PAP (Password Authentication Protocol) is a simple plaintext authentication method. NAS (Network Access Server) requires users to provide user names and passwords, and PAP returns user information in plaintext. Obviously, this authentication method is less secure. A third party can easily obtain the transferred user name and password, and use this information to establish a connection with Nas to obtain all the resources provided by Nas. Therefore, once a user's password is stolen by a third party, Pap cannot provide protection measures to avoid being attacked by a third party.
Chap (challenge-handshake verification protocol challenge-Handshake Authentication Protocol) is an encrypted authentication method that prevents the user's real password from being transmitted when a connection is established. NAS sends a challenge password (Challenge) to remote users, including the session ID and an arbitrary challenge string (arbitrary challengestring ). Remote customers must use MD5 one-way hashAlgorithm(One-way hashing algorithm) returns the user name and the challenge password for encryption, session ID, and user password. The user name is sent in non-Hash mode.
Chap improves pap and does not directly send plaintext passwords through links. Instead, it uses challenge passwords to encrypt passwords using hash algorithms. Because the server contains the client's plaintext password, the server can repeat the operations performed by the client and compare the results with the password returned by the user. Chap generates a challenge string for each verification to prevent replay attacks (replay attack ). Throughout the connection process, chap repeatedly sends the challenge password to the client from time to prevent the remote client impersonation attack by the 3rd party.
For more information about chap, see rfc1994.