HP ProCurve 7000dl Series Basic Management And Configuration Manual page 308

Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces
Configuring the Logical Interface
6-12
PAP. PAP is the simplest possible authentication scheme. It requires a two-
way message exchange. One peer sends the password previously agreed upon
to the other peer, which is called the authenticator. The authenticator looks
up the password in its database. If the password matches, the authenticator
returns an authentication acknowledge. The two peers can then send NCPs
to negotiate the Network Layer protocols. If this negotiation is successful, the
PPP session is established.
With PAP, the two peers authenticate only once, and the username and
password are sent in clear text across the connecting private circuit. Because
PAP sends the password directly over the wire, anyone capable of tapping into
the wire can intercept it.
CHAP. CHAP solves the security problem of PAP by hashing the password
and sending the hash value instead of the password over the wire. CHAP
follows the process shown in Figure 6-4:
1. The authenticator challenges the peer.
2. The peer combines its password with a string of text and calculates a hash
value using the Message Digest 5 (MD5) algorithm. (The password is
irreversibly encrypted.) The peer sends the hash value to the
authenticator.
3. The authenticator knows both the agreed-upon string of text and the
peer's password. The authenticator performs the same hashing calcula-
tion and compares its hash value to the hash value sent by the peer.
4. If the hash values match, the authenticator acknowledges the peer, and
the peers proceed to exchange NCPs. If the hash values do not match, the
authenticator continues to issue challenges until the peer returns a match-
ing hash value or runs out of retry attempts.
Because the encryption prevents hackers from hijacking a password, CHAP
provides increased security. In addition, CHAP requires peers to reauthen-
ticate themselves from time to time.