Which two statements about using the CHAP authentication mechanism in a PPP link are true?
(Choose two.)
A.
CHAP uses a two-way handshake.
B.
CHAP uses a three-way handshake.
C.
CHAP authentication periodically occurs after link establishment.
D.
CHAP authentication passwords are sent in plaintext.
E.
CHAP authentication is performed only upon link establishment.
F.
CHAP has no protection from playback attacks.
Explanation:
http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml
CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user’s password).[2]
After the completion of the link establishment phase, the authenticator sends a “challenge” message to the peer.
The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.