In the first article in this series, on Authentication, I touched on UserName/Password as well as Biometric Authentication. I would like to talk about one more important method of authentication before moving on to Authorization.
Cryptographic Challenge/Response Authentication
The authentication methodologies I’ve discussed until now have all been a form of “passive” Challenge/Response authentication. That is, the act of authentication is limited to a user, or resource, identifying itself to the Information Security System and then submitting a pre-arranged pseudo-random value for authentication. That pre-arranged pseudo-random value could be a password or fingerprint/retinal scan data.
Cryptographic Challenge/Response (CCR) authentication takes this all a step further. Instead of relying on a single pre-arranged value, CCR involves a different protocol using cryptographic algorithms.
One example of a CCR would involve the following steps:
1. User identifies him/herself to the Information Security System
2. System generates, and transmits, pseudo random data for the user to sign
3. User digitally signs the sequence and returns the results to the system
4. System checks the digital signature for authenticity
5. If the signature is authentic, authentication is successful
An illustration of this example is below.
Since the challenge data changes for each authentication attempt, and the system expects a near-instant response from the user, this presents a much larger challenge for anyone attempting to gain access fraudulently.
The “replay attack”, for instance, is the attempt to reuse previously captured authentication packets, passing them off as new authentication packets in a future, different session. Since the original authentication used the hash of not only the user’s ID but a timestamp as well, the new challenge data will be different, and the system will expect different response data. Therefore, since the attacker only has access to prior authentication packets, they should not be able to calculate the digital signature required in step 3 in a timely fashion without the user’s Private Key.
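The five steps above, together with the replay-attack discussion, as an added example in Go (this is illustrative code written for this article, not code from the original post). It uses Ed25519 from the Go standard library for the digital signature; the user ID, 30-second validity window, and the in-memory tables of enrolled keys and outstanding challenges are all constructed for the example. The challenge is bound to the user’s ID and a timestamp, as the text describes, plus a random nonce; the system keeps its own copy of every challenge it issues and deletes it the first time a response arrives, so a captured response cannot be replayed against a later session.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Challenge is the pseudo-random data from step 2. As in the article, it is
// bound to the user's ID and a timestamp; a random nonce makes every challenge
// unique even within the same second.
type Challenge struct {
	UserID   string
	IssuedAt int64 // Unix seconds
	Nonce    [16]byte
}

// Bytes derives the message the user signs: SHA-256 over ID, timestamp, nonce.
func (c Challenge) Bytes() []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.IssuedAt))
	h := sha256.New()
	h.Write([]byte(c.UserID))
	h.Write(ts[:])
	h.Write(c.Nonce[:])
	return h.Sum(nil)
}

// System is the Information Security System side: enrolled public keys plus
// the challenges it has issued and not yet seen answered (constructed, in-memory).
type System struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[[16]byte]Challenge
	window  time.Duration    // how long a challenge stays answerable
	now     func() time.Time // injectable clock so tests can move time forward
}

func NewSystem(window time.Duration) *System {
	return &System{
		pubKeys: map[string]ed25519.PublicKey{},
		pending: map[[16]byte]Challenge{},
		window:  window,
		now:     time.Now,
	}
}

// Enroll registers the public key a user will later prove possession of.
func (s *System) Enroll(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }

// Issue is step 2: after the user identifies itself (step 1), generate and
// record fresh challenge data for that user.
func (s *System) Issue(user string) (Challenge, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return Challenge{}, errors.New("unknown user")
	}
	c := Challenge{UserID: user, IssuedAt: s.now().Unix()}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	s.pending[c.Nonce] = c
	return c, nil
}

// Respond is step 3, run on the user's side: sign the challenge with the
// private key that never leaves the user (or the smart card holding it).
func Respond(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.Bytes())
}

// Verify is steps 4 and 5. The challenge is looked up from the system's own
// records, so the responder cannot alter the ID or timestamp, and it is removed
// on first use, so a replayed response finds nothing to match.
func (s *System) Verify(nonce [16]byte, sig []byte) error {
	c, ok := s.pending[nonce]
	if !ok {
		return errors.New("no such outstanding challenge (expired or replayed)")
	}
	delete(s.pending, nonce) // one attempt per challenge, whether it succeeds or not
	if s.now().Sub(time.Unix(c.IssuedAt, 0)) > s.window {
		return errors.New("challenge expired")
	}
	pk, ok := s.pubKeys[c.UserID]
	if !ok || !ed25519.Verify(pk, c.Bytes(), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sys := NewSystem(30 * time.Second)
	sys.Enroll("alice", pub) // constructed user

	c, _ := sys.Issue("alice")                               // steps 1-2
	sig := Respond(priv, c)                                  // step 3
	fmt.Println("first attempt:", sys.Verify(c.Nonce, sig)) // steps 4-5
	fmt.Println("replayed:", sys.Verify(c.Nonce, sig))      // rejected
}
```

Reversing the roles for the mutual authentication the article goes on to describe needs no new code: the user runs a `System` of their own holding the website’s public key, issues the challenge, and the website calls `Respond` with its private key.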
This also does not have to be a one-way process; the user can authenticate the Information Security System as well.
Phishing is the term given to the practice of publishing websites masquerading as other popular websites in the hope of capturing login information from unsuspecting users of the legitimate site. If you wanted to verify the validity of a website, this would be one method of doing so. The process would be the same, only with the roles reversed: now the website would be the one identifying itself, and the user the one issuing the challenge data.
The combination of these two techniques addresses another attack in Information Security called the “Man in the Middle” attack. This involves an attacker listening in on a conversation by masquerading as the receiver, from the point of view of the caller, and as the caller, from the point of view of the receiver. It is rather like a person in the middle of a phone conversation relaying messages from caller to recipient, and vice versa.
Smart Cards can use cryptographic challenge/response authentication because of the microchip held within the card, which gives them the capability of being more secure than a plain magnetic strip card. Whereas a magnetic strip can only store a series of numbers, the smart card can actively take part in the authentication process.
You might think that this would make the smart card the “end-all, be-all” solution for identification and authentication, but there is at least one more problem to overcome. The problem with the smart card is that although it can take the place of your brain as the storage device on which an authentication depends, your brain cannot be stolen, whereas the card can. Although the smart card can take care of almost all aspects of authentication to an Information Security System, the fact that the card can authenticate itself to that system does not mean that you are the one actually swiping it against the reader. It is for this reason that, at least on the systems I have seen, smart cards are simply another “factor” of authentication, instead of being the single factor.