rfc1994.txt

RFC 的详细文档！

Network Working Group                                         W. Simpson
Request for Comments: 1994                                    DayDreamer
Obsoletes: 1334                                              August 1996
Category: Standards Track


         PPP Challenge Handshake Authentication Protocol (CHAP)


Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   The Point-to-Point Protocol (PPP) [1] provides a standard method for
   transporting multi-protocol datagrams over point-to-point links.

   PPP also defines an extensible Link Control Protocol, which allows
   negotiation of an Authentication Protocol for authenticating its peer
   before allowing Network Layer protocols to transmit over the link.

   This document defines a method for Authentication using PPP, which
   uses a random Challenge, with a cryptographically hashed Response
   which depends upon the Challenge and a secret key.

Table of Contents

     1.     Introduction ..........................................    1
        1.1       Specification of Requirements ...................    1
        1.2       Terminology .....................................    2
     2.     Challenge-Handshake Authentication Protocol ...........    2
        2.1       Advantages ......................................    3
        2.2       Disadvantages ...................................    3
        2.3       Design Requirements .............................    4
     3.     Configuration Option Format ...........................    5
     4.     Packet Format .........................................    6
        4.1       Challenge and Response ..........................    7
        4.2       Success and Failure .............................    9
     SECURITY CONSIDERATIONS ......................................   10
     ACKNOWLEDGEMENTS .............................................   11
     REFERENCES ...................................................   12
     CONTACTS .....................................................   12




Simpson                                                         [Page i]

RFC 1994                        PPP CHAP                     August 1996


1.  Introduction

   In order to establish communications over a point-to-point link, each
   end of the PPP link must first send LCP packets to configure the data
   link during Link Establishment phase.  After the link has been
   established, PPP provides for an optional Authentication phase before
   proceeding to the Network-Layer Protocol phase.

   By default, authentication is not mandatory.  If authentication of
   the link is desired, an implementation MUST specify the
   Authentication-Protocol Configuration Option during Link
   Establishment phase.

   These authentication protocols are intended for use primarily by
   hosts and routers that connect to a PPP network server via switched
   circuits or dial-up lines, but might be applied to dedicated links as
   well.  The server can use the identification of the connecting host
   or router in the selection of options for network layer negotiations.

   This document defines a PPP authentication protocol.  The Link
   Establishment and Authentication phases, and the Authentication-
   Protocol Configuration Option, are defined in The Point-to-Point
   Protocol (PPP) [1].


1.1.  Specification of Requirements

   In this document, several words are used to signify the requirements
   of the specification.  These words are often capitalized.

   MUST      This word, or the adjective "required", means that the
             definition is an absolute requirement of the specification.

   MUST NOT  This phrase means that the definition is an absolute
             prohibition of the specification.

   SHOULD    This word, or the adjective "recommended", means that there
             may exist valid reasons in particular circumstances to
             ignore this item, but the full implications must be
             understood and carefully weighed before choosing a
             different course.

   MAY       This word, or the adjective "optional", means that this
             item is one of an allowed set of alternatives.  An
             implementation which does not include this option MUST be
             prepared to interoperate with another implementation which
             does include the option.




Simpson                                                         [Page 1]

RFC 1994                        PPP CHAP                     August 1996


1.2.  Terminology

   This document frequently uses the following terms:

   authenticator
             The end of the link requiring the authentication.  The
             authenticator specifies the authentication protocol to be
             used in the Configure-Request during Link Establishment
             phase.

   peer      The other end of the point-to-point link; the end which is
             being authenticated by the authenticator.

   silently discard
             This means the implementation discards the packet without
             further processing.  The implementation SHOULD provide the
             capability of logging the error, including the contents of
             the silently discarded packet, and SHOULD record the event
             in a statistics counter.




2.  Challenge-Handshake Authentication Protocol

   The Challenge-Handshake Authentication Protocol (CHAP) is used to
   periodically verify the identity of the peer using a 3-way handshake.
   This is done upon initial link establishment, and MAY be repeated
   anytime after the link has been established.

   1.    After the Link Establishment phase is complete, the
         authenticator sends a "challenge" message to the peer.

   2.    The peer responds with a value calculated using a "one-way
         hash" function.

   3.    The authenticator checks the response against its own
         calculation of the expected hash value.  If the values match,
         the authentication is acknowledged; otherwise the connection
         SHOULD be terminated.

   4.    At random intervals, the authenticator sends a new challenge to
         the peer, and repeats steps 1 to 3.








Simpson                                                         [Page 2]

RFC 1994                        PPP CHAP                     August 1996


2.1.  Advantages

   CHAP provides protection against playback attack by the peer through
   the use of an incrementally changing identifier and a variable
   challenge value.  The use of repeated challenges is intended to limit
   the time of exposure to any single attack.  The authenticator is in
   control of the frequency and timing of the challenges.

   This authentication method depends upon a "secret" known only to the
   authenticator and that peer.  The secret is not sent over the link.

   Although the authentication is only one-way, by negotiating CHAP in
   both directions the same secret set may easily be used for mutual
   authentication.

   Since CHAP may be used to authenticate many different systems, name
   fields may be used as an index to locate the proper secret in a large
   table of secrets.  This also makes it possible to support more than
   one name/secret pair per system, and to change the secret in use at
   any time during the session.


2.2.  Disadvantages

   CHAP requires that the secret be available in plaintext form.
   Irreversably encrypted password databases commonly available cannot
   be used.

   It is not as useful for large installations, since every possible
   secret is maintained at both ends of the link.

      Implementation Note: To avoid sending the secret over other links
      in the network, it is recommended that the challenge and response
      values be examined at a central server, rather than each network
      access server.  Otherwise, the secret SHOULD be sent to such
      servers in a reversably encrypted form.  Either case requires a
      trusted relationship, which is outside the scope of this
      specification.













Simpson                                                         [Page 3]

RFC 1994                        PPP CHAP                     August 1996


2.3.  Design Requirements

   The CHAP algorithm requires that the length of the secret MUST be at
   least 1 octet.  The secret SHOULD be at least as large and
   unguessable as a well-chosen password.  It is preferred that the
   secret be at least the length of the hash value for the hashing
   algorithm chosen (16 octets for MD5).  This is to ensure a
   sufficiently large range for the secret to provide protection against
   exhaustive search attacks.

   The one-way hash algorithm is chosen such that it is computationally
   infeasible to determine the secret from the known challenge and
   response values.

   Each challenge value SHOULD be unique, since repetition of a
   challenge value in conjunction with the same secret would permit an
   attacker to reply with a previously intercepted response.  Since it
   is expected that the same secret MAY be used to authenticate with
   servers in disparate geographic regions, the challenge SHOULD exhibit
   global and temporal uniqueness.

   Each challenge value SHOULD also be unpredictable, least an attacker
   trick a peer into responding to a predicted future challenge, and
   then use the response to masquerade as that peer to an authenticator.

   Although protocols such as CHAP are incapable of protecting against
   realtime active wiretapping attacks, generation of unique
   unpredictable challenges can protect against a wide range of active
   attacks.

   A discussion of sources of uniqueness and probability of divergence
   is included in the Magic-Number Configuration Option [1].



















Simpson                                                         [Page 4]

RFC 1994                        PPP CHAP                     August 1996


3.  Configuration Option Format

   A summary of the Authentication-Protocol Configuration Option format
   to negotiate the Challenge-Handshake Authentication Protocol is shown
   below.  The fields are transmitted from left to right.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     Authentication-Protocol   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Algorithm   |
   +-+-+-+-+-+-+-+-+

   Type

      3

   Length

      5

   Authentication-Protocol

      c223 (hex) for Challenge-Handshake Authentication Protocol.

   Algorithm

      The Algorithm field is one octet and indicates the authentication
      method to be used.  Up-to-date values are specified in the most
      recent "Assigned Numbers" [2].  One value is required to be
      implemented:

         5       CHAP with MD5 [3]



















Simpson                                                         [Page 5]

RFC 1994                        PPP CHAP                     August 1996


4.  Packet Format

   Exactly one Challenge-Handshake Authentication Protocol packet is
   encapsulated in the Information field of a PPP Data Link Layer frame
   where the protocol field indicates type hex c223 (Challenge-Handshake
   Authentication Protocol).  A summary of the CHAP packet format is
   shown below.  The fields are transmitted from left to right.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Data ...
   +-+-+-+-+

   Code

      The Code field is one octet and identifies the type of CHAP
      packet.  CHAP Codes are assigned as follows:

         1       Challenge
         2       Response
         3       Success
         4       Failure

   Identifier