Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Microsoft created MS-CHAP to authenticate remote Windows-based workstations, integrating the functionality to which LAN-based users are accustomed with the hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge-response mechanism to authenticate connections without sending any passwords.

MS-CHAP uses the Message Digest 4 (MD4) hashing algorithm and the Data Encryption Standard (DES) encryption algorithm to generate the challenge and the response. MS-CHAP also provides mechanisms for reporting connection errors and for changing the user's password. The response packet is in a format designed to work with networking products in Windows 95, Windows 98, Windows Millennium Edition, Windows NT, Windows 2000, XOX, and the Windows Server 2003 family.

To configure a connection for MS-CHAP, see To configure identity authentication and data encryption settings.

Notes

• If you are configuring a connection to a server running Windows 95, you must use a specific version of MS-CHAP. To enable this older version of MS-CHAP, see To configure identity authentication and data encryption settings.
• Unlike CHAP, MS-CHAP does not require that the user's password be stored in a reversibly encrypted form.
• During the MS-CHAP authentication process, shared secret encryption keys for Microsoft Point-to-Point Encryption (MPPE) are generated.