Talk:Challenge–response authentication

Excessive use of "Quotation Marks"
This page has an unusual style that is quite distracting to read, in which half the words are quoted despite not being terms of art. I will go through and clean it up over time if no one objects. Amrsaadiq (talk) 20:21, 3 June 2022 (UTC)

Fraternities and Sororities
I think it would be cool if someone with good writing skills wrote a paragraph or sentence somewhere in the article about how many fraternities and sororities have challenges to enter their chapter meetings. — Preceding unsigned comment added by 68.97.82.7 (talk) 03:56, 29 June 2012 (UTC)


 * That is actually called a Countersign (military), but it is often referred to as a challenge response. I'll add a link because I am sure others land here looking for the Countersign. Halcyonforever (talk) 16:22, 18 September 2023 (UTC)

Comment
I think that the statement "A nonce prevents man-in-the-middle attack" should be removed because this is probably not true.

"Challenge-response" or "challenge-reply"
Hello, can someone clarify whether challenge-response authentication or challenge-reply authentication is the right term? thanks --195.145.211.194 12:02, 28 November 2006 (UTC)


 * This is the first time I've heard the phrase "challenge-reply authentication". A Google search for the former yields about 118,000 results while challenge-reply yields only 38. It's a safe bet to say "challenge-response authentication". -- intgr 15:32, 28 November 2006 (UTC)

Answer these 3 questions....... and if you answer them we will call you the king of WhatsApp.. Question 1 - A father gave his daughter 1 gift and said: if you get hungry, eat it.. if you get thirsty, drink it, and if you feel cold, burn it.. What is this gift? Challenge for u. Question 2 - There is a thing that weighs 2 kilos when dry, 1 kilo when wet, and 3 kilos when burnt; tell me, tell me..... Question 3 - What is the thing that comes 1 time a year, 2 times a month, 4 times a week, and 6 times a day...? Answer all of these questions.. You have one day's time; let's see who in the group is the biggest genius.

Here are three questions. If you give the right answers, you can hopefully pass any exam. 🔸1 Why is a hanging scheduled before sunrise? Why is it not carried out at any other time? 🔸2 What is the thing which, if you have it, a wedding cannot take place, and if you do not have it, a funeral cannot take place? 🔸3 If a girl's body is found, how would you find out which religion the girl belonged to?

Reply is a must. Forward this to whoever you can and look for the answers.

You are challenged to send this to your friends within 24 hours; your time starts now. If you are a WhatsApp expert, give the answers. Sarwan parjapat (talk) 11:41, 3 September 2016 (UTC)

"Unix passwords"
This paragraph is wack and the logic is flawed and convoluted. —Preceding unsigned comment added by 212.146.94.66 (talk) 16:04, August 30, 2007 (UTC)


 * It makes sense to me, but it's not well written indeed; I have added a "confusing" template. -- intgr #%@! 23:56, 30 August 2007 (UTC)

password as challenge/response
Most security professionals would disagree with:

"The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password."

The key feature of challenge/response is that the responder is forced to give a different answer every time. Passwords are often contrasted with challenge response systems. For references see: RFC 4949, Network Security by Kaufman et al., or any good book on Information Security.

It is possible to distinguish between cryptographic challenge response systems where a well vetted cryptographic algorithm is performed to compute the output from the input and non-cryptographic systems where some other sort of prearranged scheme is used. See for example the O. Henry story "Calloway's Code". In the story a reporter transmits the first word in a common phrase and the receivers fill in the rest of the phrase. In the story it is not used for authentication, but it could be. Perhaps a better example would be recognition systems used by navies and other military organizations. They simply issue a secret code book containing challenges and their corresponding responses. Hal lockhart 21:38, 24 October 2007 (UTC)
 * Indeed. Saying that asking for the password makes password-based authentication a simple form of challenge response is ludicrous. You could then say, by the same logic, that *any* authentication is challenge-response, as every authentication method is challenging the user to authenticate him/herself. Gerbennn (talk) 10:19, 7 June 2011 (UTC)
 * Agreed. I believe the "challenge" has to cause the required response to vary or it's not challenge-response authentication. A fixed "what's the password?" 'challenge' is not enough because it doesn't vary the response. I think the source cited is simply incorrect in its definition of the "challenge" in CRAM - the "challenge" part of CRAM refers to the challenge-response sequence described in CRAM-MD5, rather than the "challenge" being the Authentication Required message. I just went ahead and changed it. Binkyuk (talk) 12:17, 10 August 2012 (UTC)
 * Then again, I take it back. RFC4949 defines the term as including simple password authentication in response to a request for one. Silly, but there it is. Binkyuk (talk) 12:31, 10 August 2012 (UTC)

Pull-down menus
Pull-down menus are used at http://languagetesting.info/mail/email.php. -- Wavelength (talk) 17:54, 14 April 2010 (UTC)

Storage of plaintext-equivalents can be avoided with simple C/R schemes
From my experience, most people do not realize that there exist simple algorithms (not involving public key crypto) that avoid the need for the server to store plaintext equivalents. This is reflected even in Internet RFCs (such as on APOP, CRAM, CHAP) - the authors probably did not realize! I am not aware of a more appropriate Wikipedia article to have this mentioned in, and my understanding is that publishing the algorithms right in Wikipedia (and only in Wikipedia) would be inappropriate - need to refer to an external source. Similarly, making a statement and not backing it up with algorithms would be inappropriate.

For the reasons above, I had added a link to my external wiki page describing two such algorithms of my own and linking to an external website with a third algorithm invented by another person. Although I am biased when linking to my own stuff, I think it is highly relevant to the article, and is desirable to have in here. However, another editor eventually thought otherwise and removed the link.

I propose that the info/reference/link be re-introduced, maybe along with other edits to the article such that the link does not "stand out" (sort of contradicting what was just said in the paragraph), like it did (which could have contributed to the link appearing "irrelevant" to someone possibly not very familiar with the problem). I'd appreciate any comments, votes for/against (with reasoning), any other suggestions, and actual edits to the article. -- Solardiz (talk) 01:54, 13 January 2011 (UTC)

I just took care of this by referring to Wikipedia article on SCRAM from that paragraph. (That article didn't exist back in 2010-2011.) --Solardiz (talk) 15:37, 29 April 2015 (UTC)

As far as I understand, SCRAM cannot address the problem of "plaintext equivalent storage". If the server stores the hash, then pass-the-hash is possible (as described in the SCRAM Wikipedia article). If the server stores a hash of the hash (as in Solardiz's article), then what is sent by the client is the secret and it is not a challenge response scheme anymore. Let's follow my question about it here: https://security.stackexchange.com/questions/239225/is-wikipedia-article-about-challenge-response-wrong --Sibwara 2020-10-06

I was wrong, SCRAM actually makes it possible to address both problems. --Sibwara 2020-10-06
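The following is an added illustration for the two threads above (Solardiz's point that a server need not store a plaintext equivalent, and Sibwara's question about how SCRAM manages that); it is not code from the talk page, the article or any SCRAM implementation. It follows the SCRAM key schedule (PBKDF2 to a salted password, HMAC-derived ClientKey and ServerKey, StoredKey = H(ClientKey)) with constructed parameters: the hash, iteration count, salt, passwords, nonces and the simplified AuthMessage string are all assumptions made for this example. The point it shows is that the server's record cannot be replayed as the client's proof, and that the client never sends anything fixed.

```python
import hashlib
import hmac
import secrets

# Parameters constructed for this example (not taken from the talk page or any deployment).
HASH = "sha256"
ITERATIONS = 4096
SALT = b"constructed-salt"


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(password, salt, iterations):
    # SaltedPassword -> ClientKey, ServerKey, following SCRAM's key schedule
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return client_key, server_key


def enroll(password, salt=SALT, iterations=ITERATIONS):
    """Server enrollment: keep salt, iteration count, StoredKey = H(ClientKey) and
    ServerKey. Neither the password nor ClientKey is stored."""
    client_key, server_key = derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.new(HASH, client_key).digest(),
            "server_key": server_key}


def client_proof(password, record, auth_message):
    """Client: mask ClientKey with ClientSignature = HMAC(StoredKey, AuthMessage).
    Only salt and iteration count are read from the record (the server sends them);
    the proof changes with every AuthMessage and ClientKey itself is never sent."""
    client_key, _ = derive_keys(password, record["salt"], record["iterations"])
    stored_key = hashlib.new(HASH, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    return xor_bytes(client_key, client_sig)


def server_verify(record, auth_message, proof):
    """Server: unmask ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(record["stored_key"], auth_message, HASH).digest()
    recovered_client_key = xor_bytes(proof, client_sig)
    return hmac.compare_digest(hashlib.new(HASH, recovered_client_key).digest(),
                               record["stored_key"])


def server_signature(record, auth_message):
    """Server proves knowledge of ServerKey so the client can authenticate it in turn."""
    return hmac.new(record["server_key"], auth_message, HASH).digest()


def client_verify_server(password, record, auth_message, signature):
    _, server_key = derive_keys(password, record["salt"], record["iterations"])
    expected = hmac.new(server_key, auth_message, HASH).digest()
    return hmac.compare_digest(expected, signature)


def forged_proof_from_stored_key(record, auth_message):
    """What a party holding only the server's record can produce: StoredKey used in
    place of ClientKey. The server unmasks StoredKey, hashes it, and H(StoredKey)
    does not equal StoredKey, so the proof is rejected."""
    client_sig = hmac.new(record["stored_key"], auth_message, HASH).digest()
    return xor_bytes(record["stored_key"], client_sig)


def run_exchange(password, attempt, record=None):
    """One full authentication with fresh nonces. Returns (server_accepts, client_accepts)."""
    record = record or enroll(password)
    cnonce, snonce = secrets.token_hex(8), secrets.token_hex(8)
    # AuthMessage binds both nonces, so a captured proof is useless in another session
    auth_message = (f"n=user,r={cnonce},r={cnonce}{snonce},"
                    f"s={record['salt'].hex()},i={record['iterations']}").encode()
    proof = client_proof(attempt, record, auth_message)
    server_accepts = server_verify(record, auth_message, proof)
    sig = server_signature(record, auth_message)
    client_accepts = client_verify_server(attempt, record, auth_message, sig)
    return server_accepts, client_accepts


if __name__ == "__main__":
    print(run_exchange("correct horse", "correct horse"))   # (True, True)
    print(run_exchange("correct horse", "wrong password"))  # (False, False)
```

The record is not a plaintext equivalent for the client side: presenting StoredKey where ClientKey belongs fails the preimage check. The caveat the SCRAM specification itself gives still applies: someone who holds the record and also captures one genuine exchange can unmask that session's ClientKey, so the stored record must still be protected and the iteration count kept high.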

Simple example mutual-authentication sequence
The proposed mutual authentication scheme doesn't actually provide mutual authentication, since the server's hashB equals the client's hashA, which the client has just sent to the server.

Possibly sr was meant to be defined like so, with the challenges reversed?
 * Server computes sr = hashB(sc + cc + secret)

For some hash functions it would also probably be somewhat safer to use an HMAC.

-- Alberge204 (talk) 06:05, 12 February 2013 (UTC)
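The following is an added example, not code from the talk page or the article, that models the problem Alberge204 describes: when both sides compute the same hash over the same inputs, the server's reply is exactly the value the client just sent, so a party that never knew the secret can echo it back. The fixed variant applies the two suggestions in the comment (reverse the challenge order for the server, and use an HMAC) and adds a role tag. The secret, nonces and tag strings are constructed for this example.

```python
import hashlib
import hmac
import secrets


def flawed_response(secret, cc, sc):
    """The scheme as the comment describes it: both sides compute hash(cc + sc + secret),
    so the server's reply sr is byte-for-byte the client's reply cr."""
    return hashlib.sha256(cc + sc + secret).digest()


def fixed_client_response(secret, cc, sc):
    """Client response: HMAC keyed by the shared secret, with a role tag and the
    challenges in client-then-server order."""
    return hmac.new(secret, b"client-response" + cc + sc, "sha256").digest()


def fixed_server_response(secret, cc, sc):
    """Server response: same key, different tag, challenges reversed (sc + cc, as the
    comment suggests), so sr can never coincide with cr."""
    return hmac.new(secret, b"server-response" + sc + cc, "sha256").digest()


FLAWED = {"client": flawed_response, "server": flawed_response}
FIXED = {"client": fixed_client_response, "server": fixed_server_response}


def reflection_accepted(scheme, secret=b"constructed-shared-secret"):
    """Would a party who does NOT know the secret pass as the server by echoing cr?
    The impostor picks sc, receives the client's cr, and returns it unchanged as sr."""
    cc = b"client-challenge-01"   # constructed nonce from the client
    sc = b"server-challenge-01"   # constructed nonce, chosen by the impostor
    cr = scheme["client"](secret, cc, sc)        # genuine client response, visible on the wire
    sr_forged = cr                               # reflected back without knowing the secret
    expected = scheme["server"](secret, cc, sc)  # what the client computes to check the server
    return hmac.compare_digest(sr_forged, expected)


def honest_run(scheme, server_secret, client_secret):
    """Both sides run the scheme with fresh challenges.
    Returns (server_accepts_client, client_accepts_server)."""
    cc, sc = secrets.token_bytes(16), secrets.token_bytes(16)
    cr = scheme["client"](client_secret, cc, sc)
    server_accepts = hmac.compare_digest(cr, scheme["client"](server_secret, cc, sc))
    sr = scheme["server"](server_secret, cc, sc)
    client_accepts = hmac.compare_digest(sr, scheme["server"](client_secret, cc, sc))
    return server_accepts, client_accepts


if __name__ == "__main__":
    print("flawed scheme, reflected reply accepted:", reflection_accepted(FLAWED))  # True
    print("fixed scheme, reflected reply accepted:", reflection_accepted(FIXED))    # False
    print("fixed scheme, honest run:", honest_run(FIXED, b"k", b"k"))               # (True, True)
```

Both schemes pass an honest run, which is why the defect is easy to miss; the check that exposes it is whether the server's expected value can ever be derived from what the client already sent. Distinct tags (or reversed order) make the two responses different messages under the same key, and HMAC avoids depending on the properties of a raw hash with the secret concatenated in.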

"If the intruder somehow obtains a password hash, he or she can use any password that generates the same hash."
Why would the intruder need the password, if the server only asks him for a hash during challenge-response?

In terms of reusability to impersonate the legitimate client, stealing the hash becomes equivalent to stealing the password. --217.140.96.21 (talk) 08:32, 11 April 2013 (UTC)


 * You are correct. A simple password hash won't suffice in a true challenge–response system. I've rewritten the section in question.--agr (talk) 11:19, 11 April 2013 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified one external link on Challenge–response authentication. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FAQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20041014002830/http://www.cag.lcs.mit.edu/~rugina/ssh-procedures/ to http://www.cag.lcs.mit.edu/~rugina/ssh-procedures/

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers.— InternetArchiveBot (Report bug) 14:41, 2 August 2017 (UTC)