Problem solve Get help with specific problems with your technologies, process and projects.

CHAP vs. PAP: What's more secure?

Which is most secure - CHAP or PAP?

If it's not so clear-cut, what are the trade offs?

Password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) are both used to authenticate PPP sessions and can be used with many VPNs. Basically, PAP works like a standard login procedure; the remote system authenticates itself to the using a static user name and password combination. The password can be encrypted for additional security, but PAP is subject to numerous attacks. In particular, since the information is static, it is subject to password guessing as well as snooping.

CHAP takes a more sophisticated and secure approach to authentication by creating a unique challege phrase (a randomly generated string) for each authentication. The challenge phrase is combined with device host names using oneway hashing functions to authenticate in way where no static secret information is ever transmitted over the wire. Because all transmitted information is dymanic, CHAP is significantly more robust than PAP.

Another advantage of CHAP over PAP is that CHAP can be set up to do repeated midsession authentications. This is useful for dial-up PPP sessions and other sessions where a port may be left open even though the remote device has disconnected. In this case, its possible for someone else to pick up the connection mid-session simply by establish physical connectivity.

So, definitely go with CHAP if you have choice.

Next Steps

Wireless technology techniques

VPN authentication choices

Tips for keeping Wi-Fi network passwords secure

Prevent authentication vulnerabilities in enterprise apps

This was last published in January 2003

Dig Deeper on Network Security Best Practices and Products