What is Challenge Response Authentication Mechanism?
Challenge Response Authentication Mechanism is also called CRAM. It refers to a set of protocols that helps validate actions to protect digital assets and services from unauthorized access. This protocol usually has two components – a question and a response – where a verifier presents a challenge to a user, who must provide a correct answer for authentication. Challenge-response protocols can be as simple as a password or a dynamically generated request.
A challenge response authentication mechanism provides businesses with an easy-to-use tool that they can use to control access to sensitive information and identify bad actors.
Types of challenge-response mechanisms
Challenge-response authentication is not a new approach. It has been in use since the early 20th century, when the US military used a paper cryptographic system called DRYAD to authenticate radio users. In this system, users at both ends would read out numbers corresponding to a combination of letters to verify their identities.
In the digital realm, there are two main types of challenges as described below:
Static: True to their name, static challenges are protocols where responses do not change over time. These challenges allow users to select a challenge for authentication purposes. The case of ‘forgot password’ is an example of a static challenge. Here, when a user forgets the password, he can reset the password by answering a security question that he saved while setting up the account. The answers to these questions remain static, that is, they do not change over a period of time.
Dynamic: In this approach, users must respond to a challenge presented dynamically. These dynamic challenges are based on the premise that if the user is real, he will have a valid answer to the challenge. Therefore, the answers may be different for every challenge. For instance, a one-time password (OTP) or randomly generated token that the user must input to complete the authentication process.
Examples of challenge-response authentication systems
Challenge-response authentication is a method that businesses use to stop bad actors – as well as bots and scripts – from accessing crown-jewel business assets. Commonly used challenge response authentication mechanisms are:
- CAPTCHA: An automated method to distinguish between humans and bots, CAPTCHA is designed to prevent bots from disseminating spam, registering fake new accounts and hacking into genuine user accounts.
- Password: A server validates the password provided by the user with the correct password.
- Biometrics: To authenticate themselves users must provide their biometric details (such as iris or fingerprint scans) that are matched with those saved in the authentication system.
- Salted Challenge Response Authentication Mechanism (SCRAM): A hashed challenge is used such that the password can be used only once. The server validates the user-provided hash by matching with the saved hash, protecting the password from exposure through replay or man-in-the-middle attacks.
- SSH (Secure SHell): This is a cryptographic network protocol that facilitates secure operation of network services securely over an unsecured network. It authenticates communication sessions between servers using a public key infrastructure (PKI).
- Password proof system: This is a cryptographic method that helps verify passwords between two users without sharing their passwords mutually.
- Challenge-Handshake Authentication Protocol: CHAP is a three-way handshake where hash values are generated and verified between the authenticating system, challenge message, and the local system. If these hash values match, further action is allowed else the session is terminated.
- OATH Challenge-Response Algorithm: Developed by the Initiative for Open Authentication, OCRA is a cryptographically strong challenge-response authentication protocol.
- YubiKey: This method uses HMAC-SHA1 and Yubico OTP for authentication. In HMAC-SHA1, a string acts as a challenge and hashes the string with a stored secret, whereas Yubico OTP creates a Yubico OTP code encrypted using a stored AES key.
- MD5: In this mechanism, the RADIUS server directs a challenge to the client, which creates an MD5 hash of the challenge and the password that the user enters. These are then sent back to the server which uses the correct plaintext password from the database to validate the MD5 hash.
Uses of challenge-response authentication
Challenge-response authentication is mainly used in the following three areas.
- To verify passwords: When a user enters a password to log into a digital account, the password is matched with that saved on the server. In case the two passwords match, the user is successfully authenticated and allowed to continue with the onward digital journey. In case of a mismatch, appropriate countermeasures are used.
To distinguish between bots and humans: Bot attacks can disrupt business operations and degrade user experience. For instance, scalper bots can shop items in bulk during an online sale event, denying genuine consumers a fair chance to score a deal. Bad actors deploy bots and use stolen consumer details to complete unauthorized transactions at scale. Many businesses use challenge-response authentication for human verification to stop bots by affording consumers an opportunity to prove they are not bots. One of the common examples of human verification challenge-response authentication is CAPTCHA.
To train machine learning programs: Challenge-response authentication trains machine learning and artificial intelligence programs to solve complex programs. For instance, they are made to solve human verification puzzles and the outcome is matched with that of a human user. The programs learn from the feedback which improves their decision-making over time.
Limitations of challenge-response authentication
Although commonly used challenge-response authentication methods are useful in authenticating consumers, they have their own limitations. One of the most pressing problems is with passwords. Often, consumers reuse and recycle their passwords across multiple digital accounts. One successful account takeover attack can result in compromising multiple accounts. The server cannot ascertain whether the person providing the password is a genuine user or an impostor using stolen consumer details. If the impostor provides the correct password, the system will allow access to the system.
The latest CRAMs such as SCRAM use cryptography to match the hashes such that passwords are not exposed.