In computing, the Challenge-Handshake Authentication Protocol (CHAP) is an authentication protocol used to log on a user to an Internet access provider.

It is defined in RFC 1994.

CHAP is used to periodically verify the identity of the client by using a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established. The client and the server share a secret from before (like client's password).

1. After the Link Establishment phase is complete, the authenticator sends a "challenge" message to the peer.
2. The peer responds with a value calculated using a "one-way hash" function.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection should be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3.

See also

• Password Authentication Protocol
• Challenge-response test