Title :
Random Values, Nonce and Challenges: Semantic Meaning versus Opaque and Strings of Data
Author :
Badra, Mohamad ; Guillet, Thomas ; Serhrouchni, Ahmed
Author_Institution :
LIMOS Lab., CNRS, France
Abstract :
Current authentication and security protocols provide authentication services using either shared secret keys or certificates and public key infrastructures. They usually use random values and nonces to prevent replay attacks and to generate fresh keys for each session. Challenge-response authentication mechanisms are the predominant access method for authentication and access control in today's Internet applications. These mechanisms provide a proof of knowledge of the secret and thereby authenticate the communicating entity, which applies a cryptographic algorithm to the shared secret and the challenge sent by the other entity. Unfortunately, basic challenge-response mechanisms, such as HTTP Digest, do not provide mutual authentication and therefore suffer from several attacks, especially man-in-the-middle and replay attacks. In this paper, we propose a semantic meaning for the challenge used by these mechanisms. The proposed enhancement is completely backward-compatible: an entity aware of our extension that connects to another that does not wish to use it or does not support it will continue with the basic authentication process. Moreover, our extension helps reduce identity usurpation attacks. A computation of the cryptographic loads and the data transfer demonstrates a negligible overall performance impact on the network and the entities.
Keywords :
Internet; cryptographic protocols; public key cryptography; authentication protocols; challenge-response authentication mechanisms; cryptographic algorithm; data transfer; nonce; public key infrastructures; random values; security protocols; shared secret keys; Access protocols; Authentication; Computer networks; File servers; Internet; Joining processes; Laboratories; Public key; Public key cryptography; Web server;
Conference_Title :
Vehicular Technology Conference Fall (VTC 2009-Fall), 2009 IEEE 70th
Conference_Location :
Anchorage, AK
Print_ISBN :
978-1-4244-2514-3
Electronic_ISBN :
1090-3038
DOI :
10.1109/VETECF.2009.5378957