CHAP or Challenge-Handshake Authentication Protocol

CHAP is better than PAP because it uses an encrypted authentication mechanism, which protects the username and password from being sent if the destination NAS server does not support this authentication method. The actual password is never transmitted over the network. Instead, once the basic PPP connection is established, the NAS server sends a challenge phrase associated with a Session ID to the remote client. The remote client then uses the MD5 (Message Digest version 5) hash algorithm to answer the challenge string: it replies with its username and an answer to the hash challenge computed with its username, network ID and password. The username is still sent in plain text, though.

CHAP is definitely a better choice than PAP, where the password is sent in clear text. In CHAP, the password is instead mixed into a hash that answers the challenge string sent by the NAS server. Once the answer to the hash challenge is received, the NAS server, which already knows the password, authenticates the user immediately. CHAP keeps sending challenges for the user to reply to, verifying its identity several times during the connection, which makes the connection more secure against intrusion. The advantage CHAP carries over PAP is the way a user is authenticated over a dial-up or direct PPP connection.
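The challenge/response exchange and the repeated re-challenge described above, as an added example that is not part of the original post. It uses the response computation from RFC 1994 (MD5 over the identifier octet, the shared secret and the challenge); the class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """NAS side (hypothetical class): holds user secrets, issues challenges."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self) -> tuple[int, bytes]:
        # A fresh identifier and random challenge for every round.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None or identifier != self.identifier or not self.challenge:
            return False
        expected = chap_response(identifier, secret, self.challenge)
        self.challenge = b""  # each challenge may be answered only once
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict[str, bool]:
    secret = b"constructed-sample-secret"  # constructed sample value
    nas = Authenticator({"alice": secret})

    # Initial authentication: only name and hash cross the link.
    ident, chal = nas.new_challenge()
    resp = chap_response(ident, secret, chal)
    first = nas.verify(ident, "alice", resp)

    # Mid-session re-challenge: the earlier response no longer matches.
    ident2, _ = nas.new_challenge()
    replayed = nas.verify(ident2, "alice", resp)

    # A peer that does not know the secret fails the check.
    ident3, chal3 = nas.new_challenge()
    wrong = nas.verify(ident3, "alice", chap_response(ident3, b"guess", chal3))
    return {"first": first, "replayed": replayed, "wrong_secret": wrong}
```

Because every round uses a new random challenge, a response captured from an earlier round is useless for a later one, which is what the periodic re-challenge relies on.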


Posted by: Wasim Javed
