Document: Appendix D: Authentication in CHAP, MS-CHAP, and MS-CHAP v2 (docx)


Appendix D: Authentication in CHAP, MS-CHAP, and MS-CHAP v2

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

CHAP

Challenge Handshake Authentication Protocol (CHAP) authentication is an exchange of three messages:

1. The remote access server sends a CHAP Challenge message containing a session ID and an arbitrary challenge string.
2. The remote access client returns a CHAP Response message containing the user name in plain text and a hash of the challenge string, session ID, and the client's password using the MD5 one-way hashing algorithm.
3. The remote access server duplicates the hash and compares it to the hash in the CHAP Response. If the hashes are the same, the remote access server sends back a CHAP Success message. If the hashes are different, a CHAP Failure message is sent.

MS-CHAP

MS-CHAP authentication is an exchange of three messages:

1. The remote access server sends an MS-CHAP Challenge message containing a session ID and an arbitrary challenge string.
2. The remote access client returns an MS-CHAP Response message containing the user name in plain text and a hash of the challenge string, session ID, and the MD4 hash of the client's password using the MD4 one-way hashing algorithm.
3. The remote access server duplicates the hash and compares it to the hash in the MS-CHAP Response. If the hashes are the same, the remote access server sends back an MS-CHAP Success message. If the hashes are different, an MS-CHAP Failure message is sent.

MS-CHAP v2

MS-CHAP v2 authentication is an exchange of four steps:

1. The remote access server sends an MS-CHAP v2 Challenge message to the remote access client that consists of a session identifier and an arbitrary challenge string.
2. The remote access client sends an MS-CHAP v2 Response message that contains:
   • The user name.
   • An arbitrary peer challenge string.
   • A Secure Hash Algorithm (SHA) hash of the received challenge string, the peer challenge string, the session identifier, and the MD4-hashed version of the user's password.
3. The remote access server checks the MS-CHAP v2 Response message from the client and sends back an MS-CHAP v2 Response message that contains:
   • An indication of the success or failure of the connection attempt.
   • An authenticated response based on the sent challenge string, the peer challenge string, the client's encrypted response, and the user's password.
4. The remote access client verifies the authentication response and, if it is correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
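The three-message CHAP exchange from the CHAP section above, with both the client and server sides, as an added example that is not part of the original appendix. The concatenation order (session ID octet, password, challenge) follows RFC 1994, which the appendix does not spell out; the names `chap_response`, `ChapServer` and `demo` and the sample account are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(session_id: int, password: bytes, challenge: bytes) -> bytes:
    # MD5 over: one-octet session ID, then the password, then the challenge.
    return hashlib.md5(bytes([session_id]) + password + challenge).digest()

class ChapServer:
    """Remote access server side: issues challenges and checks responses."""
    def __init__(self, accounts: dict[str, bytes]):
        # The server must hold the password itself (not a salted hash) to
        # duplicate the client's hash, so this store is plaintext-equivalent.
        self.accounts = accounts
        self.pending = {}   # session_id -> outstanding challenge
        self.next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        session_id = self.next_id
        self.next_id = (self.next_id + 1) % 256   # identifier is one octet
        value = os.urandom(16)                    # fresh, unpredictable challenge
        self.pending[session_id] = value
        return session_id, value

    def verify(self, session_id: int, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(session_id, None)   # each challenge is single use
        password = self.accounts.get(user)
        if challenge is None or password is None:
            return False                                 # CHAP Failure
        expected = chap_response(session_id, password, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare

def demo() -> dict[str, bool]:
    server = ChapServer({"alice": b"correct horse"})     # constructed sample account
    sid, chal = server.challenge()
    good = chap_response(sid, b"correct horse", chal)
    results = {"valid": server.verify(sid, "alice", good)}
    sid2, _ = server.challenge()                         # earlier response, new challenge
    results["replayed"] = server.verify(sid2, "alice", good)
    sid3, chal3 = server.challenge()
    bad = chap_response(sid3, b"guess", chal3)
    results["wrong_password"] = server.verify(sid3, "alice", bad)
    return results

if __name__ == "__main__":
    print(demo())
```

Because the response covers the session ID and a fresh challenge, a captured response fails against any later challenge; the protection depends on the server never reusing a challenge value.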

Date posted: 18/01/2014, 05:20
