Previous versions of RAS supported Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to authenticate remote clients. MS-CHAP v2 provides stronger security and is designed specifically to support Virtual Private Network (VPN) connections, which enable remote clients to establish secure connections to a private network through a public network such as the Internet. MS-CHAP v2 provides several security enhancements:
♦ LAN Manager encoding of responses, formerly supported for backward compatibility with older remote access clients, is no longer supported, which improves security. For the same reason, MS-CHAP v2 no longer supports LAN Manager encoding of password changes.
♦ Mutual authentication, which provides bi-directional authentication between the remote client and the RAS server, is supported. Previously, MS-CHAP only provided one-way authentication and did not provide a mechanism for the remote client to determine whether the remote server actually had access to its authentication password for verification. Version 2 not only enables the server to authenticate the client's request, but also enables the client to verify the server's ability to authenticate its account.
♦ Stronger encryption is provided in MS-CHAP v2. The 40-bit encryption used in previous versions operated on the user's password and resulted in the same cryptographic key being generated for each session. Version 2 uses the remote client's password, along with an arbitrary challenge string, to create a unique cryptographic key for each session, even when the client password remains the same.
♦ Better security for data transmission is provided by using separate cryptographic keys for data sent in each direction.
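The per-session and per-direction keys described in the last two items can be seen in the key derivation that RFC 3079 specifies for MS-CHAP v2. The following is an added example, not part of the original article: RFC 3079 is not cited on the page, the function names are illustrative, and the password hash-of-hash and NT-Response values are constructed sample bytes (a real NT-Response is computed from the challenges exchanged in that session).

```python
import hashlib

# Constants as given in RFC 3079 section 3.4 (assumption: not quoted on the page).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def master_key(password_hash_hash, nt_response):
    """GetMasterKey: the challenge-dependent NT-Response is mixed into the key."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("need a 16-byte hash-of-hash and a 24-byte NT-Response")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def start_key(master, is_send, is_server, key_len=16):
    """GetAsymmetricStartKey: a different key for each direction of traffic."""
    # Client-send and server-receive use MAGIC2; the reverse direction uses MAGIC3.
    magic = MAGIC2 if is_send != is_server else MAGIC3
    return hashlib.sha1(master + SHS_PAD1 + magic + SHS_PAD2).digest()[:key_len]


def session_keys(password_hash_hash, nt_response):
    """Return the four start keys of one session, as each end derives them."""
    mk = master_key(password_hash_hash, nt_response)
    return {
        "client_send": start_key(mk, True, False),
        "client_recv": start_key(mk, False, False),
        "server_send": start_key(mk, True, True),
        "server_recv": start_key(mk, False, True),
    }


# Constructed sample values: same password in both sessions, different NT-Response.
PASSWORD_HASH_HASH = bytes(range(16))
NT_RESPONSE_A = bytes(range(0x10, 0x28))
NT_RESPONSE_B = bytes(range(0x40, 0x58))

if __name__ == "__main__":
    for label, resp in (("session A", NT_RESPONSE_A), ("session B", NT_RESPONSE_B)):
        for name, key in session_keys(PASSWORD_HASH_HASH, resp).items():
            print(label, name, key.hex())
```

With the password unchanged, the two sessions yield unrelated keys, and within a session the client's send key matches the server's receive key but differs from the key for the opposite direction.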