Questions tagged [challenge-response]
The challenge-response tag has no summary.
43 questions
0 votes, 1 answer, 72 views
Mutual authentication with symmetric challenge-response protocol ap4.0
The challenge-response protocol ap4.0 is defined like the following:
Goal: avoid replay attack
Nonce: number R used only once (during the lifetime of the key/pw/...)
Protocol ap4.0: to prove Alice &...
3 votes, 1 answer, 448 views
How to evaluate security of non-standard challenge response implementation?
I came up with this scheme of doing challenge response. It works like this:
The server generates a random challenge and saves it
The server encrypts the challenge with the public key of the client ...
0 votes, 0 answers, 315 views
BLE Challenge-Response Authentication Using Pre-Shared Key and SHA-256
I’m working on a Bluetooth Low Energy lock system and have implemented a challenge-response authentication flow for secure communication between the lock (an ESP32 device) and the user's phone. I'm ...
24 votes, 1 answer, 6k views
Why are some Cloudflare challenges CPU intensive?
I notice in Chrome's Task Manager that some Cloudflare challenges are CPU intensive. Why?
E.g., in the following screenshot, Cloudflare challenges took over 1 hour of CPU (representing ~25% of the ...
0 votes, 0 answers, 114 views
How do I move password securely between api and web?
I would like to ask how I should go about securely transmitting the password between two applications. I have two projects that work with each other. The first one is a project called AuthApi, which ...
1 vote, 1 answer, 382 views
Is SCRAM secure if both the communication channel and the database got compromised?
I was learning about SCRAM and liked its ability to protect against various attacks (as mentioned in this MongoDB blog post), specifically:
Eavesdropping - The attacker can read all traffic exchanged ...
2 votes, 2 answers, 2k views
Is the Seed-And-Key Challenge-Response used in Automotive Security really secure?
As an Automotive Security Professional, my state of the art approach to implement a Secure Access would be to have an ECU generate a challenge (nonce + ID), forward it to the tester who can pass the ...
0 votes, 0 answers, 1k views
How does Nessus offline registration work?
To use the free trial of Nessus, you need an email address to receive an activation key.
There are two modes to activate a Nessus server:
Online mode registration
If the computer running Nessus ...
1 vote, 0 answers, 141 views
Problems understanding the use of Distance Bounding against Man-In-The-Middle attacks
I currently have to write a paper for university in my Network Security lecture about methods of secure location verification. Therefore, I chose to write about several distance bounding protocols, e....
0 votes, 1 answer, 925 views
Challenge-Response authentication and SSL
I'm currently developing an Android Application that communicates with a server and needs the user to login.
The connection is secured with SSL and certificate pinning.
For user authentication I'm ...
0 votes, 1 answer, 375 views
Is this Wikipedia article about SCRAM wrong?
At my Company, we put a honeypot in our network and it raised us the Lansweeper SSH password used to connect to the scanned assets (and it is reusable over many boxes...).
So it is a way for an ...
0 votes, 1 answer, 597 views
How to implement challenge-response with keyed hash algorithm when 2 people share same key?
Suppose that 2 people have a keyed hash algorithm (that is, a MAC) with a key that they both know. How could they implement challenge-response using their keyed hash algorithm? This confuses me...
2 votes, 0 answers, 381 views
How challenge response password recovery mechanism works with disk encryption?
For the sole purpose of learning, I am trying to figure out how disk encryption software is able to recover password of an encrypted disk using a challenge response mechanism.
The recovery process ...
4 votes, 2 answers, 2k views
Why does WebAuthn require a challenge when asking the client to register a new credential?
When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge?
Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS ...
5 votes, 2 answers, 521 views
Which user authentication measures are used nowadays?
I was reading about Passwords and came across methods used for authenticating client to a server. Since sending password in Plain text to the server isn't the best method for authentication of a user, ...