Questions tagged [challenge-response]
37 questions
21
votes
3 answers
Challenge/response authentication for garage door opener
I'm building an Arduino based radio garage door opener, and in order to protect it from replay attacks I've came up with this algorithm:
sender initiates communication
receiver sends a random 32 bit number XORed with a secret key
sender reverses…
Denis Denisovici
- 321
- 2
- 5
5
votes
2 answers
Which user authentication measures are used nowadays?
I was reading about Passwords and came across methods used for authenticating client to a server. Since sending password in Plain text to the server isn't the best method for authentication of a user, certain methods were described which provide…
Vasu Deo.S
- 175
- 1
- 7
5
votes
2 answers
Which is more secure Yubikey + Keepass using Challenge/Response or Yubikey + Keepass using OTP?
I use a Windows 10 PC and an Android phone with Keepass.
I would like to add a second factor on top of my master password that works with both Windows 10 and my Android phone.
Between the two support methods of authentication, which one is more…
user1709730
- 63
- 1
- 4
5
votes
3 answers
Given a secure channel, are there any benefits in using SCRAM over a username and password?
Given that a communication over HTTP
uses SSL encryption
uses public key pinning to prevent MiTM attacks
is security in any way elevated by using Salted Challenge Response Authentication Mechanism (SCRAM) over basic access authentication and…
qnoid
- 253
- 1
- 5
5
votes
5 answers
How does SSH client ensure that SSH server bears the private key, which is the pair of the public key in client's "known_hosts" file?
An SSH client obviously authenticates an SSH server in some way. Because when the key of the server changes, the SSH client software gives us a loud warning about the key of the server being changed and this might be a MitM attack.
However, does the…
Utku
- 724
- 1
- 7
- 12
5
votes
1 answer
Do human challenge-response authentication schemes exist?
As far as I know, challenge-response authentication schemes employ a shared secret (or two halves of a key pair) and an irreversible function which combines the secret and a challenge into a response that proves that the client knows the secret, but…
matega
- 369
- 1
- 8
4
votes
2 answers
Protect password/authenticating during transit over (insecure) TCP socket for a game
Background
I am designing a multi-player game with a single server that handles multiple worlds. Each player logs into the server initially before requesting which world to join.
The server has a fixed IP address that is currently the same as the…
Ashley Davies
- 143
- 6
3
votes
2 answers
Why does WebAuthn require a challenge when asking the client to register a new credential?
When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge?
Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS already?
johnnyodonnell
- 153
- 5
3
votes
1 answer
ESP8266 Dash Button Security
I have built a dash button using ESP8266 microcontroller. The microcontroller should make a response to a ASP.NET WebApi Rest Service to trigger an action. How can i make this api call secure. The action should only be triggered from this specific…
kuppi
- 31
- 1
3
votes
2 answers
Should passwords and challenge questions & answers be migrated?
I am currently working on the migration of a user Identity and Access Management tool from a legacy platform (product + solution) to a new one (same product but upgraded + updated solution)
My team was challenged with the following…
Hugo Tavares
- 31
- 2
3
votes
1 answer
Is my client challenge authentication secure?
I have an app installed on customers' machines, a server, and a regular website between the two. In order not to have the customers configure anything (user credentials, proxy settings...), the app communicates with the server through the…
thomasb
- 351
- 2
- 8
3
votes
2 answers
Guidelines for password register size in embedded devices
I'm working on an embedded systems project for school in which we need to store a password (or key, whatever). The idea is that this design should eventually be reducible to bare-metal hardware and manufactured on an extremely large scale. For that…
agentroadkill
- 211
- 1
- 5
2
votes
1 answer
How to secure a websocket connection with challenge-response?
TL;DR Given that all of the state information for a web browser is accessible to a (potentially hostile) user, how can challenge-response authentication between the browser and the server be considered secure?
The Longer Version
I'm developing a web…
Kryten
- 349
- 2
- 7
2
votes
1 answer
Security bounds of TLS client authentication (from browsers)
Say that there are two servers that perform TLS. Both servers have valid end-point certificates. In other words, neither of them would raise a warning from the browsers after the connection has been established.
Is there any way that the client…
Maarten Bodewes
- 4,562
- 15
- 29
2
votes
0 answers
How challenge response password recovery mechanism works with disk encryption?
For the sole purpose of learning, I am trying to figure out how disk encryption software is able to recover password of an encrypted disk using a challenge response mechanism.
Th recovery process usually goes like that:
You forgot your password on…
tigrou
- 133
- 3