The challenge-response procedure is a secure, knowledge-based procedure for authenticating a participant. One participant sets a task (challenge) that the other has to solve (response) in order to prove knowledge of a certain piece of information (the shared secret) without transmitting that information itself. This protects the password against being eavesdropped on by attackers on the line.
There are different methods for this, all built on the same basic principle: if one party (usually named Alice in cryptography) wants to authenticate itself to another party (usually called Bob), Bob sends a random number N (nonce) to Alice (so Bob provides the challenge). Alice adds her password to this number N, applies a cryptographic hash function or encryption to this combination, and sends the result to Bob (thus providing the response). Bob, who knows the random number, the shared secret (= Alice’s password) and the hash function or encryption used, performs the same calculation and compares his result with the response he receives from Alice. If the two values are identical, Alice has successfully authenticated herself.

However, an attacker listening in on the line has the option of launching a so-called known-plaintext attack. To do this, the attacker records the transmitted random number (challenge) as well as the corresponding response and tries to infer the password using cryptanalytic methods.
Example
Such attacks have led to success in GSM systems, for example.
Protection
Another way to prevent this attack is to include in the challenge a timestamp that is valid only for a short time, so that the validity period of the response expires before the attacker can guess the password. To make a replay of an intercepted response unsuccessful, it must also be ensured that the random number in the challenge changes with each connection or session and that it is not worthwhile for the attacker to collect responses over the long term; this is achieved by expiring the timestamps.
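The exchange described above, with the short-lived timestamp and the per-session random number, as an added example that is not part of the original article. It assumes HMAC-SHA256 as the keyed hash (the article only says "hash function or encryption"); the names `Verifier`, `respond` and `MAX_AGE` and the 30-second window are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE = 30  # seconds a challenge stays valid (assumed value)


def respond(secret, nonce, timestamp):
    """Alice: keyed hash over nonce and timestamp; the secret is never sent."""
    msg = nonce + timestamp.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Verifier:
    """Bob: issues challenges and checks responses (hypothetical helper)."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}  # nonce -> issue time; every nonce is single-use

    def challenge(self, now=None):
        now = time.time() if now is None else now
        # Forget challenges that were never answered and have expired.
        self.pending = {n: t for n, t in self.pending.items() if now - t <= MAX_AGE}
        nonce = secrets.token_bytes(16)  # fresh random number per session
        self.pending[nonce] = now
        return nonce, int(now)

    def verify(self, nonce, timestamp, response, now=None):
        now = time.time() if now is None else now
        issued = self.pending.pop(nonce, None)  # pop: a replay finds nothing
        if issued is None or int(issued) != timestamp:
            return False
        if now - issued > MAX_AGE:  # response arrived after expiry
            return False
        expected = respond(self.secret, nonce, timestamp)
        return hmac.compare_digest(expected, response)  # constant-time compare


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    bob = Verifier(secret)
    nonce, ts = bob.challenge()
    answer = respond(secret, nonce, ts)
    print("first attempt:", bob.verify(nonce, ts, answer))
    print("replayed:", bob.verify(nonce, ts, answer))
```

Because the nonce is removed on the first verification attempt, a wrong guess also consumes the challenge, so each captured challenge allows only one online attempt.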
Dictionary attack
Another possibility is the dictionary attack. Here, the attacker guesses the password, uses it to encrypt the random number and compares his result with the response.
Example
In this way, version 4 of the Kerberos protocol could be successfully attacked.
Protection
One remedy is, for example, to transmit the random number from Bob to Alice in encrypted form.
Cons of Challenge-Response Authentication
It must be ensured that the password hash stored on the server side can be generated on the client side. Otherwise, the password would have to be stored in plain text on the server side. For hashing algorithms with salt, the client must have the salt in order to generate the hash on the client side.
Another disadvantage is that the secret must also be available in plain text on the client side (Alice) so that the client can present itself as an authorized user. This can be remedied by calculating the response on a chip card, but then the problem becomes ensuring that no unauthorized person uses Alice’s chip card.
Challenge-response authentication can be found in the APOP authentication method of the POP3 protocol, in CHAP authentication for PPP network connections (e.g., ADSL or modem Internet connections), or in the CRAM-MD5 method.
Apple’s version of VNC’s screen-sharing protocol also uses a challenge-response process to log in.