These two protocols are used in PPP, where each system may require its peer to authenticate itself.
When a connection is established, each end can request the other to authenticate itself, regardless of whether it is the caller or the callee. A PPP daemon can ask its peer for authentication by sending yet another LCP configuration request identifying the desired authentication protocol.
Password Authentication Protocol (PAP) is a simple authentication protocol in which the user name and password are sent to the remote access server in plaintext (unencrypted) form. Using PAP is strongly discouraged because your passwords are easily readable from the Point-to-Point Protocol (PPP) packets exchanged during the authentication process. PAP is typically used only when connecting to older UNIX-based remote access servers that do not support more secure authentication protocols.
Challenge Handshake Authentication Protocol (CHAP) is a widely supported authentication method in which a representation of the user's password, rather than the password itself, is sent during the authentication process. With CHAP, the remote access server sends a challenge to the remote access client. The remote access client uses a hash algorithm (also known as a hash function) to compute a Message Digest-5 (MD5) hash result based on the challenge and a hash result computed from the user's password. The remote access client sends the MD5 hash result to the remote access server. The remote access server, which also has access to the hash result of the user's password, performs the same calculation using the hash algorithm and compares the result to the one sent by the client. If the results match, the credentials of the remote access client are considered authentic. A hash algorithm provides one-way encryption, which means that calculating the hash result for a data block is easy, but determining the original data block from the hash result is mathematically infeasible.