
Talk:Challenge–response authentication

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Gerbennn (talk | contribs) at 10:19, 7 June 2011 (password as challenge/response). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
WikiProject Computing (Unassessed)
This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has not yet received a rating on Wikipedia's content assessment scale.
This article has not yet received a rating on the project's importance scale.

I think that the statement "A nonce prevents man-in-the-middle attacks" should be removed because this is probably not true.

"Challenge-response" or "challenge-reply"

Hello, can someone clarify whether challenge-response authentication or challenge-reply authentication is the right term? Thanks --195.145.211.194 12:02, 28 November 2006 (UTC)

This is the first time I've heard the phrase "challenge-reply authentication". A Google search for the former yields about 118,000 results [1] while challenge-reply yields only 38 [2]. It's a safe bet to say "challenge-response authentication". -- intgr 15:32, 28 November 2006 (UTC)

"Unix passwords"

This paragraph is wack and the logic is flawed and convoluted. —Preceding unsigned comment added by 212.146.94.66 (talk) 16:04, August 30, 2007 (UTC)

It makes sense to me, but it's not well written indeed; I have added a "confusing" template. -- intgr #%@! 23:56, 30 August 2007 (UTC)

password as challenge/response

Most security professionals would disagree with:

"The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password."

The key feature of challenge/response is that the responder is forced to give a different answer every time. Passwords are often contrasted with challenge-response systems. For references see: RFC 4949, Network Security by Kaufman et al., or any good book on Information Security.

It is possible to distinguish between cryptographic challenge-response systems, where a well-vetted cryptographic algorithm is performed to compute the output from the input, and non-cryptographic systems, where some other sort of prearranged scheme is used. See for example the O. Henry story "Calloway's Code". In the story a reporter transmits the first word in a common phrase and the receivers fill in the rest of the phrase. In the story it is not used for authentication, but it could be. Perhaps a better example would be recognition systems used by navies and other military organizations. They simply issue a secret code book containing challenges and their corresponding responses. Hal lockhart 21:38, 24 October 2007 (UTC)

Indeed. Saying that asking for the password makes password-based authentication a simple form of challenge response is ludicrous. You could then say, by the same logic, that *any* authentication is challenge-response, as every authentication method is challenging the user to authenticate him/herself. Gerbennn (talk) 10:19, 7 June 2011 (UTC)

Pull-down menus

Pull-down menus are used at http://languagetesting.info/mail/email.php. -- Wavelength (talk) 17:54, 14 April 2010 (UTC)

Storage of plaintext-equivalents can be avoided with simple C/R schemes

From my experience, most people do not realize that there exist simple algorithms (not involving public key crypto) that avoid the need for the server to store plaintext equivalents. This is reflected even in Internet RFCs (such as on APOP, CRAM, CHAP) - the authors probably did not realize! I am not aware of a more appropriate Wikipedia article to have this mentioned in, and my understanding is that publishing the algorithms right in Wikipedia (and only in Wikipedia) would be inappropriate - need to refer to an external source. Similarly, making a statement and not backing it up with algorithms would be inappropriate.

For the reasons above, I had added a link to my external wiki page describing two such algorithms of my own and linking to an external website with a third algorithm invented by another person. Although I am biased when linking to my own stuff, I think it is highly relevant to the article, and is desirable to have in here. However, another editor eventually thought otherwise and removed the link.

I propose that the info/reference/link be re-introduced, maybe along with other edits to the article such that the link does not "stand out" (sort of contradicting what was just said in the paragraph), like it did (which could have contributed to the link appearing "irrelevant" to someone possibly not very familiar with the problem). I'd appreciate any comments, votes for/against (with reasoning), any other suggestions, and actual edits to the article. -- Solardiz (talk) 01:54, 13 January 2011 (UTC)
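
Added example, not written by any editor on this page and not one of the algorithms Solardiz refers to: a CRAM-style HMAC challenge-response that illustrates two points from the threads above, namely that the response differs for every challenge (so a recorded response does not replay, unlike a password), and that the value the server stores is a plaintext equivalent. The class and function names, the use of HMAC-SHA-256 and the pre-hashed key are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class ChallengeResponseServer:
    """CRAM-style verifier: response = HMAC(stored_secret, challenge)."""

    def __init__(self):
        self.secrets_db = {}   # user -> stored secret, read on every verification
        self.outstanding = {}  # user -> challenge issued but not yet answered

    def enroll(self, user, password):
        # Hashing the password first does not help: the stored value is
        # itself the HMAC key, so it is a plaintext equivalent.
        self.secrets_db[user] = hashlib.sha256(password.encode()).digest()

    def challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per attempt
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.outstanding.pop(user, None)  # each challenge is single use
        if nonce is None or user not in self.secrets_db:
            return False
        expected = hmac.new(self.secrets_db[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    server = ChallengeResponseServer()
    server.enroll("alice", "correct horse")  # constructed sample credentials
    first = server.challenge("alice")
    r1 = client_response("correct horse", first)
    ok_first = server.verify("alice", r1)
    server.challenge("alice")                # a new challenge is now outstanding
    replay_ok = server.verify("alice", r1)   # old response against new challenge
    third = server.challenge("alice")
    # Response computed from the stored record alone, without the password.
    from_db = hmac.new(server.secrets_db["alice"], third, hashlib.sha256).digest()
    db_value_ok = server.verify("alice", from_db)
    return ok_first, replay_ok, db_value_ok
```

`demo()` returns `(True, False, True)`: the genuine response is accepted, its replay is rejected, and the stored record alone is enough to answer a challenge, which is why the credential store of such a scheme needs the same protection as a plaintext password file.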