WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Get this Security+ CertiGuide for your own computer.
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Google
Web CertiGuide






Table Of Contents  CertiGuide to Security+
 9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)
      9  1.2  Authentication

Previous Topic/Section
1.2.1  Kerberos
Previous Page
Pages in Current Topic/Section
1
Next Page
 1.2.3  Certificates
Next Topic/Section

1.2.2  Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol, described by RFC 1994, authenticates a user by way of a “three way handshake”. First, the server sends the client a challenge message. (i.e., the server “challenges” the client.) Second, the client uses the message that is sent, along with the ID and the secret (the user’s password), to create a special code value called a hash, typically using MD5, and sends the hash back to the server. (i.e., the client responds with the other half of the “challenge handshake”.) Third, the server performs the same hashing function. In theory, the MD5 hash values will be equal, which gives authentication. This is repeated at random intervals during the session. By changing the ID value with each session, a replay attack is not possible. See 4.1.1 for explanations of hashing and MD5.

CHAP is most often used for PPP authentication. Firms such as Cisco and Microsoft have produced variations on the basic CHAP model, such as Microsoft’s MS-CHAP, with extensions specific to the Windows NT environment.

[spacer]CHAP Issues

Although like Kerberos, CHAP avoids sending the password over the wire, it still has security issues. In particular, the challenge/response mechanism is only as strong as the secret used to calculate the response. This means that users still need to choose good passwords – for example, not words that appear in any dictionary. Also, the protocol itself contains some weaknesses, including information disclosure, as documented in the paper, “Cheating CHAP.”58


CHAP 3-Way Handshake

CHAP uses a 3-way handshake in which the server sends the client a “challenge” message, the client responds with a message encrypted into an MD5 hash using its password, and the server verifies that the message was encrypted with the right password by encrypting the same message with its version of the user’s password and making sure both messages’ hash codes match.

CHAP protects against session hijacking by performing this handshake at random times during a session.


Figure 5: CHAP can re-challenge at random times.

 

 __________________

58. Krahmer, Sebastian, “Cheating CHAP”, http://packetstormsecurity.nl/groups/teso/chap.pdf, February 2002.

Previous Topic/Section
1.2.1  Kerberos
Previous Page
Pages in Current Topic/Section
1
Next Page
 1.2.3  Certificates
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.