Security Encyclopedia

Challenge Handshake Authentication Protocol (CHAP)

The Challenge-Handshake Authentication Protocol (CHAP) is an identity-checking protocol that periodically re-authenticates the user during an online session. Properly implemented, CHAP is resistant to replay attacks and far more secure than the Password Authentication Protocol (PAP).

CHAP does not rely on transmitting mutual secrets between the service and the party requesting access; it does, however, depend on a shared secret having been established beforehand. To access a service, the person requesting access and the service conduct a cryptographic exchange, or “handshake”. Subsequent challenges are then sent from the service to the already-connected party, allowing it to be re-authenticated during the same session. Each successive challenge also differs from the ones before it, rendering replay attacks infeasible.
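The exchange described above, as an added example that is not part of the original entry: a service-side authenticator and a peer-side responder using the RFC 1994 construction (Response = MD5 of the one-byte identifier, the shared secret and the challenge). The shared secret and challenge values are constructed for the example; the authenticator keeps track of outstanding challenges so that a replayed response, whether to its own consumed challenge or to a fresh one, is rejected.

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"example-shared-secret"  # constructed sample value, never sent on the wire


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || secret || Challenge), as in RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Service side: issues fresh random challenges and verifies each response once."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._identifier = 0
        self._outstanding: dict[int, bytes] = {}  # identifier -> challenge awaiting a reply

    def challenge(self) -> tuple[int, bytes]:
        """Issue a new challenge; the random value means no two challenges repeat."""
        self._identifier = (self._identifier + 1) % 256
        value = os.urandom(16)
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        """Accept a response only for a challenge that is still outstanding."""
        challenge = self._outstanding.pop(identifier, None)
        if challenge is None:
            return False  # unknown or already-answered identifier: a replay or stray packet
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


def run_session(secret: bytes = SHARED_SECRET) -> dict:
    """Initial login, one periodic re-challenge, then two replay attempts (both must fail)."""
    auth = ChapAuthenticator(secret)
    ident1, chal1 = auth.challenge()
    resp1 = chap_response(ident1, secret, chal1)
    first = auth.verify(ident1, resp1)
    ident2, chal2 = auth.challenge()
    resp2 = chap_response(ident2, secret, chal2)
    second = auth.verify(ident2, resp2)
    replayed_same = auth.verify(ident1, resp1)  # old response to its own, now-consumed challenge
    ident3, _ = auth.challenge()
    replayed_stale = auth.verify(ident3, resp1)  # old response against a fresh challenge
    return {"first": first, "second": second, "challenges_differ": chal1 != chal2,
            "replayed_same": replayed_same, "replayed_stale": replayed_stale}
```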

“Replay attacks haven’t been an issue lately. Our Point-to-Point Protocol (PPP) servers are using CHAP intermittently so hackers are unable to mimic legitimate requests.”