Challenge Handshake Authentication Protocol (CHAP)
Challenge Handshake Authentication Protocol (CHAP) is a Point-to-point protocol (PPP) authentication protocol developed by IETF (Internet Engineering Task Force). It is used at the initial startup of the link. Also, it performs periodic checkups to check if the router is still communicating with the same host.
- It uses 3-way handshaking protocol (not like TCP). First, the authenticator sends a challenge packet to the peer then, the peer responds with a value using its one way hash function. The authenticator then matches the received value with its own calculated hash value. If the values match then the authentication is acknowledged otherwise, the connection will be terminated.
- It uses one-way hash function called MD5.
- It also authenticates periodically to check if the communication is taking place with the same device or not.
- Also, it provides more security than PAP (Password Authentication Procedure) as the value used (find out by hash function) is changed variably.
- CHAP requires to know the plaintext of the secret as it is never sent over the network.
CHAP packets :
There are 4 types of CHAP packets –
- Challenge packet : It is a packet sent, by the authenticator to peer, at the starting of the CHAP 3-way Handshake. Challenge packet is also sent periodically to check if the connection is not altered. It contains Identifier value, value field which contains random value and also contains name field which contains name of the authenticator. The name field is used for password look up. The name field is also fed to MD5 hash generator and a one-way hash value is generated.
- Response Packet : It is used to response to the challenge packet. It contains the Value field which contains one-way hash value generated, identifier value and the name field. The Name field of the Response packet is set to the hostname of the peer router. Now, the Name field of Challenge packet is looked up for the password. The router looks up for an entry that matches the username in the Name field of the Challenge packet and gets the password. Then, this password is hashed by feeding it to MD5 hash generator and one way hash value is generated. This value is inserted into the value field of response packet and sent to the authenticator.
- Success packet : Now, the authenticator also performs the same thing by looking up in name field (if it has an entry for that username) of the response packet and by using that it generates a hash value. If the value generated is same as that of peer then the success packet is send.
- Failure packet : If the generated value is different then the failure packet is send to the peer.
- Strong authentication: CHAP provides strong authentication by challenging the user with a randomly generated challenge string that changes with each session, ensuring that the user’s password or secret key is not transmitted over the network.
- Secure: CHAP is a secure authentication protocol as it uses a one-way hash function to encrypt the challenge string and the password, making it difficult for attackers to intercept and decrypt the user’s credentials.
- Prevents replay attacks: CHAP prevents replay attacks by including a sequence number in the challenge string, ensuring that the same challenge cannot be used twice.
- Compatibility: CHAP is compatible with a wide range of network protocols and operating systems, making it easy to implement and use in various network environments.
- Scalability: CHAP is a scalable authentication protocol, as it can handle a large number of users and devices in the network.
- Vulnerable to man-in-the-middle attacks: CHAP is vulnerable to man-in-the-middle attacks, where an attacker can intercept the challenge and response packets and use them to authenticate themselves to the network.
- Requires a pre-shared key: CHAP requires a pre-shared key or password to authenticate the user, which can be difficult to manage in large-scale network environments.
- No mutual authentication: CHAP does not provide mutual authentication, which means that the network cannot authenticate the user in the same way that the user authenticates the network. This can leave the network vulnerable to spoofing attacks.
- Overhead: CHAP introduces additional overhead in the network, as it requires the exchange of multiple packets between the user and the network for each session.
- Not suitable for high-security applications: CHAP is not suitable for high-security applications that require advanced authentication and encryption mechanisms, as it provides only basic authentication and encryption features.
There is a small topology with 2-routers, namely Router1 and Router2. Router1 having IP address 10.1.1.1/30 on s0/0 and Router2 have IP address 10.1.1.2/30 on s0/0. Remember, by default HDLC is configured on Cisco routers therefore, first change the encapsulation to PPP.
Configure R1 :
Router1(config)# int s0/0 Router1(config-if)# encapsulation ppp
Configure R2 :
Router2(config)# int s0/0 Router2(config-if)# encapsulation ppp
Change hostname of both routers.
Router1(config)# hostname R1 Router2(config)# hostname R2
Provide username and password one by one.
R1(config)# username R2 password GeeksforGeeks
R2(config)# username R1 password GeeksforGeeks
Notice that username and password are case-sensitive. Also, on router R1, we have to give username of other router i.e R2 and vice-versa.
Please Login to comment...