7 Network Working Group W. Simpson
8 Request for Comments: 1994 DayDreamer
9 Obsoletes: 1334 August 1996
10 Category: Standards Track
13 PPP Challenge Handshake Authentication Protocol (CHAP)
18 This document specifies an Internet standards track protocol for the
19 Internet community, and requests discussion and suggestions for
20 improvements. Please refer to the current edition of the "Internet
21 Official Protocol Standards" (STD 1) for the standardization state
22 and status of this protocol. Distribution of this memo is unlimited.
26 The Point-to-Point Protocol (PPP) [1] provides a standard method for
27 transporting multi-protocol datagrams over point-to-point links.
29 PPP also defines an extensible Link Control Protocol, which allows
30 negotiation of an Authentication Protocol for authenticating its peer
31 before allowing Network Layer protocols to transmit over the link.
33 This document defines a method for Authentication using PPP, which
34 uses a random Challenge, with a cryptographically hashed Response
35 which depends upon the Challenge and a secret key.
39 1. Introduction .......................................... 1
40 1.1 Specification of Requirements ................... 1
41 1.2 Terminology ..................................... 2
42 2. Challenge-Handshake Authentication Protocol ........... 2
43 2.1 Advantages ...................................... 3
44 2.2 Disadvantages ................................... 3
45 2.3 Design Requirements ............................. 4
46 3. Configuration Option Format ........................... 5
47 4. Packet Format ......................................... 6
48 4.1 Challenge and Response .......................... 7
49 4.2 Success and Failure ............................. 9
50 SECURITY CONSIDERATIONS ...................................... 10
51 ACKNOWLEDGEMENTS ............................................. 11
52 REFERENCES ................................................... 12
53 CONTACTS ..................................................... 12
60 RFC 1994 PPP CHAP August 1996
65 In order to establish communications over a point-to-point link, each
66 end of the PPP link must first send LCP packets to configure the data
67 link during Link Establishment phase. After the link has been
68 established, PPP provides for an optional Authentication phase before
69 proceeding to the Network-Layer Protocol phase.
71 By default, authentication is not mandatory. If authentication of
72 the link is desired, an implementation MUST specify the
73 Authentication-Protocol Configuration Option during Link
76 These authentication protocols are intended for use primarily by
77 hosts and routers that connect to a PPP network server via switched
78 circuits or dial-up lines, but might be applied to dedicated links as
79 well. The server can use the identification of the connecting host
80 or router in the selection of options for network layer negotiations.
82 This document defines a PPP authentication protocol. The Link
83 Establishment and Authentication phases, and the Authentication-
84 Protocol Configuration Option, are defined in The Point-to-Point
88 1.1. Specification of Requirements
90 In this document, several words are used to signify the requirements
91 of the specification. These words are often capitalized.
93 MUST This word, or the adjective "required", means that the
94 definition is an absolute requirement of the specification.
96 MUST NOT This phrase means that the definition is an absolute
97 prohibition of the specification.
99 SHOULD This word, or the adjective "recommended", means that there
100 may exist valid reasons in particular circumstances to
101 ignore this item, but the full implications must be
102 understood and carefully weighed before choosing a
105 MAY This word, or the adjective "optional", means that this
106 item is one of an allowed set of alternatives. An
107 implementation which does not include this option MUST be
108 prepared to interoperate with another implementation which
109 does include the option.
116 RFC 1994 PPP CHAP August 1996
121 This document frequently uses the following terms:
124 The end of the link requiring the authentication. The
125 authenticator specifies the authentication protocol to be
126 used in the Configure-Request during Link Establishment
129 peer The other end of the point-to-point link; the end which is
130 being authenticated by the authenticator.
133 This means the implementation discards the packet without
134 further processing. The implementation SHOULD provide the
135 capability of logging the error, including the contents of
136 the silently discarded packet, and SHOULD record the event
137 in a statistics counter.
142 2. Challenge-Handshake Authentication Protocol
144 The Challenge-Handshake Authentication Protocol (CHAP) is used to
145 periodically verify the identity of the peer using a 3-way handshake.
146 This is done upon initial link establishment, and MAY be repeated
147 anytime after the link has been established.
149 1. After the Link Establishment phase is complete, the
150 authenticator sends a "challenge" message to the peer.
152 2. The peer responds with a value calculated using a "one-way
155 3. The authenticator checks the response against its own
156 calculation of the expected hash value. If the values match,
157 the authentication is acknowledged; otherwise the connection
158 SHOULD be terminated.
160 4. At random intervals, the authenticator sends a new challenge to
161 the peer, and repeats steps 1 to 3.
172 RFC 1994 PPP CHAP August 1996
177 CHAP provides protection against playback attack by the peer through
178 the use of an incrementally changing identifier and a variable
179 challenge value. The use of repeated challenges is intended to limit
180 the time of exposure to any single attack. The authenticator is in
181 control of the frequency and timing of the challenges.
183 This authentication method depends upon a "secret" known only to the
184 authenticator and that peer. The secret is not sent over the link.
186 Although the authentication is only one-way, by negotiating CHAP in
187 both directions the same secret set may easily be used for mutual
190 Since CHAP may be used to authenticate many different systems, name
191 fields may be used as an index to locate the proper secret in a large
192 table of secrets. This also makes it possible to support more than
193 one name/secret pair per system, and to change the secret in use at
194 any time during the session.
199 CHAP requires that the secret be available in plaintext form.
200 Irreversably encrypted password databases commonly available cannot
203 It is not as useful for large installations, since every possible
204 secret is maintained at both ends of the link.
206 Implementation Note: To avoid sending the secret over other links
207 in the network, it is recommended that the challenge and response
208 values be examined at a central server, rather than each network
209 access server. Otherwise, the secret SHOULD be sent to such
210 servers in a reversably encrypted form. Either case requires a
211 trusted relationship, which is outside the scope of this
228 RFC 1994 PPP CHAP August 1996
231 2.3. Design Requirements
233 The CHAP algorithm requires that the length of the secret MUST be at
234 least 1 octet. The secret SHOULD be at least as large and
235 unguessable as a well-chosen password. It is preferred that the
236 secret be at least the length of the hash value for the hashing
237 algorithm chosen (16 octets for MD5). This is to ensure a
238 sufficiently large range for the secret to provide protection against
239 exhaustive search attacks.
241 The one-way hash algorithm is chosen such that it is computationally
242 infeasible to determine the secret from the known challenge and
245 Each challenge value SHOULD be unique, since repetition of a
246 challenge value in conjunction with the same secret would permit an
247 attacker to reply with a previously intercepted response. Since it
248 is expected that the same secret MAY be used to authenticate with
249 servers in disparate geographic regions, the challenge SHOULD exhibit
250 global and temporal uniqueness.
252 Each challenge value SHOULD also be unpredictable, least an attacker
253 trick a peer into responding to a predicted future challenge, and
254 then use the response to masquerade as that peer to an authenticator.
256 Although protocols such as CHAP are incapable of protecting against
257 realtime active wiretapping attacks, generation of unique
258 unpredictable challenges can protect against a wide range of active
261 A discussion of sources of uniqueness and probability of divergence
262 is included in the Magic-Number Configuration Option [1].
284 RFC 1994 PPP CHAP August 1996
287 3. Configuration Option Format
289 A summary of the Authentication-Protocol Configuration Option format
290 to negotiate the Challenge-Handshake Authentication Protocol is shown
291 below. The fields are transmitted from left to right.
293 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
294 | Type | Length | Authentication-Protocol |
295 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
307 Authentication-Protocol
309 c223 (hex) for Challenge-Handshake Authentication Protocol.
313 The Algorithm field is one octet and indicates the authentication
314 method to be used. Up-to-date values are specified in the most
315 recent "Assigned Numbers" [2]. One value is required to be
340 RFC 1994 PPP CHAP August 1996
345 Exactly one Challenge-Handshake Authentication Protocol packet is
346 encapsulated in the Information field of a PPP Data Link Layer frame
347 where the protocol field indicates type hex c223 (Challenge-Handshake
348 Authentication Protocol). A summary of the CHAP packet format is
349 shown below. The fields are transmitted from left to right.
351 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
352 | Code | Identifier | Length |
353 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
359 The Code field is one octet and identifies the type of CHAP
360 packet. CHAP Codes are assigned as follows:
369 The Identifier field is one octet and aids in matching challenges,
370 responses and replies.
374 The Length field is two octets and indicates the length of the
375 CHAP packet including the Code, Identifier, Length and Data
376 fields. Octets outside the range of the Length field should be
377 treated as Data Link Layer padding and should be ignored on
382 The Data field is zero or more octets. The format of the Data
383 field is determined by the Code field.
396 RFC 1994 PPP CHAP August 1996
399 4.1. Challenge and Response
403 The Challenge packet is used to begin the Challenge-Handshake
404 Authentication Protocol. The authenticator MUST transmit a CHAP
405 packet with the Code field set to 1 (Challenge). Additional
406 Challenge packets MUST be sent until a valid Response packet is
407 received, or an optional retry counter expires.
409 A Challenge packet MAY also be transmitted at any time during the
410 Network-Layer Protocol phase to ensure that the connection has not
413 The peer SHOULD expect Challenge packets during the Authentication
414 phase and the Network-Layer Protocol phase. Whenever a Challenge
415 packet is received, the peer MUST transmit a CHAP packet with the
416 Code field set to 2 (Response).
418 Whenever a Response packet is received, the authenticator compares
419 the Response Value with its own calculation of the expected value.
420 Based on this comparison, the authenticator MUST send a Success or
421 Failure packet (described below).
423 Implementation Notes: Because the Success might be lost, the
424 authenticator MUST allow repeated Response packets during the
425 Network-Layer Protocol phase after completing the
426 Authentication phase. To prevent discovery of alternative
427 Names and Secrets, any Response packets received having the
428 current Challenge Identifier MUST return the same reply Code
429 previously returned for that specific Challenge (the message
430 portion MAY be different). Any Response packets received
431 during any other phase MUST be silently discarded.
433 When the Failure is lost, and the authenticator terminates the
434 link, the LCP Terminate-Request and Terminate-Ack provide an
435 alternative indication that authentication failed.
452 RFC 1994 PPP CHAP August 1996
455 A summary of the Challenge and Response packet format is shown below.
456 The fields are transmitted from left to right.
458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
459 | Code | Identifier | Length |
460 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
461 | Value-Size | Value ...
462 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
464 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
474 The Identifier field is one octet. The Identifier field MUST be
475 changed each time a Challenge is sent.
477 The Response Identifier MUST be copied from the Identifier field
478 of the Challenge which caused the Response.
482 This field is one octet and indicates the length of the Value
487 The Value field is one or more octets. The most significant octet
488 is transmitted first.
490 The Challenge Value is a variable stream of octets. The
491 importance of the uniqueness of the Challenge Value and its
492 relationship to the secret is described above. The Challenge
493 Value MUST be changed each time a Challenge is sent. The length
494 of the Challenge Value depends upon the method used to generate
495 the octets, and is independent of the hash algorithm used.
497 The Response Value is the one-way hash calculated over a stream of
498 octets consisting of the Identifier, followed by (concatenated
499 with) the "secret", followed by (concatenated with) the Challenge
500 Value. The length of the Response Value depends upon the hash
501 algorithm used (16 octets for MD5).
508 RFC 1994 PPP CHAP August 1996
513 The Name field is one or more octets representing the
514 identification of the system transmitting the packet. There are
515 no limitations on the content of this field. For example, it MAY
516 contain ASCII character strings or globally unique identifiers in
517 ASN.1 syntax. The Name should not be NUL or CR/LF terminated.
518 The size is determined from the Length field.
521 4.2. Success and Failure
525 If the Value received in a Response is equal to the expected
526 value, then the implementation MUST transmit a CHAP packet with
527 the Code field set to 3 (Success).
529 If the Value received in a Response is not equal to the expected
530 value, then the implementation MUST transmit a CHAP packet with
531 the Code field set to 4 (Failure), and SHOULD take action to
534 A summary of the Success and Failure packet format is shown below.
535 The fields are transmitted from left to right.
537 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
538 | Code | Identifier | Length |
539 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
541 +-+-+-+-+-+-+-+-+-+-+-+-+-
551 The Identifier field is one octet and aids in matching requests
552 and replies. The Identifier field MUST be copied from the
553 Identifier field of the Response which caused this reply.
564 RFC 1994 PPP CHAP August 1996
569 The Message field is zero or more octets, and its contents are
570 implementation dependent. It is intended to be human readable,
571 and MUST NOT affect operation of the protocol. It is recommended
572 that the message contain displayable ASCII characters 32 through
573 126 decimal. Mechanisms for extension to other character sets are
574 the topic of future research. The size is determined from the
579 Security Considerations
581 Security issues are the primary topic of this RFC.
583 The interaction of the authentication protocols within PPP are highly
584 implementation dependent. This is indicated by the use of SHOULD
585 throughout the document.
587 For example, upon failure of authentication, some implementations do
588 not terminate the link. Instead, the implementation limits the kind
589 of traffic in the Network-Layer Protocols to a filtered subset, which
590 in turn allows the user opportunity to update secrets or send mail to
591 the network administrator indicating a problem.
593 There is no provision for re-tries of failed authentication.
594 However, the LCP state machine can renegotiate the authentication
595 protocol at any time, thus allowing a new attempt. It is recommended
596 that any counters used for authentication failure not be reset until
597 after successful authentication, or subsequent termination of the
600 There is no requirement that authentication be full duplex or that
601 the same protocol be used in both directions. It is perfectly
602 acceptable for different protocols to be used in each direction.
603 This will, of course, depend on the specific protocols negotiated.
605 The secret SHOULD NOT be the same in both directions. This allows an
606 attacker to replay the peer's challenge, accept the computed
607 response, and use that response to authenticate.
609 In practice, within or associated with each PPP server, there is a
610 database which associates "user" names with authentication
611 information ("secrets"). It is not anticipated that a particular
612 named user would be authenticated by multiple methods. This would
613 make the user vulnerable to attacks which negotiate the least secure
614 method from among a set (such as PAP rather than CHAP). If the same
620 RFC 1994 PPP CHAP August 1996
623 secret was used, PAP would reveal the secret to be used later with
626 Instead, for each user name there should be an indication of exactly
627 one method used to authenticate that user name. If a user needs to
628 make use of different authentication methods under different
629 circumstances, then distinct user names SHOULD be employed, each of
630 which identifies exactly one authentication method.
632 Passwords and other secrets should be stored at the respective ends
633 such that access to them is as limited as possible. Ideally, the
634 secrets should only be accessible to the process requiring access in
635 order to perform the authentication.
637 The secrets should be distributed with a mechanism that limits the
638 number of entities that handle (and thus gain knowledge of) the
639 secret. Ideally, no unauthorized person should ever gain knowledge
640 of the secrets. Such a mechanism is outside the scope of this
646 David Kaufman, Frank Heinrich, and Karl Auerbach used a challenge
647 handshake at SDC when designing one of the protocols for a "secure"
648 network in the mid-1970s. Tom Bearson built a prototype Sytek
649 product ("Poloneous"?) on the challenge-response notion in the 1982-
650 83 timeframe. Another variant is documented in the various IBM SNA
651 manuals. Yet another variant was implemented by Karl Auerbach in the
652 Telebit NetBlazer circa 1991.
654 Kim Toms and Barney Wolff provided useful critiques of earlier
655 versions of this document.
657 Special thanks to Dave Balenson, Steve Crocker, James Galvin, and
658 Steve Kent, for their extensive explanations and suggestions. Now,
659 if only we could get them to agree with each other.
676 RFC 1994 PPP CHAP August 1996
681 [1] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD
682 51, RFC 1661, DayDreamer, July 1994.
684 [2] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC
685 1700, USC/Information Sciences Institute, October 1994.
687 [3] Rivest, R., and S. Dusse, "The MD5 Message-Digest Algorithm",
688 MIT Laboratory for Computer Science and RSA Data Security,
689 Inc., RFC 1321, April 1992.
695 Comments should be submitted to the ietf-ppp@merit.edu mailing list.
697 This document was reviewed by the Point-to-Point Protocol Working
698 Group of the Internet Engineering Task Force (IETF). The working
699 group can be contacted via the current chair:
702 Ascend Communications
703 3518 Riverside Drive, Suite 101
710 Questions about this memo can also be directed to:
712 William Allen Simpson
714 Computer Systems Consulting Services
716 Madison Heights, Michigan 48071
719 wsimpson@GreenDragon.com (preferred)
projects / strongswan.git / blob