Talk:Challenge–response authentication

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Fraternities and Sororities[edit]

I think it would be cool if someone with good writing skills wrote a paragraph or sentence somewhere in the article about how many fraternities and sororities have challenges to enter their chapter meetings. — Preceding unsigned comment added by (talk) 03:56, 29 June 2012 (UTC)


I think that the statement: A noonce prevent man-in-the-middle attack should be removed because this is probably not true.

"Challenge-response" or "challenge-reply"[edit]

Hello, can someone clarify whether challenge-response authentication or challenge-reply authentication is the right term? thanks -- 12:02, 28 November 2006 (UTC)

This is the first time I've heard the phrase "challenge-reply authentication". A Google search for the former yields about 118,000 results [1] while challenge-reply yields only 38 [2]. It's a safe bet to say "challenge-response authentication". -- intgr 15:32, 28 November 2006 (UTC)

3 सवाल के जवाब बताओ....... और अगर इन सवालो के जवाब दे दिये तो हम आपको व्हाट्सअप के राजा कहेंगे.. सवाल 1- बाप ने बेटी को 1 गिफ्ट दिया और कहा भूख लगे तो खा लेना.. प्यास लगे तो पी लेना और ठंड लगे तो जला लेना.. ये गिफ्ट क्या है। Challenge for u सवाल 2 - एक चीज ऐसी है जो सुखी हो तो 2 किलो , गीली हो तो 1 किलो और जल जाए तो 3 किलो बताओ,बताओ..... सवाल 3 - वो क्या चीज़ है जो साल में 1 बार, महीने में 2 बार, हफ्ते में 4 बार, और दिन में 6 बार आती है...? उत्तर दो इन सभी सवाल का.. आप के पास समय एक दिन का समय है देखते हैं group में कौन सबसे ज्यादा जीनीयस है

ये तीन सवाल है? अगर आप सही जवाब दे दे , तो उम्मीद है कि आप हर परीक्षा पास कर सकते  है.                          

🔸1 फाँसी का समय सूरज निकलने के पहले क्यो किया जाता है ? किसी और समय में क्यो नही दी जाती है? 🔸2 वो कौन सी चीज है जो आपके पास हो तो विवाह नही हो सकता है और न हो तो अन्तिम संस्कार नही हो सकता है? 🔸3 अगर किसी लड़की की लाश मिले तो कैसे मालूम करोगे कि वह लडकी किस धर्मं की है?

                     रिप्लाई मस्ट ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''                   जिसको  भी फारवर्ड कर सकते है

करीए और जबाब तलाश कीजिए ।

 आपको चैलेंज है  24 घटे के  भीतर आप अपने साथी दोस्तों को  भेजे    
                                           आपका समय अब शुरु हुआ। 
व्हाट्सएप के एक्सस्पर्ट  हो तो उत्तर  दे। Sarwan parjapat (talk) 11:41, 3 September 2016 (UTC)

"Unix passwords"[edit]

This paragraph is wack and the logic is flawed and convoluted. —Preceding unsigned comment added by (talk) 16:04, August 30, 2007 (UTC)

It makes sense to me, but it's not well written indeed; I have added a "confusing" template. -- intgr #%@! 23:56, 30 August 2007 (UTC)

password as challenge/response[edit]

Most security professionals would disagree with:

"The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password."

The key feature of challenge/response is that the responder is forced to give a different answer every time. Passwords are often contrasted with challenge response systems. For references see: RFC 4949, Network Security by kaufman et al or any good book on Information Security.

It is possible to distinguish between cryptographic challenge response systems where a well vetted cryptographic algorithm is performed to compute the output from the input and non-cryptographic systems where some other sort of prearranged scheme is used. See for example the O'Henry Story: Calloway's Code. In the story a reporter transmits the first word in a common phrase and the receivers fill in the rest of the phrase. In the story it is not used for authentication, but it could be. Perhaps a better example would recognition systems used by navies and other military organizations. They simply issue a secret code book containing challenges and their corresponding responses. Hal lockhart 21:38, 24 October 2007 (UTC)

Indeed. Saying that asking for the password makes password-based authentication a simple form of challenge response is ludicrous. You could then say, by the same logic that *any* authentication is challenge-response, as every authenentication method is challenging the user to authenticate him/herself. Gerbennn (talk) 10:19, 7 June 2011 (UTC)
Agreed. I believe the "challenge" has to cause the required response to vary or it's not challenge-response authentication. A fixed "what's the password?" 'challenge' is not enough because it doesn't vary the response. I think the source cited is simply incorrect in its definition of the "challenge" in CRAM - the "challenge" part of CRAM refers to the challenge-response sequence described in CRAM-MD5, rather than the "challenge" being the Authentication Required message. I just went ahead and changed it. Binkyuk (talk) 12:17, 10 August 2012 (UTC)
Then again, I take it back. RFC4949 defines the term as including simple password authentication in response to a request for one. Silly, but there it is. Binkyuk (talk) 12:31, 10 August 2012 (UTC)

Pull-down menus[edit]

Pull-down menus are used at -- Wavelength (talk) 17:54, 14 April 2010 (UTC)

Storage of plaintext-equivalents can be avoided with simple C/R schemes[edit]

From my experience, most people do not realize that there exist simple algorithms (not involving public key crypto) that avoid the need for the server to store plaintext equivalents. This is reflected even in Internet RFCs (such as on APOP, CRAM, CHAP) - the authors probably did not realize! I am not aware of a more appropriate Wikipedia article to have this mentioned in, and my understanding is that publishing the algorithms right in Wikipedia (and only in Wikipedia) would be inappropriate - need to refer to an external source. Similarly, making a statement and not backing it up with algorithms would be inappropriate.

For the reasons above, I had added a link to my external wiki page describing two such algorithms of my own and linking to an external website with a third algorithm invented by another person. Although I am biased when linking to my own stuff, I think it is highly relevant to the article, and is desirable to have in here. However, another editor eventually thought otherwise and removed the link.

I propose that the info/reference/link be re-introduced, maybe along with other edits to the article such that the link does not "stand out" (sort of contradicting what was just said in the paragraph), like it did (which could have contributed to the link appearing "irrelevant" to someone possibly not very familiar with the problem). I'd appreciate any comments, votes for/against (with reasoning), any other suggestions, and actual edits to the article. -- Solardiz (talk) 01:54, 13 January 2011 (UTC)

I just took care of this by referring to Wikipedia article on SCRAM from that paragraph. (That article didn't exist back in 2010-2011.) --Solardiz (talk) 15:37, 29 April 2015 (UTC)

Simple example mutual-authentication sequence[edit]

The proposed mutual authentication scheme doesn't actually provide mutual authentication, since the server's hashB equals the client's hashA, which the client has just sent to the server.

Possibly sr was meant to be defined like so, with the challenges reversed?

  • Server computes sr = hashB(sc + cc + secret)

For some hash functions it would also probably be somewhat safer to use an HMAC.

-- Alberge204 (talk) 06:05, 12 February 2013 (UTC)

"If the intruder somehow obtains a password hash, he or she can use any password that generates the same hash."[edit]

Why would the intruder need the password, if the server only asks him for a hash during challenge-response?

In terms of reusability to impersonate the legitimate client, stealing the hash becomes equivalent to stealing the password. -- (talk) 08:32, 11 April 2013 (UTC)

You are correct. A simple password hash won't suffice in a true challenge–response system. I've rewritten the section in question.--agr (talk) 11:19, 11 April 2013 (UTC)

External links modified[edit]

Hello fellow Wikipedians,

I have just modified one external link on Challenge–response authentication. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

As of February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete the "External links modified" sections if they want, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{sourcecheck}} (last update: 15 July 2018).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 14:41, 2 August 2017 (UTC)