PAP, CHAP, and MS-CHAP – CompTIA Security+ SY0-501 – 4.2

Some legacy authentication protocols are still in use today. In this video, you’ll learn about the operation of PAP, CHAP, and Microsoft’s MS-CHAP protocols.


If you need to authenticate on a point-to-point network, then you need the Point-to-Point Protocol, or PPP, which provides authentication on analog dial-up, ISDN, and other types of point-to-point networks. There are also derivatives of PPP. You may find PPTP, the Point-to-Point Tunneling Protocol, which you’ll commonly see in Windows operating systems. And there’s PPPoE, which is Point-to-Point Protocol over Ethernet, commonly used to authenticate over a DSL network.

If you need to authenticate over these non-Ethernet networks, it’s very common to use PAP, CHAP, or MS-CHAP to accomplish that. One of the most basic authentication methods is PAP, or Password Authentication Protocol. You would commonly see PAP used on very old operating systems or legacy systems.

And it’s very unusual to see PAP used by itself these days. That’s because PAP communicates in the clear. There’s no encryption or any additional security of the information that you’re sending using this Password Authentication Protocol.

We didn’t need encryption over the dial-up lines we were using because there was no mechanism for someone else to sit in the middle of that conversation and grab that data. PAP used this method of communication. You would put your username and your password in at a prompt, and you would log in.

The response from your client might say that your user name is James, the password is password111. And you can see that it’s all sent across the network in the clear. The PAP server contains a database that also contains my username and the password, and it checks to see if those two things match. And if they match, the client receives a message back, saying the authentication was successful, and you’ve now gained access to the network.

CHAP was created to provide additional security to this authentication process. CHAP is the Challenge Handshake Authentication Protocol, and it’s using an encrypted challenge to be able to send these credentials across the network. CHAP uses a three-way handshake to be able to authenticate. Once the client and the server initially connect, the server will send a challenge message to the client. The client combines the password with that challenge message and sends a hash back to the server.

The server then compares that hash to the information it has in the database and determines if the authentication is correct. This same challenge response may continue multiple times while these devices are connected. This all happens behind the scenes and the user never even knows it’s occurring.

Here’s the CHAP authentication. We’re going to use the same username, James, and the same password of 111. The client sends a message to the CHAP server that says, I’d like to login, but only sends username information. It says, my user name is James.

The CHAP server obviously has the username and the password information stored in its local database. And it creates a very specialized challenge message that it sends back to the client. You can see the challenge message is sent across the network.

The client combines the challenge message with the password and sends a very specialized hash in response to the CHAP server. The CHAP server performs exactly the same calculation on its side, and it determines if that hash matches. And if the hash does match, then the user is allowed access to the network.
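The three-way handshake described above, as an added example that is not part of the original video. It assumes the response calculation defined for CHAP in RFC 1994, MD5 over the identifier, the shared secret, and the challenge, which the transcript does not spell out; the class and function names are hypothetical and the account is constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample account, matching the walkthrough's username.
USER_DB = {"James": b"password111"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues challenges and verifies responses."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}      # username -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, username: str):
        # Step 1 of the handshake: a fresh random challenge per attempt.
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)
        self.pending[username] = (self.next_id, chal)
        return self.next_id, chal

    def verify(self, username: str, response: bytes) -> bool:
        # Step 3: recompute the hash from the stored secret and compare.
        # Each challenge is single-use, so it is removed once checked.
        identifier, chal = self.pending.pop(username, (None, None))
        secret = self.user_db.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def client_login(server: ChapServer, username: str, password: bytes):
    """Peer side. Returns (accepted, bytes_sent) so the wire can be inspected."""
    ident, chal = server.challenge(username)
    resp = chap_response(ident, password, chal)      # Step 2
    return server.verify(username, resp), resp
```

Unlike PAP, the only credential-derived value on the wire is the 16-byte hash, and because every attempt gets a new challenge, a response captured from one login is rejected when presented against the next challenge.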

Microsoft uses a version of CHAP that they’ve customized, which they call MS-CHAP. This is something you’ll see on Microsoft’s Point-to-Point Tunneling Protocol, or PPTP. The most recent version of MS-CHAP is referred to as MS-CHAP v2.

Unfortunately, MS-CHAP and MS-CHAP v2 suffer from vulnerabilities due to their use of DES. Instead of using MS-CHAP, many people have migrated to L2TP, IPsec, or some other type of secure VPN communication.