• 1. Summary
  • 2. MS-CHAP v1
  • 3. MS-CHAP v2
  • 4. Enabling MS-CHAP v2

MS-CHAP

MS-CHAP v1

The Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) is an encrypted authentication mechanism very similar to CHAP. As in CHAP, the remote access server sends a challenge to the remote client that consists of a session ID and an arbitrary challenge string. The remote client must return the user name and a Message Digest 4 (MD4) hash of the challenge string, the session ID, and the MD4-hashed password.

One difference between CHAP and MS-CHAP v1 is that, in CHAP, the plaintext version of the password must be available to validate the challenge response. With MS-CHAP v1, the remote access server only requires the MD4 hash of the password to validate the challenge response. In Windows 2000, the user's password is stored as an MD4 hash and in a reversibly encrypted form. When CHAP is used, the remote access server decrypts the reversibly encrypted password to validate the remote access client's response.

MS-CHAP v1 authentication is an exchange of three messages:

1. The remote access server sends an MS-CHAP Challenge message containing a session ID and an arbitrary challenge string.

2. The remote access client returns an MS-CHAP Response message containing the user name in cleartext and a hash of the challenge string, session ID, and the MD4 hash of the client's password, computed using the MD4 one-way hashing algorithm.

3. The remote access server duplicates the hash and compares it to the hash in the MS-CHAP Response. If the hashes are the same, the remote access server sends back an MS-CHAP Success message. If the hashes are different, an MS-CHAP Failure message is sent.

The use of MS-CHAP v1 is negotiated during LCP negotiation by specifying the authentication protocol LCP option (type 3), the authentication protocol 0xC2-23, and the algorithm 0x80. Once LCP negotiation is complete, MS-CHAP v1 messages use the PPP protocol ID of 0xC2-23.

MS-CHAP v1 also allows for error codes, including a "password expired" code, and password changes. MS-CHAP v1 protects against replay attacks by using an arbitrary challenge string per authentication attempt. MS-CHAP v1 does not provide protection against remote server impersonation.

If MS-CHAP v1 is used as the authentication protocol and MPPE is negotiated, then shared secret encryption keys are generated by each PPP peer. MS-CHAP v1 also provides a set of messages that allows a user to change their password during the user authentication process.

MS-CHAP v2

The Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a mutual authentication process that relies on one-way encryption of the password. It works as follows:

1. The authenticator (the remote access server or the NPS server) sends a challenge to the remote access client, consisting of a session identifier and an arbitrary challenge string.

2. The remote access client sends a response containing the following:

● The user name.

● An arbitrary peer challenge string.

● A one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user's password.

3. The authenticator checks the response from the client and sends back a response containing the following:

● An indication of whether the connection attempt succeeded or failed.
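As an added example (not from this page and not Microsoft's code), here are the two one-way steps that both exchanges above rest on, written to the definitions in RFC 2759: the MD4 hash of the UTF-16LE password that MS-CHAP v1 and v2 validate against instead of the cleartext password, and MS-CHAP v2's ChallengeHash, which binds the client's peer challenge and the user name (RFC 2759 hashes the bare user name at this point, where the text above speaks of the session identifier) to the authenticator's challenge before the password hash is applied. MD4 is implemented inline because hashlib's MD4 is disabled in many OpenSSL 3 builds; the final DES-based ChallengeResponse step is deliberately left out, and the demo challenge values are constructed.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's MD4 is disabled in many OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    rounds = (  # (mixing function, word order, shift amounts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                A = _rotl((A + f(B, C, D) + X[idx] + k) & MASK, shifts[i % 4])
                A, B, C, D = D, A, B, C  # rotate registers so each step updates the next word
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 of the UTF-16LE password. Both MS-CHAP
    versions validate against this 16-byte value, never the cleartext password."""
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): the 8-byte challenge the MS-CHAP v2 client really
    answers; username is the bare user name without any domain prefix."""
    assert len(peer_challenge) == 16 and len(auth_challenge) == 16
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]

if __name__ == "__main__":
    # Constructed demo inputs. The DES-based ChallengeResponse step (RFC 2759 8.5) that
    # turns these two values into the 24-byte NT-Response is not reproduced here.
    peer, auth = bytes(range(16)), bytes(range(16, 32))
    print("NtPasswordHash:", nt_password_hash("clientPass").hex())
    print("ChallengeHash: ", challenge_hash(peer, auth, "User").hex())
```

Because the server only ever needs nt_password_hash, a stolen copy of that 16-byte value is enough to answer any challenge, which is why protecting the hash store matters as much as protecting the password itself.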