CHAP Authentication Implementation on Web Login

I. What is CHAP?

"How secure is your Web System?" is the question any potential customer will ask. If our sites have nothing but password protection, that is not enough, and people may be reluctant to use the product.
 
Here is the "CHAP Login" mechanism, which makes our Web Server more secure. "More secure" here means that it is harder to intercept the password, and harder to break in without the password.
 
First of all, CHAP is an industry-recognized authentication protocol; it stands for "Challenge-Handshake Authentication Protocol". The benefits of this protocol are:
 
1. The password never travels across the Internet; only the generated Digest, or Hash, does.
 
2. The Server challenges the Browser with a random value, called the Challenge, each time it presents the Login Screen. The Challenge is combined with the password to generate the Hash/Digest. Because a fresh Challenge is issued for every login and accepted only once, this prevents the so-called "Replay Attack", in which an attacker intercepts a successful login session and resubmits it to break in.
 
I have implemented it on one of my Web systems and tested it successfully. It is located at:
 
http://www.yamabay.com/NTPortal/webMail/inbox/loginy.asp
 
It takes a server-side COM object and client-side JavaScript to accomplish this.
 

II. How to Implement CHAP?

Now, how do we integrate CHAP and MD5 so that passwords are protected both from Internet users and from database users?
 
When a user creates or changes a password on the password creation/modification screen, the client-side JavaScript sends the following back to the Server instead of the password itself:
 
X = MD5(password)
 
When the server receives this MD5(password), it simply saves it in the password database field, so database users will not be able to view the clear text password.
 
When this user logs in, the server sends the Challenge, and he/she types the user name and password. The client-side JavaScript will do:
X = MD5(password)
Y = X + Challenge
Z = MD5(Y)
and send Z back to the Server together with the Challenge. (This is the standard client-side CHAP we discussed last time.)
 
Now the server takes W = MD5(password) from the database and computes
V = W + Challenge
U = MD5(V)
 
If U and Z are equal, the password is correct. Otherwise it is not.
 
Please note that:
1. The password never travels across the Internet.
2. The database does not store the clear text password.
3. The stored value W = MD5(password) is all the server needs to verify a login, so it is also all an attacker needs: anyone who can read that database field can compute Z for any Challenge and log in without ever learning the password. Protect the password table as carefully as you would protect clear text passwords.
4. The server must check Z against the Challenge it issued for that login attempt (kept on the server, for example in the session), not against the Challenge value the browser sends back, and it must accept each Challenge only once. Otherwise an intercepted (Z, Challenge) pair can simply be resubmitted.
 
This concludes the integration of CHAP Login and hashed passwords in the database.
 

III. ActiveX/COM for CHAP

To implement CHAP at the server, an MD5 hashing class and a Challenge generation class are needed. You can download the COM object together with sample VB6 code that calls these two essential CHAP classes. The length of the Challenge is 28 bytes.
 
 
