Technical data

120 Theoretical and general applications www.westermo.com
PAP works much like a user logging in at a terminal: you state your user name and password. Authentication takes place only once, when the connection is being established, never while communication is in progress.

The PAP procedure starts with one of the parties sending an Authenticate-Request containing the name and password. This packet is repeated until the opposite party responds.

When the name and password are accepted, the recipient answers with an Authenticate-Ack. Otherwise an Authenticate-Nak is sent as the answer, and the recipient disconnects the connection.

The fact that the name and password are transmitted in plain text over the link makes PAP a relatively vulnerable authentication method. The password can easily be intercepted through tapping, and there is no protection against repeated trial-and-error attacks.

CHAP involves significantly improved security compared to PAP. CHAP uses an encrypted password in a three-step procedure. Furthermore, authentication takes place when the link is established and can then be repeated at any time. The idea behind the periodic repetition is to limit the time that the system is open to attack. It is always the authenticator (recipient) that determines how often authentication takes place. The three steps of authentication are:

1. When the link is established, one of the parties (the authenticator) sends a challenge to the peer.
2. The peer calculates an encrypted value based on the challenge and its password. The encrypted value is returned to the authenticator.
3. The authenticator makes an equivalent calculation (the challenge and the peer's password are known) and then compares the expected value with the value from the peer. When the values are identical, authentication is confirmed; otherwise the connection is terminated.
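
The three steps above, as an added example that is not part of the original handbook: a Python sketch of the CHAP exchange using the calculation defined in RFC 1994 (an MD5 one-way hash over the identifier, the shared secret and the challenge). The class name, function names and the secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 value: MD5 over identifier octet || shared secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Hypothetical authenticator: knows the peer's secret, issues challenges."""

    def __init__(self, secret):
        self._secret = secret
        self._identifier = 0
        self._challenge = b""

    def new_challenge(self):
        # Step 1: a new identifier and an unpredictable challenge for every round.
        self._identifier = (self._identifier + 1) % 256
        self._challenge = os.urandom(16)
        return self._identifier, self._challenge

    def verify(self, identifier, response):
        # Step 3: recompute the expected value and compare in constant time.
        if identifier != self._identifier or not self._challenge:
            return False
        expected = chap_response(identifier, self._secret, self._challenge)
        self._challenge = b""  # each challenge is good for one attempt only
        return hmac.compare_digest(expected, response)


def run_demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    auth = Authenticator(secret)

    ident, chal = auth.new_challenge()
    resp = chap_response(ident, secret, chal)  # Step 2, performed by the peer
    accepted = auth.verify(ident, resp)

    # Periodic re-authentication: a value captured from the earlier round
    # does not match the fresh challenge, unlike a replayed PAP password.
    ident2, _ = auth.new_challenge()
    replay_accepted = auth.verify(ident2, resp)

    ident3, chal3 = auth.new_challenge()
    wrong = chap_response(ident3, b"wrong-secret", chal3)
    return {"accepted": accepted, "replay_accepted": replay_accepted,
            "wrong_secret_accepted": auth.verify(ident3, wrong)}
```

Only the identifier, the challenge and the 16-byte hash cross the link; the secret itself is never transmitted, which is the difference from PAP's Authenticate-Request.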