CHAP applies a three-way handshaking procedure. After the link is established, the server sends a "challenge" message to the originator. The originator responds with a value calculated using a one-way hash function. The server checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.
CHAP provides protection against playback attack through the use of an incrementally changing identifier and a variable challenge value. The authentication can be repeated any time while the connection is open limiting the time of exposure to any single attack, and the server is in control of the frequency and timing of the challenges. As a result, CHAP provides greater security then PAP.
CHAP is defined in RFC 1334.