1994) improves on PAP because the password itself is never sent over the link. Once the basic PPP connection is established, the NAS sends a Challenge packet containing an Identifier byte and a random challenge value. The client computes an MD5 digest (Message Digest 5) over the Identifier, its password (the shared secret) and the challenge value, and returns that digest together with its name in a Response packet; the Identifier ties the response to the challenge it answers. The user name is still sent in plain text, and nothing else on the link is encrypted: only the password is protected, by being hashed rather than transmitted.

CHAP is clearly the better choice than PAP, which sends the password in clear text; in CHAP the password only appears mixed into the hash that answers the NAS's challenge, and the NAS, which already knows the password, recomputes the digest and authenticates the user as soon as the response arrives. That design has two consequences worth knowing. The NAS must hold the secret in clear text (or reversibly encrypted) to do the recomputation, and anyone who captures a challenge and its response can test password guesses against them offline, so the protection is only as strong as the password. The NAS may also send fresh challenges at any time during the connection and drop the link if a reply fails, which lets it re-verify the peer after the initial authentication, and because challenges are never reused a captured response cannot simply be replayed. That is the advantage CHAP has over PAP for authenticating a user over a dial-up or direct PPP connection.
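The CHAP round trip from RFC 1994, as an added Go example that is not part of the original page. It builds the Challenge and Response packets in the RFC's layout (Code, Identifier, Length, Value-Size, Value, Name), has the NAS verify the digest from its clear-text secret table, and then runs the offline guessing that anyone holding a captured pair of packets can do. The account `alice` / `summer2024`, the NAS name `nas` and the candidate password list are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// chapResponse is the RFC 1994 section 4.1 computation: MD5(Identifier || secret || challenge).
func chapResponse(id byte, secret string, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write([]byte(secret))
	h.Write(challenge)
	return h.Sum(nil)
}

// chapPacket lays out a Challenge (code 1) or Response (code 2) packet:
// Code | Identifier | Length (2 bytes, whole packet) | Value-Size | Value | Name.
func chapPacket(code, id byte, value []byte, name string) []byte {
	p := []byte{code, id, 0, 0, byte(len(value))}
	p = append(append(p, value...), name...)
	binary.BigEndian.PutUint16(p[2:], uint16(len(p)))
	return p
}

// parseChap splits a packet back into its fields, rejecting inconsistent lengths.
func parseChap(p []byte) (code, id byte, value []byte, name string, err error) {
	if len(p) < 5 || int(binary.BigEndian.Uint16(p[2:])) != len(p) || 5+int(p[4]) > len(p) {
		return 0, 0, nil, "", fmt.Errorf("malformed CHAP packet")
	}
	return p[0], p[1], p[5 : 5+int(p[4])], string(p[5+int(p[4]):]), nil
}

// chapServer is the NAS side: it needs the clear-text secret to recompute the digest.
type chapServer struct{ secrets map[string]string }

func (s chapServer) verify(id byte, challenge, response []byte, name string) bool {
	secret, ok := s.secrets[name]
	return ok && bytes.Equal(response, chapResponse(id, secret, challenge))
}

// authenticate runs one challenge/response round and returns whether the NAS accepts it,
// plus the two packets as they would appear on the wire.
func authenticate(s chapServer, id byte, name, secret string) (bool, []byte, []byte) {
	challenge := make([]byte, 16)
	rand.Read(challenge) // the NAS must never reuse a challenge value
	chalPkt := chapPacket(1, id, challenge, "nas")
	_, cid, cval, _, _ := parseChap(chalPkt) // the client reads the Identifier and Value
	respPkt := chapPacket(2, cid, chapResponse(cid, secret, cval), name)
	_, rid, rval, rname, _ := parseChap(respPkt) // the NAS reads them back
	return s.verify(rid, cval, rval, rname), chalPkt, respPkt
}

// offlineGuess shows why "the password is never sent" is not the whole story: anyone who
// captured the two packets can test candidate passwords against the response at leisure.
func offlineGuess(chalPkt, respPkt []byte, candidates []string) string {
	_, id, challenge, _, _ := parseChap(chalPkt)
	_, _, response, _, _ := parseChap(respPkt)
	for _, c := range candidates {
		if bytes.Equal(chapResponse(id, c, challenge), response) {
			return c
		}
	}
	return ""
}

func main() {
	nas := chapServer{secrets: map[string]string{"alice": "summer2024"}} // constructed sample account
	ok, chal, resp := authenticate(nas, 7, "alice", "summer2024")
	fmt.Println("accepted:", ok, "name on the wire:", string(resp[5+int(resp[4]):]))
	fmt.Println("recovered offline:", offlineGuess(chal, resp, []string{"password", "summer2024"}))
}
```

The user name is visible in the Response packet and the secret table on the NAS is clear text; both are inherent to CHAP, not to this example.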
