Lukas' Notes

Challenge-Response Authentication

May 01, 20262 min read

Definition

Challenge-Response Method

A challenge-response method is an authentication protocol in which the server sends a challenge $C$ to the user, who then computes a response $R$ by applying a cryptographic operation to $C$ using a shared secret.

Conceptually similar to a one-time password generator, but the one-time password depends on server-generated data rather than on time alone.

Protocol

Challenge

The authentication server sends a challenge $C$ to the user.

$C$ must include a randomly generated component to prevent replay attacks.

$C$ can partially depend on the operation to be authorised.

Response

The user performs a cryptographic operation on $C$ to compute the response $R$ .

The response is usually computed by an authenticator app installed on the user’s smartphone or PC.

The ability to compute $R$ proves possession of the required secret or cryptographic key.

Variations

Hash-Based

The response is computed by hashing the challenge together with a shared secret $S_{X}$ :
$R = h (C ∥ S_{X})$

Symmetric Encryption

The response is the encryption of the challenge under a shared secret key $K_{X}$ :
$R = Enc (K_{X}, C)$

Signature-Based

The response is a digital signature on the challenge using the user’s private key $SK_{X}$ :
$R = Sign (SK_{X}, C)$

Security

Replay Resistance

Because the challenge contains a fresh random component, an attacker who intercepts a previous response cannot reuse it.

Proof of Possession

The response demonstrates that the user holds the secret key, without transmitting the key itself.

Graph View

Definition
Protocol
Variations
Security

Backlinks

192.019 Introduction to Security
Hardware Authentication Token

Created with Quartz v4.4.0 © 2026

GitHub