Although no network can be made perfectly secure from intrusion, PAP and CHAP do provide at least a minimum set of "front-door keys" that can help protect your network. The limitations of each method are described below:
PAP is a simple method where the remote node establishes its identity using a "two-way handshake." The remote sends its User Name/Password pair, and if the pair is correct the host acknowledges the remote; otherwise it rejects the attempt. With this method, authentication happens once, when the Data Link is established, and is never repeated while the Link is "up."
PAP is not a robust authentication protocol. Passwords are sent across the link in plain text, so anyone who can record the initial handshake obtains the User Name/Password pair and can simply send it again later. Also, if the Passwords chosen are not very "strong" (i.e., User Name = username, Password = password), an intruder may be able to just guess the correct combination.
CHAP is used to periodically verify the identity of the remote node using a "three-way handshake." This is first done when the Data Link is established and is repeated at random times afterwards whenever the Link is "up."
Once the Data Link is established, the host sends a "challenge" message (a fresh, unpredictable value) to the remote. The remote computes a one-way hash over the challenge and the shared secret (MD5 in standard CHAP) and returns the hash, not the secret, to the host. The host performs the same calculation with its own copy of the secret and, if the two match, acknowledges the remote. If the response is wrong, the remote is disconnected.
This improves on the PAP method because the secret never crosses the link and each challenge is different, so an intruder who recorded an earlier exchange cannot just replay the response to gain access. Since the challenges are repeated at random, the remote must be able to calculate the correct response each time or else the Data Link is terminated. This limits the exposure time of the network to possible attack. Even if an intruder gained initial access to the system, it is not likely that they could keep up with the challenge messages unless they actually had the correct User Name and secret. CHAP does not remove the need for strong secrets, however: an intruder who records a challenge and its response can test guesses against that pair offline, and the host must keep each secret in a form it can recover, since it needs the secret itself to recompute the hash.
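The following is an added example, not code from the original help page or its product. It writes out both sides of the CHAP exchange described above using the MD5 construction from RFC 1994, shows that a recorded response fails against the next challenge, and then shows the remaining weakness: a captured challenge/response pair lets an intruder test guesses for a weak secret offline. The user names, secrets and word list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# RFC 1994 CHAP, algorithm 5: Response = MD5(Identifier || Secret || Challenge).
# The Authenticator class and the user table are constructed for this example.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of the handshake: hash the packet identifier, the shared secret
    and the challenge. Only this digest crosses the link; the secret never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Host side: holds the secret for each user name, issues challenges, checks responses."""

    def __init__(self, secrets: Dict[str, bytes]):
        # The host needs the plaintext secret to recompute the digest, so it
        # cannot store a one-way hash of it the way a PAP host could.
        self.secrets = secrets
        self.identifier = 0
        self.outstanding: Optional[Tuple[int, bytes]] = None

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1: send a fresh Identifier and an unpredictable Challenge value."""
        self.identifier = (self.identifier + 1) & 0xFF
        challenge = os.urandom(16)
        self.outstanding = (self.identifier, challenge)
        return self.identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: Success if the Response matches our own digest, otherwise Failure."""
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False  # no challenge pending, or a stale identifier
        _, challenge = self.outstanding
        self.outstanding = None  # a challenge may be answered exactly once
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def legitimate_peer_authenticates(host: Authenticator, name: str, secret: bytes) -> bool:
    """Full three-way handshake for a peer that knows the secret."""
    identifier, challenge = host.challenge()
    return host.verify(identifier, name, chap_response(identifier, secret, challenge))


def replayed_response_is_rejected(host: Authenticator, name: str, secret: bytes) -> bool:
    """An eavesdropper records one Response and sends it again on the next challenge.
    Returns the host's verdict on the replay (False means the replay was refused)."""
    identifier, challenge = host.challenge()
    captured = chap_response(identifier, secret, challenge)
    host.verify(identifier, name, captured)             # the genuine session succeeds
    new_identifier, _ = host.challenge()                 # host re-challenges later
    return host.verify(new_identifier, name, captured)   # different challenge, so this fails


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist: List[bytes]) -> Optional[bytes]:
    """The remaining weakness: a captured challenge/response pair can be tested against
    guesses without ever talking to the host, so a weak secret still falls quickly."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    host = Authenticator({"alice": b"correct horse battery"})
    print("legitimate peer accepted:", legitimate_peer_authenticates(host, "alice", b"correct horse battery"))
    print("replayed response accepted:", replayed_response_is_rejected(host, "alice", b"correct horse battery"))
    weak_host = Authenticator({"bob": b"password"})
    ident, chal = weak_host.challenge()
    captured = chap_response(ident, b"password", chal)
    print("secret recovered offline:", offline_guess(ident, chal, captured, [b"letmein", b"password", b"123456"]))
```

The `verify` method discards the outstanding challenge after one answer, so even a response that arrives a second time within the same session is refused; a real implementation would additionally send the CHAP Success or Failure packet and tear the link down on Failure.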