Talk:Challenge–response authentication

This article is within the scope of WikiProject Computer science, a collaborative effort to improve the coverage of Computer science related articles on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer scienceWikipedia:WikiProject Computer scienceTemplate:WikiProject Computer scienceComputer science articles

Low

This article has been rated as Low-importance on the project's importance scale.

Things you can help WikiProject Computer science with:

Here are some tasks awaiting attention:

Article requests :
- Requested articles/Applied arts and sciences/Computer science, computing, and Internet
Cleanup :
- Computer science articles needing attention
- Computer science articles needing expert attention
Copyedit :
- Computing
Expand :
- Computer science
Infobox :
- Computer science articles without infoboxes
Maintain :
- Timeline of computing 2020–present
Photo :
- Find pictures for the biographies of computer scientists (see List of computer scientists)
- Computing articles needing images
Stubs :
- Computer science stubs
Unreferenced :
- WikiProject Computer science/Unreferenced BLPs
Project-related :
- Tag all relevant articles in Category:Computer science and sub-categories with {{WikiProject Computer science}}

Computing Low‑importance

This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing articles

Low

This article has been rated as Low-importance on the project's importance scale.

This article is supported by WikiProject Computer Security (assessed as Mid-importance).

Things you can help WikiProject Computer Security with:

Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information...

Answer question about Same-origin_policy
Review importance and quality of existing articles
Identify categories related to Computer Security
Tag related articles
Identify articles for creation (see also: Article requests)
Identify articles for improvement
Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc.
Find editors who have shown interest in this subject and ask them to take a look here.

Cryptography: Computer science Mid‑importance

	This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.CryptographyWikipedia:WikiProject CryptographyTemplate:WikiProject CryptographyCryptography articles
Mid	This article has been rated as Mid-importance on the importance scale.
	This article is supported by WikiProject Computer science (assessed as Mid-importance).

Excessive use of "Quotation Marks"[edit]

This page has an unusual style that is quite distracting to read, in which half the words are quoted despite not being terms of art. I will go through and clean it up over time if no one objects. Amrsaadiq (talk) 20:21, 3 June 2022 (UTC)[reply]

Fraternities and Sororities[edit]

I think it would be cool if someone with good writing skills wrote a paragraph or sentence somewhere in the article about how many fraternities and sororities have challenges to enter their chapter meetings. — Preceding unsigned comment added by 68.97.82.7 (talk) 03:56, 29 June 2012 (UTC)[reply]

That is actually called a Countersign_(military). But is often referred to as a challenge response. I'll add a link because I am sure others land here looking for the Countersign. Halcyonforever (talk) 16:22, 18 September 2023 (UTC)[reply]

Comment[edit]

I think that the statement: A noonce prevent man-in-the-middle attack should be removed because this is probably not true.

"Challenge-response" or "challenge-reply"[edit]

Hello, can someone clarify whether challenge-response authentication or challenge-reply authentication is the right term? thanks --195.145.211.194 12:02, 28 November 2006 (UTC)[reply]

This is the first time I've heard the phrase "challenge-reply authentication". A Google search for the former yields about 118,000 results [1] while challenge-reply yields only 38 [2]. It's a safe bet to say "challenge-response authentication". -- intgr 15:32, 28 November 2006 (UTC)[reply]

3 सवाल के जवाब बताओ....... और अगर इन सवालो के जवाब दे दिये तो हम आपको व्हाट्सअप के राजा कहेंगे.. सवाल 1- बाप ने बेटी को 1 गिफ्ट दिया और कहा भूख लगे तो खा लेना.. प्यास लगे तो पी लेना और ठंड लगे तो जला लेना.. ये गिफ्ट क्या है। Challenge for u सवाल 2 - एक चीज ऐसी है जो सुखी हो तो 2 किलो , गीली हो तो 1 किलो और जल जाए तो 3 किलो बताओ,बताओ..... सवाल 3 - वो क्या चीज़ है जो साल में 1 बार, महीने में 2 बार, हफ्ते में 4 बार, और दिन में 6 बार आती है...? उत्तर दो इन सभी सवाल का.. आप के पास समय एक दिन का समय है देखते हैं group में कौन सबसे ज्यादा जीनीयस है

ये तीन सवाल है? अगर आप सही जवाब दे दे , तो उम्मीद है कि आप हर परीक्षा पास कर सकते  है.

🔸1 फाँसी का समय सूरज निकलने के पहले क्यो किया जाता है ? किसी और समय में क्यो नही दी जाती है? 🔸2 वो कौन सी चीज है जो आपके पास हो तो विवाह नही हो सकता है और न हो तो अन्तिम संस्कार नही हो सकता है? 🔸3 अगर किसी लड़की की लाश मिले तो कैसे मालूम करोगे कि वह लडकी किस धर्मं की है?

                     रिप्लाई मस्ट ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''                   जिसको  भी फारवर्ड कर सकते है

करीए और जबाब तलाश कीजिए ।

 आपको चैलेंज है  24 घटे के  भीतर आप अपने साथी दोस्तों को  भेजे    
                                           आपका समय अब शुरु हुआ। 
  
व्हाट्सएप के एक्सस्पर्ट  हो तो उत्तर  दे। Sarwan parjapat (talk) 11:41, 3 September 2016 (UTC)[reply]

"Unix passwords"[edit]

This paragraph is wack and the logic is flawed and convoluted. —Preceding unsigned comment added by 212.146.94.66 (talk) 16:04, August 30, 2007 (UTC)

It makes sense to me, but it's not well written indeed; I have added a "confusing" template. -- intgr ^#%@! 23:56, 30 August 2007 (UTC)[reply]

password as challenge/response[edit]

Most security professionals would disagree with:

"The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password."

The key feature of challenge/response is that the responder is forced to give a different answer every time. Passwords are often contrasted with challenge response systems. For references see: RFC 4949, Network Security by kaufman et al or any good book on Information Security.

It is possible to distinguish between cryptographic challenge response systems where a well vetted cryptographic algorithm is performed to compute the output from the input and non-cryptographic systems where some other sort of prearranged scheme is used. See for example the O'Henry Story: Calloway's Code. In the story a reporter transmits the first word in a common phrase and the receivers fill in the rest of the phrase. In the story it is not used for authentication, but it could be. Perhaps a better example would recognition systems used by navies and other military organizations. They simply issue a secret code book containing challenges and their corresponding responses. Hal lockhart 21:38, 24 October 2007 (UTC)[reply]

Indeed. Saying that asking for the password makes password-based authentication a simple form of challenge response is ludicrous. You could then say, by the same logic that *any* authentication is challenge-response, as every authenentication method is challenging the user to authenticate him/herself. Gerbennn (talk) 10:19, 7 June 2011 (UTC)[reply]

Agreed. I believe the "challenge" has to cause the required response to vary or it's not challenge-response authentication. A fixed "what's the password?" 'challenge' is not enough because it doesn't vary the response. I think the source cited is simply incorrect in its definition of the "challenge" in CRAM - the "challenge" part of CRAM refers to the challenge-response sequence described in CRAM-MD5, rather than the "challenge" being the Authentication Required message. I just went ahead and changed it. Binkyuk (talk) 12:17, 10 August 2012 (UTC)[reply]

Then again, I take it back. RFC4949 defines the term as including simple password authentication in response to a request for one. Silly, but there it is. Binkyuk (talk) 12:31, 10 August 2012 (UTC)[reply]

Pull-down menus[edit]

Pull-down menus are used at http://languagetesting.info/mail/email.php. -- Wavelength (talk) 17:54, 14 April 2010 (UTC)[reply]

Storage of plaintext-equivalents can be avoided with simple C/R schemes[edit]

From my experience, most people do not realize that there exist simple algorithms (not involving public key crypto) that avoid the need for the server to store plaintext equivalents. This is reflected even in Internet RFCs (such as on APOP, CRAM, CHAP) - the authors probably did not realize! I am not aware of a more appropriate Wikipedia article to have this mentioned in, and my understanding is that publishing the algorithms right in Wikipedia (and only in Wikipedia) would be inappropriate - need to refer to an external source. Similarly, making a statement and not backing it up with algorithms would be inappropriate.

For the reasons above, I had added a link to my external wiki page describing two such algorithms of my own and linking to an external website with a third algorithm invented by another person. Although I am biased when linking to my own stuff, I think it is highly relevant to the article, and is desirable to have in here. However, another editor eventually thought otherwise and removed the link.

I propose that the info/reference/link be re-introduced, maybe along with other edits to the article such that the link does not "stand out" (sort of contradicting what was just said in the paragraph), like it did (which could have contributed to the link appearing "irrelevant" to someone possibly not very familiar with the problem). I'd appreciate any comments, votes for/against (with reasoning), any other suggestions, and actual edits to the article. -- Solardiz (talk) 01:54, 13 January 2011 (UTC)[reply]

I just took care of this by referring to Wikipedia article on SCRAM from that paragraph. (That article didn't exist back in 2010-2011.) --Solardiz (talk) 15:37, 29 April 2015 (UTC)[reply]

As far as what I understand, SCRAM cannot address the problem of "plaintext equivalent storage". If the server store the hash, then pass-the-hash is possible (like described in the SCRAM wikipedia article). If the server store a hash of the hash (like in the article of Solardiz) then what is sent by the client is the secret and it is not a challenge response scheme anymore. Let's follow my question about it here: https://security.stackexchange.com/questions/239225/is-wikipedia-article-about-challenge-response-wrong --Sibwara 2020-10-06 I was wrong, SCRAM actually permits to address the two problems. --Sibwara 2020-10-06

Simple example mutual-authentication sequence[edit]

The proposed mutual authentication scheme doesn't actually provide mutual authentication, since the server's hashB equals the client's hashA, which the client has just sent to the server.

Possibly sr was meant to be defined like so, with the challenges reversed?

Server computes sr = hashB(sc + cc + secret)

For some hash functions it would also probably be somewhat safer to use an HMAC.

-- Alberge204 (talk) 06:05, 12 February 2013 (UTC)[reply]

"If the intruder somehow obtains a password hash, he or she can use any password that generates the same hash."[edit]

Why would the intruder need the password, if the server only asks him for a hash during challenge-response?

In terms of reusability to impersonate the legitimate client, stealing the hash becomes equivalent to stealing the password. --217.140.96.21 (talk) 08:32, 11 April 2013 (UTC)[reply]

You are correct. A simple password hash won't suffice in a true challenge–response system. I've rewritten the section in question.--agr (talk) 11:19, 11 April 2013 (UTC)[reply]

External links modified[edit]

Hello fellow Wikipedians,

I have just modified one external link on Challenge–response authentication. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

Added archive https://web.archive.org/web/20041014002830/http://www.cag.lcs.mit.edu/~rugina/ssh-procedures/ to http://www.cag.lcs.mit.edu/~rugina/ssh-procedures/

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 14:41, 2 August 2017 (UTC)[reply]