Which is most secure - CHAP or PAP?
If it's not so clear-cut, what are the trade offs?
Password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) are both used to authenticate PPP sessions and can be used with many VPNs. Basically, PAP works like a standard login procedure; the remote system authenticates itself to the using a static user name and password combination. The password can be encrypted for additional security, but PAP is subject to numerous attacks. In particular, since the information is static, it is subject to password guessing as well as snooping.
CHAP takes a more sophisticated and secure approach to authentication by creating a unique challege phrase (a randomly generated string) for each authentication. The challenge phrase is combined with device host names using oneway hashing functions to authenticate in way where no static secret information is ever transmitted over the wire. Because all transmitted information is dymanic, CHAP is significantly more robust than PAP.
Another advantage of CHAP over PAP is that CHAP can be set up to do repeated midsession authentications. This is useful for dial-up PPP sessions and other sessions where a port may be left open even though the remote device has disconnected. In this case, its possible for someone else to pick up the connection mid-session simply by establish physical connectivity.
So, definitely go with CHAP if you have choice.
Dig deeper on Network Security Best Practices and Products
Related Q&A from Retired Expert - Mark Tuomenoksa
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.