3

I want to implement a challenge-response login authentication for my web application.

My understanding is that the server has to send back the password salt for the user so that the user can calculate the password hash on the client side and then send it back to the server to compare and check if the user is authenticated or not.

I know this type of authentication is vulnerable to dictionary attacks because the attacker can see the password salt in plain text and brute force attack the server with that password salt.

As always, layers of security is best so I would also add SSL to the equation so the attacker would have to break SSL as well as brute force the password with the salt.

Is there ways I can improve upon this, I have look into SRP (Secure Remote Password) but it seems really complex whereas challenge-response can provide just as much benefit.

Professed3376
  • 183
  • 1
  • 7

2 Answers2

6

If you are using SSL why would you send a salt at all? All you need to is allow the user the send username and password and you can calculate H(message + salt) server side. There is no point of sending the salt to the user. Just make sure you use a proper hashing algorithm like PBKDF2, bcrypt or scrypt.

Also if you have broken SSL it would not matter if you send the password or the hash as you could easily just intercept the hash and perform a repetition attack. Unless of course the challenge would change with every single authentication request which would require you to store the password in decryptable or plain text format. Which may be a security risk on its own, furthermore it would be susceptible to a bucket brigade man in the middle attack.

Stick to good secure schemes, username + password across ssl is secure, don't try rolling your own.

Lucas Kauffman
  • 54,437
  • 17
  • 116
  • 196
  • @Chrisgozd - You only need the server to send the salt to the client in SRP. If you are not going to use SRP (as you said), then there is no need for the client to know the salt. As @Lucas said, just send the username and password to server after establishing a SSL connection and the server will lookup the salt against the username and perform the hash(salt+password) itself. – xkcd Apr 23 '14 at 11:56
  • @xkcd Yeah, I'm just trying to add layers of security if (knock on wood) SSL is broken and looking at my options for how I can make login authentication more secure. – Professed3376 Apr 23 '14 at 15:01
  • 1
    @Chrisgozd - Ya, that's a good practice, but in this case you are not adding a layer, meaning that if the 1st layer i.e. SSL is broken, then hashing/salting passwords won't save you. A lot of MiTM and replay attacks become possible then which don't need to brute force your password. – xkcd Apr 24 '14 at 12:43
  • We did see SSL being broken, didn't we – Sten Petrov Jul 01 '14 at 20:09
  • @StenPetrov Care to elaborate? – Xander Jul 01 '14 at 20:41
  • @Xander Goto Fail and HeartBleed. While neither is a direct break on SSL both of them could void the security provided by SSL under their respective conditions. An additional layer of security would have been useful to prevent plaintext credentials from being accessible – Sten Petrov Jul 02 '14 at 01:46
0

If I were designing a challenge and response system, I would use an intelligent system rather than your suggested standard computable systems.

I would consider the challenge as a method to pass information to the responder that only the responder is likely to appreciate and to interpret correctly. The response to the challenge would indicate that the responder has interpreted the information correctly, I would then consider a further response by the challenger, whether or not the interpretation had been correct and an additional test of the responder again making a judgement of the 2nd challenge by making a further response.

The information exchange can be extremely varied by making a response require or deny character(s) in a specified position(s) in what appears to be a randomly generated character set challenge. The challenge would change each time and would require the responder to reply with a character from a predefined set in a particular position in their random character response. Challenge and response could be of any length, sensibly within reasonable parameters and the required positions could be modal to make identification even more difficult. If automated and the defined characters and positional requirements were set up in a simple table the complexity could be increased by incorporating several conditions of acceptance and denial plus conditional changes depending on character groupings/ string length etc. Each set of conditions and responses could be set to be unique to each responder that should have access to the challenger. These could be transmitted separately in the same way that passwords can be exchanged.

schroeder
  • 129,372
  • 55
  • 299
  • 340
challenger
  • 11
  • 1
    I've seen implementations where the user uploads a picture, then tags portions of the picture. The challenger sends the photo back and asks the responder to click on the portion of the image that corresponds to a tag. Is that the kind of thing you mean? – schroeder Jul 11 '16 at 12:28
  • Do these unique challenges correspond to something each user knows? – Jedi Jul 11 '16 at 12:51