Challenge-response using (keyed) one-way functions – Entity Authentication

5.5.3 Challenge-response using (keyed) one-way functions

The second option in a symmetric challenge-response protocol is to use one-way or hash functions to compute the responses. The shared secret K is hashed together with the random challenge RAND (see Figure 5.8). How this is done will be discussed in detail in Chapter 11, Hash Functions and Message Authentication Codes.

Because of the one-way property of the hash function, observing the challenge and corresponding response does not enable Eve to compute K (or parts of it). Again, the challenges must be fresh to prevent replay attacks.

Figure 5.8: Authentication based on keyed hash functions
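The exchange in Figure 5.8 can be sketched as follows. This is an added example, not code from the book: it assumes HMAC-SHA256 as the keyed hash (the text defers the actual construction to Chapter 11), and the names `Verifier`, `respond` and `demo` are illustrative. It shows why a challenge must be fresh and accepted only once.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Alice: issues fresh challenges and checks keyed-hash responses."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        rand = secrets.token_bytes(16)  # fresh, unpredictable RAND
        self._pending.add(rand)
        return rand

    def verify(self, rand: bytes, response: bytes) -> bool:
        # Unknown or already-used challenges are rejected outright.
        if rand not in self._pending:
            return False
        # One attempt per challenge: it is consumed even if the check fails.
        self._pending.discard(rand)
        expected = hmac.new(self._key, rand, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def respond(key: bytes, rand: bytes) -> bytes:
    """Bob (claimant): proves knowledge of K without ever sending K."""
    return hmac.new(key, rand, hashlib.sha256).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed shared secret K
    alice = Verifier(key)

    rand = alice.challenge()
    resp = respond(key, rand)
    first = alice.verify(rand, resp)    # genuine protocol run
    replay = alice.verify(rand, resp)   # same pair replayed later

    rand2 = alice.challenge()
    stale = alice.verify(rand2, resp)   # old response against a new challenge

    rand3 = alice.challenge()
    wrong_key = alice.verify(rand3, respond(b"x" * 32, rand3))
    return {"first": first, "replay": replay, "stale": stale, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```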

As before, let’s take a look at a real-world example. When trying to access a password-protected resource via HTTP, the server might ask you to authenticate via HTTP digest authentication. In this protocol, the response consists of a hash value over the URL of the requested resource, the random challenge, and the password PW. The details can be found in Figure 5.9 (see also [68]).

Figure 5.9: HTTP digest authentication. Instead of PW, the response includes hash(PW,Alice), so that the server does not need to store PW in cleartext

While this approach seems very straightforward, it has a certain weakness. Although pre-computed hash tables do not work because of the changing random challenges, eavesdropping on a challenge-response pair still provides Eve with verifiable text when launching a dictionary attack.

For each guessed password, Eve can compute the corresponding response and compare it to the observed response. If the claimant uses a common password, Eve might be able to guess it correctly within an acceptable time frame. For this reason, the use of the HTTP digest authentication protocol is recommended over secure channels only.

5.5.4 Challenge-response using public-key cryptography

Challenge-response protocols can also be constructed using public-key cryptography. We will cover this subject in detail in Chapter 7, Public-Key Cryptography. For now, it suffices to say that unlike with symmetric crypto-systems, every party has a unique pair of keys, a public key that is, well, public, and a private key that the party keeps secret.

Everyone who wants to send Alice an encrypted message can use her public key to perform the encryption, but only Alice can decrypt that ciphertext using her private key. In the opposite direction, Alice can sign a message using her private key and anyone who has access to her public key can verify that it was indeed Alice who signed that message.

In the context of challenge-response protocols, the claimant has to demonstrate his knowledge of the private key. Thus, if Bob wants to prove his identity to Alice, he can use his private key to decrypt a challenge that Alice encrypted with his public key.

However, care must be taken not to turn the claimant into a decryption oracle! Eve could pretend to be Alice while Bob tries to authenticate himself and send Bob some previously captured messages that were encrypted with Bob’s public key. Bob would assume this is a random challenge from Alice and would unknowingly decrypt messages for Eve.

To prevent this, the verifier Alice must prove to Bob that she knows the challenge. This is accomplished by prepending to the challenge a so-called witness, a value demonstrating that Alice knows the challenge without actually disclosing it.

As an example, Alice could compute the hash of the challenge and send it to Bob together with the encrypted challenge itself. Bob would decrypt the challenge with his private key, apply the hash function to the decrypted challenge, and compare the calculated hash to the received hash value. If these values do not match, Bob immediately terminates the protocol.

5.6 Summary

In this chapter, we covered entity authentication, a cornerstone of secure communication. We discussed what identity is and how identification protocols fundamentally work. We also covered basic factors for identification and discussed the connection between authorization and authenticated key exchange. We also worked out the differences between message authentication and entity authentication.

We covered password-based authentication, including challenges related to storing passwords as well as the fundamental shortcomings of password-based authentication. We then discussed how cryptographically secure challenge-response protocols avoid these drawbacks and introduced challenge-response protocols based on symmetric keys, hash functions and their key-dependent counterparts (also known as message authentication codes (MACs)), and public-key encryption.

In the next chapter, we will take a first glance at Transport Layer Security, the means to provide secure communication over an insecure network.