The Challenge-Handshake Authentication Protocol (CHAP) is used to
periodically verify the identity of the peer using a 3-way handshake.
This is done upon initial link establishment, and MAY be repeated
anytime after the link has been established.
After the Link Establishment phase is complete, the authenticator
sends a "challenge" message to the peer. The peer responds with a
value calculated using a "one-way hash" function. The authenticator
checks the response against its own calculation of the expected hash
value. If the values match, the authentication is acknowledged;
otherwise the connection SHOULD be terminated.
CHAP provides protection against playback attack through the use of
an incrementally changing identifier and a variable challenge value.
The use of repeated challenges is intended to limit the time of
exposure to any single attack. The authenticator is in control of
the frequency and timing of the challenges.
This authentication method depends upon a "secret" known only to the
authenticator and that peer. The secret is not sent over the link.
This method is most likely used where the same secret is easily
accessed from both ends of the link.
Implementation Note: CHAP requires that the secret be available in
plaintext form. To avoid sending the secret over other links in
the network, it is recommended that the challenge and response
values be examined at a central server, rather than each network
access server. Otherwise, the secret SHOULD be sent to such
servers in a reversably encrypted form.
The CHAP algorithm requires that the length of the secret MUST be at
least 1 octet. The secret SHOULD be at least as large and
unguessable as a well-chosen password. It is preferred that the
secret be at least the length of the hash value for the hashing
algorithm chosen (16 octets for MD5). This is to ensure a
sufficiently large range for the secret to provide protection against
exhaustive search attacks.
The one-way hash algorithm is chosen such that it is computationally
infeasible to determine the secret from the known challenge and
response values.
The challenge value SHOULD satisfy two criteria: uniqueness and
unpredictability. Each challenge value SHOULD be unique, since
repetition of a challenge value in conjunction with the same secret
would permit an attacker to reply with a previously intercepted
response. Since it is expected that the same secret MAY be used to
authenticate with servers in disparate geographic regions, the
challenge SHOULD exhibit global and temporal uniqueness. Each
challenge value SHOULD also be unpredictable, least an attacker trick
a peer into responding to a predicted future challenge, and then use
the response to masquerade as that peer to an authenticator.
Although protocols such as CHAP are incapable of protecting against
realtime active wiretapping attacks, generation of unique
unpredictable challenges can protect against a wide range of active
attacks.
A discussion of sources of uniqueness and probability of divergence
is included in the Magic-Number Configuration Option [1].
