why is PAP more secure than CHAP?

Posted on 2010-09-14
Medium Priority
Last Modified: 2012-05-10
What are the features that make PAP security better than CHAP security?
Question by:matthewharris38
1 Comment
LVL 44

Accepted Solution

Adam Brown earned 500 total points
ID: 33674276
Actually, PAP is much *less* security than CHAP, because PAP actually sends authentication information unencrypted over the network (Please read the wiki on PAP: http://en.wikipedia.org/wiki/Password_authentication_protocol). Unless clients are using Windows 95 or some other really old client OS to connect remotely, PAP is *not* a good thing to use. CHAP, on the other hand, transmits a challenge request to a client, which is based on the client's authentication information, and the client then responds with a hashed value that the server then checks against an expected result. If the result matches the expected result, the connection is then established. CHAP performs this check at random intervals for the duration of the remote session.

Now, if you happen to be referring to PEAP and not PAP, PEAP is significantly better than CHAP because it uses stronger algorithms and also involves a bit of Public Key cryptography to secure authentication traffic. PEAP utilizes TLS to encrypt authentication traffic. In order to work properly, PEAP requires the connection server to have a PKI certificate installed in order to encrypt traffic. Stronger versions of PEAP can utilize smart cards for authentication with full Public Key Cryptography.

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
A discussion about Penetration Testing and the Tools used to help achieve this important task.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question