Questions tagged [challenge-response]

37 questions
2 votes, 1 answer

Is there a password based challenge response authentication scheme with public key cryptography?

I was thinking about an authentication where the user only has to know a password but no salt, everything else the client retrieves from the server yet a user's password can't be retrieved from the data on the server nor from the communication,…
yacrc
2 votes, 1 answer

Access-Challenge EAP Request

From my understanding, after the Access-Request, the authentication server (RADIUS) sends a reply (encapsulated in the Access-Challenge packet) to the authenticator (AP). The Access-Challenge packet contains an EAP Request in which it is specified…
2 votes, 1 answer

Attack Challenge/Response Authentication by requesting challenges

If a client/server application uses a challenge/response pattern for authentication, e.g. SCRAM or alike, it often involves the usage of nonces (client nonce and server nonce) for preventing replay attacks. The server will generate a server nonce,…
1 vote, 1 answer

Is the Seed-And-Key Challenge-Response used in Automotive Security really secure?

As an Automotive Security Professional, my state of the art approach to implement a Secure Access would be to have an ECU generate a challenge (nonce + ID), forward it to the tester who can pass the challenge to the backend system which signs it…
AdHominem
1 vote, 0 answers

Problems understanding the use of Distance Bounding against Man-In-The-Middle attacks

I currently have to write a paper for university in my Network Security lecture about methods of secure location verification. Therefore, I chose to write about several distance bounding protocols, e.g. the one by Brands and Chaum and the Keyed Echo…
1 vote, 1 answer

How to authenticate a specific client program?

I have a server application which provides functions to a client program. The client is also programmed by me. Now I want to authenticate the client program itself (not any user) before using my service. I want to achieve that my service can only be…
1 vote, 2 answers

Using PGP to answer account security questions with PKI

Security questions are well known/widely considered to decrease security or otherwise create more problems (e.g., remembering gibberish), but sometimes I am required to have and answer them anyway. While that has been discussed many times before so…
1 vote, 1 answer

Authentication providers for applications with no internet connection

I have an interesting use case where users need to authenticate to applications running in environments that might not have internet access or even access to an authentication server. Administrators need to be able to grant and revoke access to…
1 vote, 2 answers

Securing authenticity of mifare cards, protection against cloning

I am designing a workflow for issuing and acquiring voucher cards for a client, and the chosen technology for the cards has been MIFARE DESFire. I have a lot of experience with credit cards and we want to make the technology as POS friendly as…
bbozo
1 vote, 0 answers

Offline request re-transmission prevention

I'm trying to do the following: I have 2 mobile devices, one acts as a server and the second as a client. The server device holds a secret key and advertises a challenge. Each request causes the challenge to change. The client device holds data (an…
Ron Dadon
1 vote, 0 answers

Should a unique CRA password salt travel the wire?

In an authentication method I am using an auth-framework which runs an implementation of CRA which forwards salt (with key length / iterations), challenge to the client. With this information the client can use the stored & salted password (which…
Simon Kemper
1 vote, 1 answer

Challenge-Response Application in E-banking

Why is it important that Alice doesn't know K? What could happen if Alice knew K?
0 votes, 0 answers

How does Nessus offline registration work?

To use the free trial of Nessus, you need an email address to receive an activation key. There are two modes to activate a Nessus server: Online mode registration: If the computer running Nessus server has internet, you can activate the software by…
molik
0 votes, 1 answer

Challenge-Response authentication and SSL

I'm currently developing an Android Application that communicates with a server and needs the user to login. The connection is secured with SSL and certificate pinning. For user authentication I'm currently using challenge-response. The server…
0 votes, 1 answer

Is this Wikipedia article about SCRAM wrong?

At my company, we put a honeypot in our network and it raised us the Lansweeper SSH password used to connect to the scanned assets (and it is reusable over many boxes...). So it is a way for an attacker to get sensitive passwords in a corporate…
Sibwara