Friday, 29 April 2011

Point-to-Point authentication (PAP Vs. CHAP)

In computer networking, an authentication protocol lets two nodes that want to exchange data prove their identity to each other before the exchange begins. PPP encapsulation offers two main authentication protocols: PAP and CHAP.

The Point-to-Point Protocol, or PPP for short, is a layer 2 protocol used to connect two nodes directly over a serial link. PAP and CHAP do not encrypt the data; they let each node confirm the identity of the other before any data is transmitted.

The Password Authentication Protocol, or PAP, is rarely used nowadays. It is the less secure of the two: like Telnet, it sends the username and password in plain (clear) text over the medium. Anyone with a simple packet sniffer on the link can read the password, and we all know what happens next.

CHAP, the Challenge Handshake Authentication Protocol, is considerably more secure, although not unbreakable. Here is how it works: CHAP never sends the password over the medium. The password (the shared secret) is configured on both nodes. The authenticating node sends a random challenge; the other node replies with its name and an MD5 hash computed over the packet identifier, the shared secret and the challenge; the authenticator computes the same hash from its own copy of the secret and compares the two. Because the challenge is random and different every time, a captured response cannot simply be replayed later.
CHAP does not use encryption at all; hashing is different from encryption. Encryption scrambles the original data at the source, and the receiving node applies the decryption key to recover the original data. A hash cannot be run backwards: the only way to recover the secret from a captured challenge and response is to guess candidate secrets and recompute the hash, so a weak shared secret is still exposed to an offline dictionary attack.

Let's see this on a Cisco router. First, the password configuration on the router:


After we have configured the enable password and the enable secret and issued the service password-encryption command, the show run output is as shown below.


Now we can simply search for a Cisco type 7 password decrypter on the internet, paste in the encrypted string and get it back in clear text, as seen below.
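The same reversal done locally, as an added example that is not part of the original post (and not Cisco's code): a Python decoder and encoder for type 7 strings, plus a small audit that walks a show run excerpt and separates what is reversible from what is only a hash. The XOR table is Cisco's long-published fixed key. The show run text is constructed for the example, and the type 5 line in it is a placeholder rather than a real MD5-crypt digest; 0822455D0A16 and 094F471A1A0A are both type 7 encodings of the word cisco under different seeds.

```python
import re

# Cisco's fixed type 7 key table (published constant). A type 7 string is a
# two-digit decimal seed followed by hex bytes; each byte is the plaintext
# character XORed with the table entry at (seed + position).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a 'password 7 ...' string back to clear text."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode()


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Produce the same obfuscation IOS applies; seeds on real devices are 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    data = plaintext.encode()
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}" + body.hex().upper()


# Constructed show run excerpt for the example (not from a real device).
# The type 5 value is a placeholder, not a genuine MD5-crypt digest.
SHOW_RUN = """\
enable secret 5 $1$constructed$notARealMd5CryptDigest
enable password 7 0822455D0A16
username R2 password 7 094F471A1A0A
"""

LINE_RE = re.compile(
    r"^(?P<where>enable|username \S+) (?P<kind>password|secret) (?P<type>\d+) (?P<value>\S+)$"
)


def audit_show_run(text: str):
    """Return (where, kind, verdict, recovered_cleartext_or_None) per credential line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["type"] == "7":
            findings.append((m["where"], m["kind"], "type 7: reversible", type7_decode(m["value"])))
        elif m["type"] == "5":
            findings.append((m["where"], m["kind"], "type 5: salted MD5, one-way (guessable offline only)", None))
        else:
            findings.append((m["where"], m["kind"], f"type {m['type']}", None))
    return findings


if __name__ == "__main__":
    for where, kind, verdict, clear in audit_show_run(SHOW_RUN):
        print(f"{where:12s} {kind:9s} {verdict}" + (f" -> {clear}" if clear else ""))
```

Running the audit on your own configs locally is the point: a config with type 7 strings is effectively a clear-text config, so it should never be pasted into a random web decrypter, which simply hands the passwords to whoever runs the site.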


Encryption of this kind can be reversed or broken, so it is not recommended. Hashing instead uses a one-way function to compute a value from the password, and it is that value, not the password, that is sent over the medium to the receiving node. Remember that this is hashing, not encryption.

The only way the receiving router can authenticate the sender is if it has the same password configured: the same password, identifier and challenge produce the same hash on both nodes.

Therefore, for CHAP to work correctly over PPP, the same password must be configured on both the sending and the receiving machine. The password itself is never sent over the link; only the hash, the result of the MD5 computation over identifier, secret and challenge, is. One practical consequence on Cisco routers: the CHAP password is configured with username <remote-hostname> password <secret>, and it has to be stored in a recoverable form (clear text or type 7), because the router needs the actual secret to compute the hash; a one-way username ... secret entry cannot be used for CHAP. See below
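The exchange described above, as an added example that is not part of the original post: a toy authenticator and peer implementing CHAP with MD5 as specified in RFC 1994, where the Response Value is MD5(Identifier || secret || Challenge Value) and the Response packet carries that value together with the peer's name. The peer name R2 and the secret cisco are assumptions for the demo. The offline_guess function is the attacker's view of a sniffed challenge and response, and shows why the shared secret still has to be strong even though it never crosses the wire.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges; it must hold each peer's secret in usable form."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # peer name -> shared secret (bytes)
        self.outstanding = {}          # identifier -> challenge value still awaiting a response

    def challenge(self, identifier=None, value=None):
        # Fresh random identifier and 16-byte challenge unless fixed ones are supplied
        # (fixed values are only for reproducible demos and tests).
        if identifier is None:
            identifier = os.urandom(1)[0]
        if value is None:
            value = os.urandom(16)
        self.outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        # Each challenge is consumed once, so a captured response cannot be replayed.
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated; it answers with its name and the hash, never the secret."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth, peer, identifier=None, challenge=None):
    """Challenge -> Response -> Success/Failure; returns the result and what a sniffer would see."""
    ident, chal = auth.challenge(identifier, challenge)
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp), ident, chal, resp


def offline_guess(identifier, challenge, response, wordlist):
    """Attacker's view: recompute the hash for each candidate secret until one matches."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == response:
            return word
    return None


if __name__ == "__main__":
    auth = Authenticator({"R2": b"cisco"})        # assumed peer name and secret
    ok, ident, chal, resp = run_handshake(auth, Peer("R2", b"cisco"))
    print("authenticated:", ok)
    print("on the wire: id=%d challenge=%s response=%s" % (ident, chal.hex(), resp.hex()))
    print("offline guess:", offline_guess(ident, chal, resp, [b"admin", b"cisco"]))
```

Two things are visible when you run it: the bytes on the wire contain neither secret, and a replayed response fails because the authenticator never reuses a challenge; but a sniffer who keeps the challenge and response can test guesses at leisure, and MD5 is fast, so a dictionary word like cisco falls immediately.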


Back to the router screenshots.

The enable secret shown with a 5 is a salted MD5 hash. It cannot be reversed the way a type 7 string can; the only attack left is to guess candidate passwords and hash each one, which is why the secret itself still has to be strong.

This concept of PPP authentication came up this morning at 3.20 when I was watching a video, so I decided to share it. I know there is a lot more to it, but thinking back I remember not having focused on this concept during the CCNA. To finish: do not rely on the enable password; use the enable secret instead. Although the service password-encryption command encrypts the former, that type 7 encryption is easily reversible, whereas the enable secret is stored as a one-way MD5 hash. Separately, CHAP never sends the shared password over the wire, only a hash of it together with the challenge, and for authentication to succeed the same password must be configured on both nodes.


Thank you for your comments and questions...