Replay attack
=== Challenge-Handshake Authentication Protocol ===
Authentication and sign-on by clients using [[Point-to-Point Protocol]] (PPP) are susceptible to replay attacks when using [[Password Authentication Protocol]] (PAP) to validate their identity: the authenticating client sends its username and password in "[[Plaintext|normal text]]", and the authenticating server then sends its acknowledgment in response. An intercepting client is therefore free to read the transmitted data and impersonate each of the client and server to the other, and can also store the client's credentials for later impersonation to the server. [[Challenge-Handshake Authentication Protocol]] (CHAP) secures against this sort of replay attack during the authentication phase by instead using a "challenge" message from the authenticator, to which the client responds with a hash-computed value based on a [[shared secret]] (e.g. the client's password). The authenticator compares this response with its own calculation over the challenge and shared secret to authenticate the client. By relying on a shared secret that has not itself been transmitted, as well as other features such as authenticator-controlled repetition of challenges and changing identifier and challenge values, CHAP provides limited protection against replay attacks.<ref>{{Cite journal|url=https://tools.ietf.org/html/rfc1994|title=RFC 1994 – PPP Challenge Handshake Authentication Protocol (CHAP)|last=Simpson|first=William Allen|website=tools.ietf.org|year=1996 |doi=10.17487/RFC1994 |language=en|access-date=2018-09-12|url-access=subscription}}</ref>
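
The following added example (not part of the article or of RFC 1994) models the exchange described above, using the MD5 response calculation that RFC 1994 defines, and shows a recorded CHAP response being rejected against a later challenge while a recorded PAP password is still accepted. The <code>Authenticator</code> class, the function names and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    # RFC 1994 CHAP with MD5: hash over Identifier || secret || Challenge.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Hypothetical authenticator holding one peer's shared secret."""
    def __init__(self, secret):
        self._secret = secret
        self._identifier = 0
        self._outstanding = None  # (identifier, challenge) awaiting a response

    def new_challenge(self):
        # The identifier changes and the challenge is fresh random data each time.
        self._identifier = (self._identifier + 1) % 256
        self._outstanding = (self._identifier, os.urandom(16))
        return self._outstanding

    def verify(self, identifier, response):
        if self._outstanding is None or identifier != self._outstanding[0]:
            return False
        challenge = self._outstanding[1]
        self._outstanding = None  # a challenge is answered at most once
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)

def pap_verify(stored_password, sent_password):
    # PAP: the password itself crosses the link, so a recorded copy stays valid.
    return hmac.compare_digest(stored_password, sent_password)

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    server = Authenticator(secret)
    ident1, chal1 = server.new_challenge()
    recorded = chap_response(ident1, secret, chal1)  # value seen on the wire
    results = {"first_login": server.verify(ident1, recorded)}
    ident2, _ = server.new_challenge()  # later authentication, new challenge
    results["replay_old_identifier"] = server.verify(ident1, recorded)
    results["replay_new_identifier"] = server.verify(ident2, recorded)
    results["pap_replay"] = pap_verify(secret, secret)  # recorded password reused
    return results

if __name__ == "__main__":
    print(demo())
```

The recorded response fails in both replay attempts because the authenticator's expected value is bound to the current identifier and challenge, neither of which matches the ones the response was computed for.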