Challenge-Handshake Authentication Protocol (CHAP) is a remote access authentication protocol in which no password is directly transmitted. Instead, the client attempting to authenticate is issued a mathematical challenge value by the authenticator. The client then combines this challenge with its password and computes a one-way hash of the combined value. This hash is transmitted over the channel. The authenticator then recomputes the combined challenge and password hash, based on the password value it expects the client to have used. If the received hash matches the expected value, the connection is authorized. This process is known as the CHAP three-way handshake.
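The handshake described above, as an added example that is not part of the original entry: both sides of the exchange, with the response computed as MD5 over Identifier, secret and Challenge as RFC 1994 specifies for CHAP. The `Authenticator` class, the `run_handshake` helper and the sample account are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Hypothetical authenticator holding each peer's expected secret."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets
        self.next_id = 0
        self.pending: dict[int, bytes] = {}  # identifier -> outstanding challenge

    def challenge(self) -> tuple[int, bytes]:
        # Step 1: issue a fresh, unpredictable challenge under a new identifier.
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident]

    def verify(self, name: str, ident: int, response: bytes) -> bool:
        # Step 3: recompute the hash from the expected secret and compare.
        # pop() makes every challenge single-use, so a captured response
        # cannot be replayed against the same identifier.
        chal = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


def run_handshake(auth: Authenticator, name: str, client_secret: bytes):
    """Run the three steps; return (authorized, captured (identifier, response))."""
    ident, chal = auth.challenge()                     # 1. Challenge
    resp = chap_response(ident, client_secret, chal)   # 2. Response (hash only)
    return auth.verify(name, ident, resp), (ident, resp)  # 3. Success/Failure


if __name__ == "__main__":
    auth = Authenticator({"alice": b"correct horse"})  # constructed sample account
    print(run_handshake(auth, "alice", b"correct horse")[0])
    print(run_handshake(auth, "alice", b"wrong guess")[0])
```

Only the 16-byte hash crosses the channel, and because each challenge is random and consumed on use, a response recorded from one handshake fails when presented again.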
CHAP is generally more secure than the alternative approach, Password Authentication Protocol (PAP). MS-CHAP is a variant of CHAP.
See RFC 1334.