PPP Authentication Protocols

PAP is a two-way handshake that provides a simple method for a remote node to establish its identity. PAP is done only upon initial link establishment.
After the PPP link establishment phase is complete, a username and password pair is repeatedly sent by the remote node to the router until authentication is acknowledged or the connection is terminated.
PAP is not a strong authentication protocol. Passwords are sent across the link in clear text, which may be acceptable in environments that use token-type passwords that change with each authentication, but is not secure in most environments. Also, there is no protection from playback or repeated trial-and-error attacks: the remote node is in control of the frequency and timing of the login attempts.

CHAP (Challenge Handshake Authentication Protocol) uses a three-way handshake, which occurs at the startup of a link and periodically thereafter to verify the identity of the remote node. After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node. The remote node responds with a value that is calculated using a one-way hash function (typically Message Digest 5 [MD5]) over the password and the challenge message. The local router checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged. Otherwise, the connection is terminated immediately.
CHAP provides protection against playback attack through the use of a variable challenge value that is unique and unpredictable. Because the challenge is unique and random, the resulting hash value will also be unique and random. The use of repeated challenges is intended to limit exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
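The following script is an added example, not code from the original article or from any router vendor. It contrasts the two protocols described above: it builds a PAP Authenticate-Request in the RFC 1334 layout to show that the password travels verbatim, and it simulates the CHAP three-way handshake with the RFC 1994 MD5 computation (hash of Identifier, shared secret and Challenge) to show why a captured response cannot be replayed against a fresh challenge. The peer name, shared secret and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the demonstration; not from the original article.
PEER_NAME = b"remote-node"
SHARED_SECRET = b"example-secret"


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PAP Authenticate-Request (RFC 1334 layout): Code=1, Identifier,
    Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password.
    The password is carried verbatim, which is the weakness the text describes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def password_visible_in_pap(identifier: int, peer_id: bytes, password: bytes) -> bool:
    """True when the cleartext password can be read straight off the wire."""
    return password in pap_authenticate_request(identifier, peer_id, password)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Local router side: issues one-time random challenges and verifies responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge
        self.next_id = 0

    def issue_challenge(self, length: int = 16):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(length)          # unique and unpredictable
        self.pending[ident] = challenge
        return ident, challenge

    def verify(self, ident: int, name: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(ident, None)   # each challenge is usable once
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Remote node side: answers a challenge with the hash of id, secret and challenge."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes):
        return ident, self.name, chap_response(ident, self.secret, challenge)


def chap_exchange(auth: Authenticator, peer: Peer) -> bool:
    """Three-way handshake: Challenge -> Response -> Success/Failure."""
    ident, challenge = auth.issue_challenge()
    ident, name, response = peer.respond(ident, challenge)
    return auth.verify(ident, name, response)


def replayed_response_rejected(auth: Authenticator, peer: Peer) -> bool:
    """A response captured from one exchange does not satisfy a later challenge,
    because the identifier and challenge value both differ the next time."""
    ident, challenge = auth.issue_challenge()
    _, name, captured = peer.respond(ident, challenge)
    if not auth.verify(ident, name, captured):
        return False
    ident2, _ = auth.issue_challenge()
    return not auth.verify(ident2, name, captured)


if __name__ == "__main__":
    auth = Authenticator({PEER_NAME: SHARED_SECRET})
    peer = Peer(PEER_NAME, SHARED_SECRET)
    print("PAP exposes password:", password_visible_in_pap(1, PEER_NAME, b"hunter2"))
    print("CHAP exchange ok:", chap_exchange(auth, peer))
    print("CHAP replay rejected:", replayed_response_rejected(auth, peer))
    print("wrong secret rejected:", not chap_exchange(auth, Peer(PEER_NAME, b"wrong")))
```

The authenticator discards each challenge after a single verification attempt and compares digests in constant time; both choices are what a defender wants from the "unique and unpredictable challenge" property the text relies on. Note that the shared secret itself still has to be stored on both ends, so the protocol protects the link, not the secret store.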
