Editing Challenge–response authentication (section)

==Cryptographic techniques==
Non-cryptographic authentication was generally adequate in the days before the [[Internet]], when the user could be sure that the system asking for the password was really the system they were trying to access, and that nobody was likely to be eavesdropping on the [[Channel (communications)|communication channel]]. To address the insecure channel problem, a more sophisticated approach is necessary. Many cryptographic solutions involve ''two-way authentication;'' both the user and the system must verify that they know the [[shared secret]] (the password), without the secret ever being transmitted [[Plaintext|in the clear]] over the communication channel.

One way this is done involves using the password as the '''[[encryption]]''' key to transmit some randomly generated information as the ''challenge'', whereupon the other end must return as its ''response'' a similarly encrypted value which is some predetermined function of the originally offered information, thus proving that it was able to decrypt the challenge. For instance, in [[Kerberos (protocol)|Kerberos]], the challenge is an encrypted integer ''N'', while the response is the encrypted integer ''N + 1'', proving that the other end was able to decrypt the integer ''N''. A hash function can also be applied to a password and a random challenge value to create a response value. Another variation uses a probabilistic model to provide randomized challenges conditioned on model input.<ref>{{cite book |last1=Ahmed |first1=Ibrahim H. |last2=Hanna |first2=Josiah P. |last3=Fosong |first3=Elliot |last4=Albrecht |first4=Stefano V. |title=Advances in Practical Applications of Agents, Multi-Agent Systems, and Social Good. The PAAMS Collection |series=Lecture Notes in Computer Science |date=2021 |volume=12946 |issue=19 |pages=14–26 |doi=10.1007/978-3-030-85739-4|isbn=978-3-030-85738-7 |s2cid=237611496 }}</ref>

Such encrypted or hashed exchanges do not directly reveal the password to an eavesdropper. However, they may supply enough information to allow an eavesdropper to deduce what the password is, using a [[dictionary attack]] or [[brute-force attack]]. The use of information which is randomly generated on each exchange (and where the response is different from the challenge) guards against the possibility of a [[replay attack]], where a malicious intermediary simply records the exchanged data and retransmits it at a later time to fool one end into thinking it has authenticated a new connection attempt from the other.

Authentication protocols usually employ a [[cryptographic nonce]] as the challenge to ensure that every challenge-response sequence is unique. This protects against [[Eavesdropping]] with a subsequent [[replay attack]]. If it is impractical to implement a true nonce, a strong [[cryptographically secure pseudorandom number generator]] and [[cryptographic hash function]] can generate challenges that are highly unlikely to occur more than once. It is sometimes important not to use time-based nonces, as these can weaken servers in different time zones and servers with inaccurate clocks. It can also be important to use time-based nonces and synchronized clocks if the application is vulnerable to a delayed message attack. This attack occurs where an attacker copies a transmission whilst blocking it from reaching the destination, allowing them to replay the captured transmission after a delay of their choosing. This is easily accomplished on wireless channels. The time-based nonce can be used to limit the attacker to resending the message but restricted by an expiry time of perhaps less than one second, likely having no effect upon the application and so mitigating the attack.

[[Mutual authentication]] is performed using a challenge-response handshake in both directions; the server ensures that the client knows the secret, and the client ''also'' ensures that the server knows the secret, which protects against a rogue server impersonating the real server.

Challenge-response authentication can help solve the problem of exchanging session keys for encryption. Using a [[key derivation function]], the challenge value and the secret may be combined to generate an unpredictable encryption key for the session. This is particularly effective against a man-in-the-middle attack, because the attacker will not be able to derive the session key from the challenge without knowing the secret, and therefore will not be able to decrypt the data stream.