You are developing an in-house application with an authentication requirement that user passwords shall not be transmitted on the network. Which of the following is the best solution for clients to authenticate to the server? (Source: Wentz QOTD)
A. Clients encrypt credentials using the server’s public key.
B. The server sends a nonce encrypted by the client’s public key.
C. Clients negotiate a dynamic key with the server through Diffie-Hellman.
D. The server sends a TGT encrypted by its secret key after receiving the client’s ID.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. The server sends a nonce encrypted by the client’s public key.
In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x.
In computer security, challenge–response authentication is a family of protocols in which one party presents a question (“challenge”) and another party must provide a valid answer (“response”) to be authenticated.
Public Key Authentication
The server sends a nonce encrypted with the client’s public key as a challenge. Only the holder of the matching private key can decrypt it, so by returning the recovered nonce (or a value derived from it) as the response, the client proves possession of the private key without ever revealing the key; this is the sense in which the exchange is often described as a zero-knowledge proof. Two practical caveats: the nonce must be fresh and unpredictable so that a captured response cannot be replayed, and the client should answer only challenges inside the protocol rather than decrypt arbitrary ciphertext on request, or it becomes a decryption oracle for its own key.
Secret Key Authentication
Decrypting a server’s message, or computing a keyed MAC over its challenge, with a pre-shared secret key authenticates the client in the same way. HMAC, for example, authenticates the origin of data by incorporating a secret key, and CHAP applies the same pattern with a hash over the challenge and the shared secret.
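The challenge-response pattern described under both headings above, in its secret-key form, as an added example that is not part of the original post: the server stores only a password-derived key, issues a fresh random nonce, and checks an HMAC over it, so the password itself never crosses the network. The names (AuthServer, Client, run_exchange), the PBKDF2 parameters and the sample credentials are my own assumptions for the illustration; the public-key variant replaces the HMAC with decryption of the nonce under the client’s private key.

```python
"""Secret-key challenge-response login (added example, not from the original post).

The server never sees the password: it stores a PBKDF2-derived key, sends a
random single-use nonce, and verifies an HMAC over it in constant time.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # illustrative; tune for the deployment


def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides derive the same 32-byte secret from the password and a salt,
    much as Kerberos derives a client key; only this key is ever used on the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def response_for(key: bytes, client_id: str, nonce: bytes) -> bytes:
    """Keyed response over identity and challenge. Binding the identity stops
    a response computed for one user being presented as another user's."""
    return hmac.new(key, client_id.encode("utf-8") + b"\x00" + nonce,
                    hashlib.sha256).digest()


class Client:
    """Holds the password-derived key; the password never leaves this object."""

    def __init__(self, client_id: str, password: str, salt: bytes = b""):
        self.client_id = client_id
        self.salt = salt or secrets.token_bytes(16)
        self._key = derive_key(password, self.salt)

    def enrollment_record(self) -> tuple:
        """What the server stores at enrollment: salt and derived key, not the password."""
        return self.salt, self._key

    def answer(self, nonce: bytes) -> bytes:
        return response_for(self._key, self.client_id, nonce)


class AuthServer:
    NONCE_TTL = 30.0   # seconds a challenge remains answerable (assumed value)

    def __init__(self):
        self._keys = {}     # client_id -> (salt, derived key)
        self._pending = {}  # outstanding nonce -> (client_id, issued_at)

    def enroll(self, client_id: str, salt: bytes, key: bytes) -> None:
        self._keys[client_id] = (salt, key)

    def challenge(self, client_id: str) -> bytes:
        if client_id not in self._keys:
            raise KeyError("unknown client")
        nonce = secrets.token_bytes(32)   # fresh and unpredictable: defeats replay and precomputation
        self._pending[nonce] = (client_id, time.monotonic())
        return nonce

    def verify(self, client_id: str, nonce: bytes, response: bytes) -> bool:
        issued = self._pending.pop(nonce, None)   # single use: a replayed nonce finds nothing
        if issued is None:
            return False
        issued_for, issued_at = issued
        if issued_for != client_id or time.monotonic() - issued_at > self.NONCE_TTL:
            return False
        _, key = self._keys[client_id]
        expected = response_for(key, client_id, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_exchange(server: AuthServer, client: Client):
    """One login. Returns (accepted, the messages that crossed the network)."""
    wire = []
    nonce = server.challenge(client.client_id)
    wire.append(nonce)                  # server -> client: challenge
    response = client.answer(nonce)
    wire.append(response)               # client -> server: response
    return server.verify(client.client_id, nonce, response), wire


if __name__ == "__main__":
    server = AuthServer()
    alice = Client("alice", "correct horse battery staple")   # constructed credentials
    server.enroll(alice.client_id, *alice.enrollment_record())
    ok, wire = run_exchange(server, alice)
    print("accepted:", ok)
    print("password on the wire:", any(b"correct horse" in m for m in wire))
```

Everything that crosses the network is a 32-byte nonce and a 32-byte HMAC; capturing both and replaying them fails because the server consumes each nonce on first use, and a wrong password produces a wrong key and therefore a wrong response.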
A TGT implies Kerberos, which also keeps the user password off the wire: the AS never receives it. After receiving the client’s ID, the AS replies with a TGT encrypted under the TGS’s (the KDC’s) secret key, which the client cannot read and simply presents later, together with a session key encrypted under the client’s long-term key derived from the password. The client proves its identity by being able to decrypt that second part (and, with pre-authentication enabled, by encrypting a timestamp under that key beforehand). Option D therefore describes a real Kerberos AS exchange, but the TGT it names is a ticket issued by a KDC for later service requests, not the client’s proof of identity to the server; the proof is the secret-key challenge-response on the password-derived key, which is what option B expresses directly for a client and server without a KDC.
Password authentication means the user password itself is sent, in plaintext or as ciphertext, to the authentication server.
- Option A provides confidentiality only: clients encrypt credentials with the server’s public key, but the user password is still transmitted on the network, merely in encrypted form, and anyone who obtains the server’s private key can recover it from captured traffic.
- Option C gives clients a dynamic secret key negotiated with the server through Diffie-Hellman to encrypt the user password, but the password still has to be transmitted on the network, and an unauthenticated Diffie-Hellman exchange does not tell the client who is on the other end.
- Authentication protocol
- Challenge–response authentication
- Challenge-Handshake Authentication Protocol
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.