This post explains the concept of challenge-response authentication.
Concept of Challenge-Response Authentication
In computer security, challenge–response authentication is a family of protocols in which one party presents a question (“challenge”) and another party must provide a valid answer (“response”) to be authenticated.
The simplest example of a challenge–response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password.
Clearly an adversary who can eavesdrop on a password authentication can then authenticate itself in the same way. One solution is to issue multiple passwords, each of them marked with an identifier. The verifier can ask for any of the passwords, and the prover must have that correct password for that identifier. Assuming that the passwords are chosen independently, an adversary who intercepts one challenge–response message pair has no clues to help with a different challenge at a different time.
For example, when other communications security methods are unavailable, the U.S. military uses the AKAC-1553 TRIAD numeral cipher to authenticate and encrypt some communications. TRIAD includes a list of three-letter challenge codes, which the verifier is supposed to choose randomly from, and random three-letter responses to them. For added security, each set of codes is only valid for a particular time period which is ordinarily 24 hours.
A more interesting challenge–response technique works as follows. Say, Bob is controlling access to some resource. Alice comes along seeking entry. Bob issues a challenge, perhaps “52w72y”. Alice must respond with the one string of characters which “fits” the challenge Bob issued. The “fit” is determined by an algorithm “known” to Bob and Alice. (The correct response might be as simple as “63x83z” (each character of response one more than that of challenge), but in the real world, the “rules” would be much more complex.) Bob issues a different challenge each time, and thus knowing a previous correct response (even if it is not “hidden” by the means of communication used between Alice and Bob) is of no use.
Challenge-response authentication methods prevent replay of an earlier authentication by sending a different random challenge in each authentication event: the response is bound to that specific challenge, so a captured response is useless against any later challenge.
Overview of how Challenge-Response Authentication Works
Overview of how challenge-response authentication works:
- Challenge Generation: The verifier generates a random challenge, typically a string of characters or a cryptographic nonce.
- Challenge Presentation: The verifier sends the challenge to the prover.
- Response Calculation: The prover uses a predetermined algorithm or key to calculate a response based on the challenge.
- Response Submission: The prover sends the calculated response back to the verifier.
- Verification: The verifier uses the same algorithm or key to independently calculate the expected response based on the challenge it generated. If the calculated response matches the one received from the prover, authentication is successful.
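The five steps above as one complete exchange in Python, added here as an illustration and not taken from the original post. The shared key, the 128-bit nonce size and HMAC-SHA256 as the response function are assumptions; the verifier also consumes each challenge after one use, so a captured challenge/response pair cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Shared secret assumed to be provisioned to both parties out of band (constructed value).
SHARED_KEY = b"example-shared-key-provisioned-out-of-band"


def compute_response(key: bytes, challenge: bytes) -> bytes:
    # Step 3: the "fit" between challenge and response is HMAC-SHA256 under the key
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """Issues single-use random challenges and checks HMAC responses (steps 1, 2, 5)."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()  # challenges issued but not yet consumed

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh 128-bit nonce per authentication event
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Only challenges we issued are accepted, each exactly once, so a captured
        # (challenge, response) pair cannot be replayed; compare in constant time.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = compute_response(self.key, challenge)
        return hmac.compare_digest(expected, response)


def run_protocol(verifier: Verifier, prover_key: bytes) -> bool:
    """One complete exchange: verifier issues, prover responds (step 4), verifier checks."""
    challenge = verifier.issue_challenge()
    response = compute_response(prover_key, challenge)
    return verifier.verify(challenge, response)


def replay_is_rejected(verifier: Verifier) -> bool:
    """Eavesdropper model: a captured valid pair is useless afterwards."""
    challenge = verifier.issue_challenge()
    response = compute_response(SHARED_KEY, challenge)
    if not verifier.verify(challenge, response):  # legitimate use succeeds
        return False
    replayed = verifier.verify(challenge, response)  # same pair, second time
    against_fresh = verifier.verify(verifier.issue_challenge(), response)  # old answer, new question
    return not replayed and not against_fresh
```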
Types of Challenge-Response Authentication
Types of Challenge-Response Authentication:
- Password-based Challenge-Response: The challenge may be a nonce, and the response is calculated using a cryptographic function that involves the user’s password.
- Time-based Challenge-Response: The challenge may include a timestamp, and the response is calculated based on a secret key and the current time.
- Biometric Challenge-Response: The challenge could involve a unique biometric measurement, and the response is generated based on the user’s biometric data.
- Hardware Token Challenge-Response: The challenge is typically generated by a hardware token, and the response is generated by the token based on a secret key.