MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol (CHAP).
Versions
The protocol exists in two versions, MS-CHAPv1 (defined in ) and MS-CHAPv2 (defined in ). MS-CHAPv2 was introduced with pptp3-fix, which was included in Windows NT 4.0 SP4, and was added to Windows 98 in the "Windows 98 Dial-Up Networking Security Upgrade Release" and to Windows 95 in the "Dial Up Networking 1.3 Performance & Security Update for MS Windows 95" upgrade. Windows Vista dropped support for MS-CHAPv1.
Applications
MS-CHAP is used as one authentication option in Microsoft's implementation of the PPTP protocol for virtual private networks. It is also used as an authentication option with RADIUS servers, which are used with IEEE 802.1X (e.g., Wi-Fi security using the WPA-Enterprise protocol). It is further used as the main authentication option of the Protected Extensible Authentication Protocol (PEAP).
Features
Compared with CHAP, MS-CHAP works by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3, Authentication Protocol. It provides an authenticator-controlled password change mechanism and an authenticator-controlled authentication retry mechanism, and it defines failure codes returned in the Failure packet message field.
MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the response packet and an authenticator response on the success packet.
MS-CHAP requires each peer to either know the plaintext password or an MD4 hash of the password, and it does not transmit the password over the link. As such, it is not compatible with most password storage formats, which keep only a salted or iterated hash from which the MD4 hash cannot be recovered.
Flaws
Weaknesses have been identified in MS-CHAP and MS-CHAPv2. The DES encryption used in NTLMv1 and MS-CHAPv2 to encrypt the NTLM password hash enables brute-force attacks with custom hardware.
As of 2012, MS-CHAP had been completely broken. The divide-and-conquer attack only requires breaking a single DES key, which is not difficult with modern GPUs and FPGAs. MS-CHAP as a whole can be viewed as a smoke-and-mirrors protocol, in that ~80% of the protocol provides no real security; it only makes the construction very complicated and thus makes it appear infeasible to crack. In reality, this ~80% consists of messages that are either sent in plaintext or easily derived from those sent in plaintext. The actual security core is reduced to the NTLM password hash and the DES encryptions keyed by that hash, which is fundamentally weak.
Starting with Windows 11 22H2, where Windows Defender Credential Guard is enabled by default, users can no longer authenticate with MS-CHAPv2. Microsoft recommends moving from MS-CHAPv2-based connections to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
See also
* EFF DES cracker