Challenge and respond login mechanism

I have always had the idea that passwords are really bad to use as a login mechanism, so I smashed my head into the wall, asked on forums and finally came up with this kind of login mechanism (don't worry, it's not new, and it has better overall security compared to passwords).

To understand the challenge and response login mechanism, we first need to know what exactly asymmetric encryption and an RNG (random number generator) are. I will leave people to explain or explore a little bit of what asymmetric encryption is. In asymmetric encryption we have 2 mathematically linked components, which are public and private; in normal asymmetric encryption, we use the public component to encrypt and the private component to decrypt. To use a challenge and response based login mechanism, we have to use something called cryptographic digital signatures. Digital signatures are actually asymmetric encryption but with the roles of the public and private component switched: we are now using the private component to encrypt and the public component to decrypt.

If the server uses a cryptographically secure RNG (the strength of the randomly generated nonsense [bytes]/data is greater than that of a normal RNG) rather than a normal RNG, this itself is unique data that can be public (it's not used in encryption); we then need to send the randomly generated nonsense data to the user. When the user signs up, they are required to let the server know the public part of their digital signature. When the user receives the nonsense data, they need to sign (encrypt) the data with their private component, then send the data to the server. The server will then try to verify (decrypt) it with the corresponding user's public part of the digital signature. If the server successfully verifies the received signed data, then the server can actually know that this data must be coming from the user, hence they can let the user log in. This whole mechanism is what some people call challenge and response.

It's like doing an exam: if we are well prepared, we can actually answer whatever questions (challenge) are given to us; however, if we are not well prepared, we will surely get a 0 mark for our exam.

It's better than whatever password based login mechanism is out there, but not every user will be carrying their digital signature private key wherever they go, so this will cause inconvenience to users. The suitable use case for this kind of login mechanism for now is only limited to API applications. If, let's say, your users really want security, sure, go ahead and use this kind of login mechanism in whatever system you create.

If people here would like to see how the challenge and response login mechanism works in code, do let me know. I will then create a sample project with its source code publicly available.

Edited by chrono_legionnaire

Maybe some people here will want to look at an example of how the challenge and response login mechanism works (cryptographic digital signature), if you are someone who has installed Visual Studio and has the .NET Framework installed in your Windows OS as well.

You can have a look at my sample code, which describes how it can be done.
(In actual code, you have to determine which information is private and clear it safely, and set a validity duration for the challenge that is generated and sent by the server.)

Here's the source code. Feel free to use it if you think that this login mechanism is generally better and more secure than a password.
https://github.com/Chewhern/Challenge_Response_Login


The logic behind the challenge and response login mechanism

The steps required will be:
1. When users register in the system (online), they will most likely generate a digital signature keypair. The users will need to keep the keypair's secret key in a secret and secure way, and then they will need to give the keypair's public key to the server.
2. When a user intends to log in, the server has to generate some random data, in this case a random challenge, in a cryptographically secure way. According to some forums, the minimum length of the random data or challenge is 128 bits or 16 bytes.
3. The server has to sign it either with a one-time digital signature keypair's secret key or with a long-term digital signature keypair's secret key; the first ensures that even if a server gets hacked, considering how cryptography works, they can't re-sign the random challenge themselves.
4. The server will then send the challenge signed by the server and the corresponding digital signature public key to the respective user.
5. When the user receives the challenge signed by the server, they will need to verify it with the server's public key; if the verification succeeds, they will then sign the challenge with their own digital signature private key.
6. The user will then send the signed challenge back to the server.
7. Because the server holds the user's digital signature keypair public key, the server can then use that to verify the signed challenge. If the verification succeeds, the user can log in; otherwise it's most likely an imposter.

Hopefully this helps; if you think that this login mechanism is worth considering in some of your API based projects, you are free to use the logic behind this login mechanism.

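The following is an added example, not code from the thread or from the linked C# sample project, that implements the mechanism described in the first post and the seven steps listed in the last one using only Go's standard library (Ed25519 signatures from crypto/ed25519 and a CSPRNG from crypto/rand). The user name "alice", the 30-second challenge lifetime and the in-memory maps are constructed for the example. Two things the posts mention only in passing are made explicit: the server remembers each challenge with an expiry and accepts it at most once, and the client compares the server key that arrives with the challenge (step 4) against a key it already trusts, since a key delivered in the same message as the signature cannot on its own prove who sent it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Challenge is what the server sends in step 4: the random bytes, the
// server's signature over them, and the server's signing public key.
type Challenge struct {
	Nonce     []byte
	ServerSig []byte
	ServerPub ed25519.PublicKey
}

// Server keeps the public keys registered in step 1 and the challenges it
// has issued but not yet seen answered (constructed in-memory store).
type Server struct {
	priv    ed25519.PrivateKey // long-term server signing key (step 3)
	pub     ed25519.PublicKey
	users   map[string]ed25519.PublicKey
	pending map[string]time.Time // hex(nonce) -> expiry
	ttl     time.Duration
	mu      sync.Mutex
	Now     func() time.Time // injectable clock so expiry can be tested
}

func NewServer(ttl time.Duration) (*Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, pub: pub, users: map[string]ed25519.PublicKey{},
		pending: map[string]time.Time{}, ttl: ttl, Now: time.Now}, nil
}

// ServerPublicKey is the key a client would obtain and pin out of band.
func (s *Server) ServerPublicKey() ed25519.PublicKey { return s.pub }

// Register stores a user's verification key (step 1).
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[user] = pub
}

// NewChallenge covers steps 2-4: 16 random bytes (128 bits) from a CSPRNG,
// signed by the server, remembered with an expiry so it is answered at most once.
func (s *Server) NewChallenge(user string) (Challenge, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.users[user]; !ok {
		return Challenge{}, errors.New("unknown user")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	s.pending[hex.EncodeToString(nonce)] = s.Now().Add(s.ttl)
	return Challenge{Nonce: nonce, ServerSig: ed25519.Sign(s.priv, nonce), ServerPub: s.pub}, nil
}

// Respond is the client side of steps 5-6. The key carried in the challenge is
// compared with the pinned server key before the server signature is checked.
func Respond(c Challenge, pinnedServerPub ed25519.PublicKey, userPriv ed25519.PrivateKey) ([]byte, error) {
	if !c.ServerPub.Equal(pinnedServerPub) {
		return nil, errors.New("challenge not signed with the known server key")
	}
	if !ed25519.Verify(c.ServerPub, c.Nonce, c.ServerSig) {
		return nil, errors.New("server signature invalid")
	}
	return ed25519.Sign(userPriv, c.Nonce), nil
}

// VerifyResponse is step 7 plus two checks: the challenge must be one the
// server issued and not yet consumed, and it must not have expired.
func (s *Server) VerifyResponse(user string, nonce, userSig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(nonce)
	expires, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, key) // consumed whether or not the answer turns out valid
	if s.Now().After(expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, nonce, userSig) {
		return errors.New("user signature invalid: likely an imposter")
	}
	return nil
}

func main() {
	srv, _ := NewServer(30 * time.Second)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed user keypair
	srv.Register("alice", userPub)
	c, _ := srv.NewChallenge("alice")
	sig, err := Respond(c, srv.ServerPublicKey(), userPriv)
	if err != nil {
		fmt.Println("client refused challenge:", err)
		return
	}
	fmt.Println("login:", srv.VerifyResponse("alice", c.Nonce, sig))  // login: <nil>
	fmt.Println("replay:", srv.VerifyResponse("alice", c.Nonce, sig)) // replay: unknown or already used challenge
}
```

The nonce is deleted from the pending map before the signature is checked, so a wrong answer burns the challenge and the client must request a fresh one; combined with the expiry this is the "valid duration" the second post asks for. In a real deployment the user key store and pending-challenge table would live in persistent storage, and the client would obtain the pinned server key through whatever trust channel the application already has (a configuration file or a certificate), not from the challenge message itself.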
