Appendix D: Authentication in CHAP, MS-CHAP, and MS-CHAP v2
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio,
and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
CHAP
Challenge Handshake Authentication Protocol (CHAP, RFC 1994) authentication is an
exchange of three messages:
1. The remote access server sends a CHAP Challenge message containing a
one-byte session identifier (the CHAP Identifier field) and an arbitrary
challenge string, which must be unique and unpredictable for each session.
2. The remote access client returns a CHAP Response message containing the
user name in plain text and an MD5 hash computed over the session
identifier, the client's password (the shared secret, used as-is rather than
hashed first), and the challenge string, in that order.
3. The remote access server computes the same MD5 hash from its own copy of
the client's password and compares it to the hash in the CHAP Response. If
the hashes are the same, the remote access server sends back a CHAP Success
message. If the hashes are different, a CHAP Failure message is sent.
Because the server has to recompute the hash from the password itself, CHAP
requires the server to store passwords in plain text or in a reversibly
encrypted form; a one-way stored password hash cannot be used.
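The three-message exchange above, with both the client and the server side in one process, as an added example that is not part of the original appendix. The user name, password and challenge values are constructed for the demonstration, and the class and function names (`ChapServer`, `chap_response`, `run_exchange`, `replay_is_rejected`) are this example's own, not names from any Microsoft or RFC 1994 implementation. It also shows why the challenge must be fresh per session: a response captured from one exchange is rejected when presented again, whether against the old identifier or a new one.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge).

    The Identifier is the one-byte field the appendix calls the session ID; the
    secret is the user's password, which CHAP uses directly, not a hash of it.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """The remote access server side: issues challenges and checks responses."""

    def __init__(self, user_db: dict):
        # CHAP must recompute the MD5 over the cleartext password, so the server
        # has to hold passwords in clear (or reversibly encrypted) form.
        self._users = user_db
        self._outstanding = {}   # identifier -> challenge bytes, single use
        self._next_id = 0

    def challenge(self):
        """Step 1: CHAP Challenge carrying an Identifier and random octets."""
        ident = self._next_id
        self._next_id = (ident + 1) & 0xFF
        self._outstanding[ident] = os.urandom(16)
        return ident, self._outstanding[ident]

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash for this Identifier and compare.

        The challenge is consumed here, so a captured response cannot be
        replayed against the same Identifier later.
        """
        challenge = self._outstanding.pop(identifier, None)
        secret = self._users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def client_respond(name: str, password: bytes, identifier: int, challenge: bytes):
    """Step 2: CHAP Response = (Identifier, plaintext name, MD5 value)."""
    return identifier, name, chap_response(identifier, password, challenge)


def run_exchange(server: ChapServer, name: str, password: bytes) -> bool:
    """One full exchange; True stands for CHAP Success, False for CHAP Failure."""
    ident, chal = server.challenge()
    ident, name, resp = client_respond(name, password, ident, chal)
    return server.verify(ident, name, resp)


def replay_is_rejected(server: ChapServer, name: str, password: bytes) -> bool:
    """A response captured from one session is useless for another."""
    ident1, chal1 = server.challenge()
    _, _, resp1 = client_respond(name, password, ident1, chal1)
    first_ok = server.verify(ident1, name, resp1)
    ident2, _ = server.challenge()                        # fresh challenge, new Identifier
    replayed_new = server.verify(ident2, name, resp1)     # wrong challenge and Identifier
    replayed_old = server.verify(ident1, name, resp1)     # that challenge is already consumed
    return first_ok and not replayed_new and not replayed_old


if __name__ == "__main__":
    # Constructed demo credentials; note the server holds the cleartext password.
    srv = ChapServer({"alice": b"correct horse battery"})
    print("correct password:", run_exchange(srv, "alice", b"correct horse battery"))
    print("wrong password:  ", run_exchange(srv, "alice", b"guess"))
    print("replay rejected: ", replay_is_rejected(srv, "alice", b"correct horse battery"))
```

The comparison uses `hmac.compare_digest` rather than `==` so the check does not leak timing information about the expected hash; the single-use challenge table is what ties a response to one session.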
MS-CHAP
MS-CHAP (also called MS-CHAP v1, RFC 2433) authentication is an exchange of
three messages:
1. The remote access server sends an MS-CHAP Challenge message
containing a session ID and an arbitrary 8-byte challenge string.
2. The remote access client returns an MS-CHAP Response message
containing the user name in plain text and a 24-byte challenge response.
Unlike CHAP, this is not a hash over the challenge: the client takes the
MD4 hash of its password (the NT hash), pads it with zeros to 21 bytes,
splits it into three DES keys, and encrypts the challenge string under each
key in turn. The session ID does not enter the computation.
3. The remote access server performs the same computation from its stored
copy of the user's password hash and compares the result to the response in
the MS-CHAP Response. If they are the same, the remote access server sends
back an MS-CHAP Success message. If they are different, an MS-CHAP Failure
message is sent. Only the client is authenticated; nothing in the exchange
proves to the client that the server knows the password.
MS-CHAP v2
MS-CHAP v2 (RFC 2759) authentication is an exchange of four steps:
1. The remote access server sends an MS-CHAP v2 Challenge message to the
remote access client that consists of a session identifier and an arbitrary
16-byte challenge string.
2. The remote access client sends an MS-CHAP v2 Response message that
contains:
• The user name.
• An arbitrary 16-byte peer challenge string chosen by the client.
• A 24-byte response. The client computes a Secure Hash Algorithm (SHA-1)
hash over the peer challenge string, the received challenge string, and the
user name, keeps the first 8 bytes, and encrypts that 8-byte value with DES
under three keys derived from the MD4-hashed version of the user's
password, exactly as in MS-CHAP. The session identifier is not part of the
computation.
3. The remote access server checks the MS-CHAP v2 Response message from
the client and sends back an MS-CHAP v2 Success or Failure message that
contains:
• An indication of the success or failure of the connection attempt.
• On success, an authenticator response: a SHA-1 value computed from the
MD4 hash of the user's password hash, the client's 24-byte response, and
the 8-byte value derived from the sent challenge string, the peer challenge
string, and the user name.
4. The remote access client recomputes the authenticator response and, if it
matches, uses the connection. If the authenticator response is not correct,
the remote access client terminates the connection, since the server has not
shown that it knows the user's password hash. This step is what makes
MS-CHAP v2 mutual authentication; CHAP and MS-CHAP authenticate only the
client.