CHAP vs. PAP: What's more secure?

Which is most secure - CHAP or PAP?

If it's not so clear-cut, what are the trade offs?

Password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) are both used to authenticate PPP sessions and can be used with many VPNs. Basically, PAP works like a standard login procedure; the remote system authenticates itself to the using a static user name and password combination. The password can be encrypted for additional security, but PAP is subject to numerous attacks. In particular, since the information is static, it is subject to password guessing as well as snooping.

CHAP takes a more sophisticated and secure approach to authentication by creating a unique challege phrase (a randomly generated string) for each authentication. The challenge phrase is combined with device host names using oneway hashing functions to authenticate in way where no static secret information is ever transmitted over the wire. Because all transmitted information is dymanic, CHAP is significantly more robust than PAP.

Another advantage of CHAP over PAP is that CHAP can be set up to do repeated midsession authentications. This is useful for dial-up PPP sessions and other sessions where a port may be left open even though the remote device has disconnected. In this case, its possible for someone else to pick up the connection mid-session simply by establish physical connectivity.

So, definitely go with CHAP if you have choice.

Next Steps

Wireless technology techniques

VPN authentication choices

Tips for keeping Wi-Fi network passwords secure

Prevent authentication vulnerabilities in enterprise apps

This was first published in January 2003

Dig Deeper on Network Security Best Practices and Products



Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.
Related Discussions

Retired Expert - Mark Tuomenoksa asks:

In which situations have you found PAP to be the preferred protocol?

0  Responses So Far

Join the Discussion



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: