Microsoft Challenge Handshake Authentication Protocol v2

Applies To: Windows Server 2008, Windows Server 2008 R2

Version 2 of Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) provides stronger security for network access connections than its predecessor, MS-CHAP. MS-CHAP v2 solves several weaknesses of MS-CHAP version 1; each issue and its MS-CHAP version 2 solution is listed below.

  • Issue: LAN Manager encoding of the response, used for backward compatibility with older Microsoft remote access clients, is cryptographically weak.
    Solution: MS-CHAP v2 no longer allows LAN Manager encoded responses.

  • Issue: LAN Manager encoding of password changes is cryptographically weak.
    Solution: MS-CHAP v2 no longer allows LAN Manager encoded password changes.

  • Issue: Only one-way authentication is possible. The remote access client cannot tell whether it is dialing in to its organization's remote access server or to a masquerading server.
    Solution: MS-CHAP v2 provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server it is dialing in to has access to the user's password.

  • Issue: With 40-bit encryption, the cryptographic key is based only on the user password. Each time the user connects with the same password, the same cryptographic key is generated.
    Solution: With MS-CHAP v2, the cryptographic key is always based on the user password and an arbitrary challenge string. Each time the user connects with the same password, a different cryptographic key is used.

  • Issue: A single cryptographic key is used for data sent in both directions on the connection.
    Solution: With MS-CHAP v2, separate cryptographic keys are generated for transmitted and received data.

MS-CHAP v2 is a mutual authentication process built on a one-way hash of the user password: the password itself never crosses the link, and neither side's response can be reversed to recover it. It works as follows:

  1. The authenticator, which is the network access server (NAS) or the server running Network Policy Server (NPS), sends a challenge to the access client that consists of a session identifier and a random 16-byte challenge string.

  2. The access client sends a response that contains:

    • The user name.

    • An arbitrary peer challenge string.

    • A one-way encrypted response computed from the received challenge string, the peer challenge string, the user name, and a hash of the user password. The password is never sent, and the response cannot be reversed to recover it.

  3. The authenticator checks the response from the client and sends back a response containing:

    • An indication of the success or failure of the connection attempt.

    • An authenticated response based on the sent challenge string, the peer challenge string, the encrypted response of the client, and the user password.

  4. The access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the access client terminates the connection.

Enabling MS-CHAP v2

To enable MS-CHAP v2–based authentication, you must do the following:

  1. Enable MS-CHAP v2 as an authentication protocol on the network access server.

  2. Enable MS-CHAP v2 on the appropriate network policy.

  3. Enable MS-CHAP v2 on the access client.

Additional considerations

Following are additional things to consider before deploying MS-CHAP v2:

  • MS-CHAP (version 1 and version 2) is the only password-based authentication protocol provided in NPS that supports password change during the authentication process.

Note

Password change scenarios are supported only when NPS is able to communicate directly with a writable domain controller in your network for the password change transactions. Password change scenarios are not supported if NPS is configured to communicate with a Read-only domain controller (RODC) in your network.

  • Make sure your network access server supports MS-CHAP v2 before you enable it on a network policy on an NPS server. For more information, see your NAS documentation.

  • The client's response in step 2 is derived only from the two challenges, which travel in the clear, and the NT hash of the user password. An attacker who captures one unprotected exchange can therefore search for that hash offline and, once found, authenticate as the user with the hash alone. On networks where the exchange can be captured, run MS-CHAP v2 inside a TLS-protected tunnel such as PEAP, and treat stored NT hashes as password equivalents.