Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Microsoft created MS-CHAP to authenticate remote Windows workstations, providing the functionality to which LAN-based users are accustomed while integrating the hashing algorithms used on Windows networks. Like CHAP, MS-CHAP uses a challenge-response mechanism to keep the password from being sent during the authentication process.

MS-CHAP uses the Message Digest 4 (MD4) hashing algorithm and the Data Encryption Standard (DES) encryption algorithm to generate the challenge and response. It also provides mechanisms for reporting connection errors and for changing the user's password. The response packet is in a format specifically designed to work with networking products in Windows 95, Windows 98, Windows Millennium Edition, Windows NT, Windows 2000, and Windows XP.


A separate version of MS-CHAP exists specifically for connecting to a server running Windows 95, and you must use it for such connections. To enable this version, select the "Allow older MS-CHAP version for Windows 95 servers" check box in the Advanced Security Settings dialog box.

Unlike CHAP, MS-CHAP does not require that the user account's password be stored in a reversibly encrypted form.

During the MS-CHAP authentication process, shared secret encryption keys for Microsoft Point-to-Point Encryption (MPPE) are generated.

Related Topics

Configure identity authentication and data encryption settings for a dial-up connection

Configure identity authentication and data encryption settings for a VPN connection

© 2016 Microsoft Corporation. All rights reserved.