Description
The Challenge Handshake Authentication Protocol (CHAP), defined in RFC 1994, is a Point-to-Point Protocol (PPP) authentication method that verifies a peer's identity with a three-way handshake: Challenge, Response, and Success or Failure. Unlike password authentication (PAP), CHAP never sends the shared secret over the link; the peer proves knowledge of it with a one-way hash. The authenticator sends a Challenge packet carrying an Identifier and a random Challenge Value; the peer computes MD5 over the Identifier, the shared secret and the Challenge Value, concatenated in that order, and returns the 16-octet digest in a Response packet. The authenticator performs the same computation with its own copy of the secret and compares the result with the received value. MD5 is the only hash algorithm RFC 1994 requires; the algorithm octet negotiated in LCP allows other variants (Microsoft's MS-CHAP being the common ones), but plain CHAP in practice means MD5.
CHAP involves three elements: the authenticator (network side), the peer (client side) and a secret shared by both. The authenticator generates an unpredictable Challenge Value and sends it, together with an incrementally changing Identifier, in a Challenge packet. The peer hashes the Identifier, the secret and the Challenge Value (in that order) and returns the digest in a Response packet along with its Name, which lets the authenticator pick the right secret. The authenticator computes the expected digest independently from its stored copy of the secret and compares the two (a practitioner should use a constant-time comparison); on a match it sends a Success packet, otherwise a Failure packet, after which the link should be terminated. The Identifier ties each Response to exactly one Challenge, and because every challenge is fresh, a captured Response cannot be replayed later.
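The exchange described above, written out as an added example (mine, not code from the page or from any PPP or 3GPP implementation). It encodes and parses the RFC 1994 packet formats, runs both sides of the handshake, and shows why a replayed Response fails: the authenticator consumes each outstanding challenge the first time it is answered. The peer name ue-001, the authenticator name nas-gw and the secrets are constructed for the example.

```python
"""CHAP challenge/response per RFC 1994, both sides.
Added example, not from the page. Packet format (RFC 1994 section 4):
  Code(1) Identifier(1) Length(2)  then for Challenge/Response: Value-Size(1) Value Name
                                    and for Success/Failure:    Message
Response Value = MD5(Identifier || secret || Challenge Value)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over the Identifier, the secret and the Challenge Value, in that order."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes = b"", name: bytes = b"") -> bytes:
    body = bytes([len(value)]) + value + name if code in (CHALLENGE, RESPONSE) else name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Returns (code, identifier, value, name_or_message); rejects inconsistent lengths."""
    if len(pkt) < 4:
        raise ValueError("short CHAP packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP Length does not match packet size")
    body = pkt[4:]
    if code not in (CHALLENGE, RESPONSE):
        return code, identifier, b"", body
    vsize = body[0] if body else 0
    if vsize == 0 or 1 + vsize > len(body):
        raise ValueError("bad Value-Size")
    return code, identifier, body[1:1 + vsize], body[1 + vsize:]


class Authenticator:
    """Network side. Holds cleartext secrets per Name (CHAP cannot work from a one-way hash store)."""

    def __init__(self, secrets: Dict[bytes, bytes], name: bytes = b"nas-gw"):
        self.secrets, self.name = secrets, name
        self.identifier = 0
        self.outstanding: Dict[int, bytes] = {}  # Identifier -> Challenge Value, consumed once

    def challenge(self) -> bytes:
        self.identifier = (self.identifier + 1) & 0xFF   # incrementally changing Identifier
        value = os.urandom(16)                           # unpredictable, unique per challenge
        self.outstanding[self.identifier] = value
        return build_packet(CHALLENGE, self.identifier, value, self.name)

    def verify(self, pkt: bytes) -> bytes:
        code, identifier, value, name = parse_packet(pkt)
        challenge = self.outstanding.pop(identifier, None)  # a second Response for the same ID fails
        if code != RESPONSE or challenge is None:
            return build_packet(FAILURE, identifier, name=b"no outstanding challenge")
        secret = self.secrets.get(name)
        expected = chap_response(identifier, secret, challenge) if secret is not None else b""
        if not hmac.compare_digest(value, expected):   # constant-time; unknown Name also fails here
            return build_packet(FAILURE, identifier, name=b"authentication failed")
        return build_packet(SUCCESS, identifier, name=b"welcome")


class Peer:
    """Client side: answers a Challenge with its Name and the MD5 response."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, pkt: bytes) -> bytes:
        code, identifier, challenge, _ = parse_packet(pkt)
        if code != CHALLENGE:
            raise ValueError("expected a Challenge packet")
        return build_packet(RESPONSE, identifier, chap_response(identifier, self.secret, challenge), self.name)


def run_exchange(peer_secret: bytes, server_secret: bytes) -> int:
    """Full handshake; returns the Code of the authenticator's final packet (3 = Success, 4 = Failure)."""
    auth = Authenticator({b"ue-001": server_secret})
    peer = Peer(b"ue-001", peer_secret)
    return parse_packet(auth.verify(peer.respond(auth.challenge())))[0]


def replay_is_rejected() -> bool:
    """A captured Response replayed to the same authenticator must fail: its challenge was consumed."""
    auth, peer = Authenticator({b"ue-001": b"s3cret"}), Peer(b"ue-001", b"s3cret")
    response = peer.respond(auth.challenge())
    first = parse_packet(auth.verify(response))[0]
    second = parse_packet(auth.verify(response))[0]
    return first == SUCCESS and second == FAILURE


if __name__ == "__main__":
    print("good secret ->", run_exchange(b"s3cret", b"s3cret"))
    print("wrong secret ->", run_exchange(b"wrong", b"s3cret"))
    print("replay rejected ->", replay_is_rejected())
```

The Identifier is what makes the replay check cheap: the authenticator only has to remember outstanding challenges keyed by Identifier, and a Response whose Identifier no longer has a pending challenge is refused before any hashing is done.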
In 3GPP systems CHAP is not run on the radio interface itself; it is the credential protocol for access to an external data network. During PDP context activation (GPRS, UMTS, EPS) and PDU session establishment in 5GS, the UE carries the CHAP Challenge and Response packets inside the Protocol Configuration Options (PCO) of the NAS request, and the gateway (GGSN, P-GW or SMF) relays them to the AAA server of that data network over RADIUS or Diameter (TS 29.061 and TS 29.561). On a plain PPP link, RFC 1994 also lets the authenticator send a fresh Challenge at any time, at a frequency it controls, to confirm that the peer is still the one that authenticated. That re-challenge shortens how long a hijacked link stays authenticated, but it does not prevent hijacking: CHAP authenticates the endpoint once per challenge and neither encrypts nor integrity-protects the traffic in between. In the 3GPP case the PCO carries a single, already completed handshake, so periodic re-challenge is a property of PPP links rather than of the PCO transport.
Within 3GPP the relevant specifications are TS 24.008 and TS 24.501 (PCO coding on the NAS side) and TS 29.061 and TS 29.561 (the gateway's RADIUS and Diameter interworking with the data network's AAA server). CHAP is separate from the subscriber authentication run by the operator: primary authentication is AKA based (UMTS and EPS AKA, and EAP-AKA' or 5G-AKA in 5GS) and uses the HSS or UDM, whereas PAP/CHAP in the PCO is a secondary, data-network credential that the operator's core does not verify but forwards. The security properties obtained are therefore those of MD5 CHAP and of the transport that carries it, not those of the 3GPP key hierarchy.
The protocol's effectiveness depends on a few practices: challenges that are unpredictable and never reused, confidentiality of the shared secrets, and strict checking of packet lengths and Identifiers. Two limits are built in. First, the Response is an unkeyed MD5 digest over Identifier, secret and challenge, so anyone who captures one exchange can test candidate secrets offline at MD5 speed; only the strength of the secret protects against that, and human-chosen secrets should be assumed recoverable. Second, the authenticator (or the AAA server behind it) must hold the secret in cleartext or reversibly encrypted form, because it has to recompute the digest, so a compromise of that store exposes every credential. CHAP nonetheless remains a long-standing telecommunications mechanism because it keeps the secret off the wire and is cheap to implement, which is why it survives in the 3GPP PCO and AAA interworking paths.
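To make the first limit concrete, here is an added example (mine, not from the page or any 3GPP specification) of offline guessing against a captured CHAP exchange. The capture is constructed inline: the secret winter2024 is used only to fabricate the Response Value an eavesdropper would have seen, and the wordlist is a made-up sample standing in for a real dictionary.

```python
"""Offline dictionary guessing against a captured CHAP Challenge/Response.
Added example, not from the page. The capture and wordlist below are constructed."""
import hashlib
import os
from typing import Iterable, Optional

# Constructed capture of one exchange: the Identifier and Challenge Value from the
# Challenge packet and the 16-octet Response Value the peer returned.
CAPTURED_ID = 0x2A
CAPTURED_CHALLENGE = bytes.fromhex("8f1d0c7a55e2b90134fa6c21d8e7a0b3")
CAPTURED_RESPONSE = hashlib.md5(bytes([CAPTURED_ID]) + b"winter2024" + CAPTURED_CHALLENGE).digest()

# Constructed sample wordlist; a real run would use a dictionary of millions of entries.
WORDLIST = [b"password", b"123456", b"summer2023", b"Winter2024", b"winter2024", b"qwerty"]


def recover_secret(identifier: int, challenge: bytes, response: bytes,
                   candidates: Iterable[bytes]) -> Optional[bytes]:
    """Test candidate secrets exactly as the peer computed the Response Value.
    Nothing here touches the network: MD5(id || secret || challenge) is all the peer did."""
    prefix = bytes([identifier])
    for guess in candidates:
        if hashlib.md5(prefix + guess + challenge).digest() == response:
            return guess
    return None


def recovered_from_capture() -> Optional[bytes]:
    return recover_secret(CAPTURED_ID, CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST)


def strong_secret_resists() -> bool:
    """A 16-byte random secret is in no wordlist; only exhaustive search over 2^128 remains."""
    secret = os.urandom(16)
    response = hashlib.md5(bytes([CAPTURED_ID]) + secret + CAPTURED_CHALLENGE).digest()
    return recover_secret(CAPTURED_ID, CAPTURED_CHALLENGE, response, WORDLIST) is None


if __name__ == "__main__":
    print("recovered:", recovered_from_capture())
    print("random secret survives wordlist:", strong_secret_resists())
```

The Identifier is part of the hashed input, so the attacker needs it from the capture as well; with it, the work per guess is one MD5 of a few dozen bytes, which is why CHAP should only carry secrets with enough entropy to make that search pointless.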
Purpose & Motivation
CHAP was developed to address a plain weakness of early PPP authentication: PAP (Password Authentication Protocol) sends the user name and password in the clear, so any passive observer can read them and replay them later. What was needed was a mechanism that keeps the secret off the wire and resists replay at a computational cost acceptable on the access equipment of the time. CHAP delivers those two properties; it does not by itself defend against an active man-in-the-middle on the link, since it authenticates only the handshake and not the traffic that follows.
The protocol's creation was motivated by the growth of dial-up remote access and early packet data networks in the 1990s: PPP authentication was first specified in RFC 1334 (1992), and CHAP in its current form in RFC 1994 (1996). As telecommunications networks evolved from circuit-switched voice to packet-switched data, exposure to unauthorized access increased, and CHAP offered a standardized way to authenticate peers without transmitting the secret, using a single MD5 computation that was cheap on the hardware of the era. Random, non-repeating challenges supply the replay protection PAP lacked.
In 3GPP systems CHAP serves the data-network side of mobile data access, from GPRS onward. The UE's CHAP challenge and response are carried in the Protocol Configuration Options of the Activate PDP Context Request (or the PDU Session Establishment Request in 5GS), and the gateway forwards them to the data network's AAA server, so only users holding a valid credential for that network obtain a PDP context or PDU session on it. Because the gateway relays rather than verifies, the same mechanism works whichever operator's gateway terminates the session, including roaming; the PCO coding in TS 24.008 and TS 24.501 and the RADIUS and Diameter mapping in TS 29.061 and TS 29.561 give equipment from different vendors an interoperable basis.
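The PCO transport described above, as an added example that is not part of the page or of any 3GPP implementation: the UE side packs a CHAP Challenge and Response into a PPP-style PCO, and the gateway side lifts them out into the RADIUS attributes it would put in an Access-Request (CHAP-Challenge, CHAP-Password, User-Name), which a AAA server can then verify. The PCO layout and protocol identifiers are taken from TS 24.008 (10.5.6.3) and the attribute numbers from RFC 2865; the user name user@apn, the secret, the challenge bytes and the IPCP payload are constructed for the example.

```python
"""UE-side PCO carrying CHAP credentials and the gateway-side mapping to RADIUS attributes.
Added example, not from the page or any 3GPP implementation.
PCO contents (3GPP TS 24.008, 10.5.6.3): octet 3 = 1xxx x000 (extension bit set,
configuration protocol 000 = PPP), then units of Protocol ID (2 octets), Length (1 octet), data.
Protocol IDs: 0xC223 CHAP, 0xC023 PAP, 0x8021 IPCP. RADIUS attributes (RFC 2865, as used by
TS 29.061): CHAP-Challenge (60) = Challenge Value, CHAP-Password (3) = CHAP Ident + 16-octet
response, User-Name (1) = Name from the CHAP Response."""
import hashlib
import struct
from typing import Dict, List, Tuple

PCO_PPP_HEADER = 0x80
PID_CHAP, PID_PAP, PID_IPCP = 0xC223, 0xC023, 0x8021
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def chap_packet(code: int, ident: int, value: bytes, name: bytes = b"") -> bytes:
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def encode_pco(units: List[Tuple[int, bytes]]) -> bytes:
    out = bytearray([PCO_PPP_HEADER])
    for pid, data in units:
        if len(data) > 255:
            raise ValueError("PCO unit too long for its 1-octet length field")
        out += struct.pack("!HB", pid, len(data)) + data
    return bytes(out)


def decode_pco(pco: bytes) -> List[Tuple[int, bytes]]:
    if not pco or not pco[0] & 0x80 or pco[0] & 0x07:
        raise ValueError("not a PPP-style PCO")
    units, pos = [], 1
    while pos < len(pco):
        if pos + 3 > len(pco):
            raise ValueError("truncated PCO unit header")
        pid, length = struct.unpack("!HB", pco[pos:pos + 3])
        pos += 3
        if pos + length > len(pco):
            raise ValueError("truncated PCO unit data")
        units.append((pid, pco[pos:pos + length]))
        pos += length
    return units


def ue_build_pco(ident: int, challenge: bytes, secret: bytes, name: bytes) -> bytes:
    """MT side: PPP authentication already ran on the TE-MT link; both CHAP packets are forwarded."""
    response = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return encode_pco([
        (PID_CHAP, chap_packet(CHAP_CHALLENGE, ident, challenge)),
        (PID_CHAP, chap_packet(CHAP_RESPONSE, ident, response, name)),
        # IPCP Configure-Request asking the network for an address (option 3 = 0.0.0.0)
        (PID_IPCP, bytes.fromhex("0100000a030600000000")),
    ])


def gateway_radius_attrs(pco: bytes) -> Dict[int, bytes]:
    """GGSN/P-GW/SMF side: lift the CHAP pair out of the PCO into Access-Request attributes."""
    challenge = None
    response = None
    for pid, data in decode_pco(pco):
        if pid != PID_CHAP or len(data) < 5:
            continue
        code, ident, length = struct.unpack("!BBH", data[:4])
        vsize = data[4]
        value, name = data[5:5 + vsize], data[5 + vsize:length]
        if code == CHAP_CHALLENGE:
            challenge = (ident, value)
        elif code == CHAP_RESPONSE:
            response = (ident, value, name)
    if challenge is None or response is None or challenge[0] != response[0]:
        raise ValueError("PCO lacks a matching CHAP Challenge/Response pair")
    ident, value, name = response
    if len(value) != 16:
        raise ValueError("CHAP-Password carries exactly a 16-octet MD5 response")
    return {ATTR_USER_NAME: name,
            ATTR_CHAP_PASSWORD: bytes([ident]) + value,
            ATTR_CHAP_CHALLENGE: challenge[1]}


def radius_attr_bytes(attrs: Dict[int, bytes]) -> bytes:
    """RFC 2865 attribute TLV: Type(1) Length(1, counting these two octets) Value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs.items())


def aaa_verify(attrs: Dict[int, bytes], secrets: Dict[bytes, bytes]) -> bool:
    """AAA server side: recompute the response from the cleartext secret stored for User-Name."""
    ident, response = attrs[ATTR_CHAP_PASSWORD][0], attrs[ATTR_CHAP_PASSWORD][1:]
    secret = secrets.get(attrs[ATTR_USER_NAME])
    if secret is None:
        return False
    return hashlib.md5(bytes([ident]) + secret + attrs[ATTR_CHAP_CHALLENGE]).digest() == response


if __name__ == "__main__":
    pco = ue_build_pco(0x11, bytes(range(16)), b"ue-secret", b"user@apn")
    attrs = gateway_radius_attrs(pco)
    print(radius_attr_bytes(attrs).hex())
    print("AAA accepts:", aaa_verify(attrs, {b"user@apn": b"ue-secret"}))
```

Two checks in the gateway function matter in practice: the Challenge and Response units must carry the same CHAP Identifier, and the response must be exactly 16 octets, because CHAP-Password has no length field of its own beyond the attribute length and a AAA server will otherwise reject or, worse, truncate it.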
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (131 CRs across 5 releases). This complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-4, normative work from Rel-15.
In Release 15, the change requests recorded against this function concern the 5G NAS authentication procedures of TS 24.501 (primary authentication with EAP-AKA' and 5G-AKA, and EAP-based secondary authentication) rather than CHAP itself, as the titles below show: mandatory inclusion of the EAP message IE in PDU SESSION AUTHENTICATION messages, introduction of the ABBA (Anti-Bidding down Between Architectures) parameter, and corrections to the format and length of authentication parameters such as the Authentication response parameter IE.
- Addition of ABBA in 5G based primary authentication procedure (TS 24.501 CR0036)
- Wrong "slogan" for cause value 98, message not compatible with protocol state (TS 24.008 CR3134)
- Exchange of extended protocol configuration options (TS 24.501 CR0023)
- Authentication for normal services not accepted by network (TS 24.501 CR0035)
- Authentication Response (TS 24.501 CR0048)
- Corrections for authentication (TS 24.501 CR0092)
+ 20 more changes
In Release 16, the recorded changes again extend the NAS authentication procedures of TS 24.501: network slice-specific authentication and authorization (pending NSSAI, and handling of failure and revocation), wider use of EAP-AKA' and EAP-TLS plus support for other EAP methods in primary authentication, primary authentication of N5GC devices, and DN-AAA re-authentication. Only the DN-side items touch the secondary authentication path in which PAP/CHAP credentials are carried.
- Port management information container: Delivery via the NAS protocol and coding (TS 24.501 CR1470)
- Slice-specific authentication and authorization procedure (TS 24.501 CR1450)
- Primary authentication using EAP methods other than EAP-AKA' and EAP-TLS (TS 24.501 CR1510)
- Extensions of EAP-TLS usage in primary authentication (TS 24.501 CR1512)
- Extensions of EAP-AKA' usage in primary authentication (TS 24.501 CR1513)
- Primary authentication of an N5GC device (TS 24.501 CR2218)
+ 24 more changes
In Release 17, support for non-transparent access to a Data Network using PAP/CHAP was documented in new RADIUS and Diameter message flows for the successful authentication cases, integrating PAP/CHAP into the secondary authentication and authorization framework for PDU sessions; this is the release in which the recorded work most directly concerns CHAP as used in 5G. The CRs below, all against TS 24.501, cover the NAS side of primary and secondary authentication in the same period.
- The impact on UE due to the introduction of Authentication and Key Management for Applications (AKMA) (TS 24.501 CR2794)
- SNN verification for SNPN supporting AAA-Server for primary authentication and authorization (TS 24.501 CR3137)
- "List of subscriber data" handling for SNPN supporting AAA-Server for primary authentication and authorization (TS 24.501 CR3133)
- Authentication handling (TS 24.501 CR3387)
- 5GSM protocol update for redundant PDU sessions (TS 24.501 CR3671)
- Usage of indication to use MSK for derivation of KAUSF after success of primary authentication and key agreement procedure (TS 24.501 CR3843)
+ 49 more changes
In Release 18, the recorded changes introduce authentication and key agreement procedures for new 5G ProSe scenarios (UE-to-UE relay, and U2N relay UEs in NORMAL-SERVICE state), add protocol description support and corrections, clarify the handling of authentication failures and protocol errors for specific information element containers, and add the secondary DN authentication and authorization over EPC support indicator for EPS interworking, which is the item closest to the PAP/CHAP path.
- Introducing the secondary DN authentication and authorization over EPC support indicator (TS 24.008 CR3322)
- Protocol error handling enhancements for Type 6 IE container IEs (TS 24.501 CR5031)
- Authentication for AUN3 devices supporting 5G key hierarchy (TS 24.501 CR5811)
- Impact on NAS signalling for supporting authentication of AUN3 devices supporting and not supporting 5G key hierarchy (TS 24.501 CR5812)
- Authentication and key agreement procedure for 5G ProSe UE-to-UE relay (TS 24.501 CR5820)
- Protocol description support (TS 24.501 CR5973)
+ 11 more changes
In Release 19, the recorded changes are corrections to the NAS authentication procedures: clarified requirements for resetting the attempt counter on receipt of an AUTHENTICATION REJECT message, corrected handling of that message by a UE configured to use T3245, and a corrected information element length for the Service-level AA container in the Service-level authentication command and complete messages. None of them alters CHAP handling.
- Corrected requirements for attempt counter reset at authentication reject (TS 24.501 CR6675)
- Correction in handling AUTHENTICATION REJECT message by a UE configured to use T3245 (TS 24.501 CR7066)
- Correction of IE length for Service-level AA container in Service-level authentication command/complete message (TS 24.501 CR7092)
Defining Specifications
3GPP specifications that define or reference CHAP, with the latest known release. Sourced from the 3GPP document catalog — see methodology.
| Specification | Title | Release |
|---|---|---|
| TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19 |
| TS 23.179 vd50 | MCPTT Functional Architecture | Rel-13 |
| TS 23.379 vk00 | MCPTT Functional Architecture | Rel-20 |
| TS 24.008 vj50 | Mobile radio interface Layer 3 specification; Core network protocols; Stage 3 | Rel-19 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 29.061 vj00 | Packet Domain Interworking for PLMN | Rel-19 |
| TS 29.561 vj30 | 5G Interworking with External Data Networks | Rel-19 |
| TS 32.808 v1800 | Common User Profile Storage Framework | Rel-8 |