MS-CHAP

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP. The protocol exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MS-CHAPv2 was introduced with Windows NT 4.0 SP4 and was added to Windows 98 in the "Windows 98 Dial-Up Networking Security Upgrade Release"[1] and Windows 95 in the "Dial Up Networking 1.3 Performance & Security Update for MS Windows 95" upgrade. Windows Vista dropped support for MS-CHAPv1.

MS-CHAP is used as one authentication option in Microsoft's implementation of the PPTP protocol for virtual private networks. It is also used as an authentication option with RADIUS[2] servers which are used with IEEE 802.1X (e.g., WiFi security using the WPA-Enterprise protocol). It is further used as the main authentication option of the Protected Extensible Authentication Protocol (PEAP).

Compared with CHAP,[3] MS-CHAP:[4][5]

  • is enabled by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3, Authentication Protocol
  • provides an authenticator-controlled password change mechanism
  • provides an authenticator-controlled authentication retry mechanism
  • defines failure codes returned in the Failure packet message field

MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.

Cryptanalysis[edit]

Several weaknesses have been identified in MS-CHAP and MS-CHAPv2[6]. The DES encryption used in NTLMv1 to encrypt the NTLM password hash make custom hardware attacks utilizing the method of brute force feasible. In 2012 the complexity of breaking MS-CHAPv2 has been reduced to that of breaking a single 56-bit DES key encryption[7].

See also[edit]

References[edit]

  1. ^ "Windows 98 Dial-Up Networking Security Upgrade Release Notes (August 1998)". Support. Microsoft. August 1998.
  2. ^ Microsoft Vendor-specific RADIUS Attributes. doi:10.17487/RFC2548. RFC 2548. https://tools.ietf.org/html/rfc2548. 
  3. ^ PPP Challenge Handshake Authentication Protocol (CHAP). doi:10.17487/RFC1994. RFC 1994. https://tools.ietf.org/html/rfc1994. 
  4. ^ Microsoft PPP CHAP Extensions. doi:10.17487/RFC2433. RFC 2433. https://tools.ietf.org/html/rfc2433. 
  5. ^ Microsoft PPP CHAP Extensions, Version 2. doi:10.17487/RFC2759. RFC 2759. https://tools.ietf.org/html/rfc2759. 
  6. ^ Schneier, Bruce; Mudge; Wagner, David (19 October 1999). "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)" (PDF). schneier.com.
  7. ^ Eisinger, Jochen (23 July 2001). "Exploiting known security holes in Microsoft's PPTP Authentication Extensions (MS-CHAPv2)" (PDF). penguin-breeder.org.