Collaborate Disseminate
A common way to prevent replay attacks when logging in is for the server to present a challenge (chall) and request a response in the form hash(chall+secret) where the secret is already known by the server, and can be determi… Continue reading How to prevent replay attacks without exposing stored password security?
From what I know, when a user wants to login to a RADIUS server, it sends their username and password to a NAS, and the NAS hides the password by hashing (MD5 (shared secret, request authenticator) and then XOR with chunks of… Continue reading RADIUS authentication. Password hiding
I have a server application which provides functions to a client program. The client is also programmed by me. Now I want to authenticate the client program itself (not any user) before using my service. I want to achieve tha… Continue reading How to authenticate a specific client program?
Given that a communication over HTTP
uses SSL encryption
uses public key pinning to prevent MiTM attacks
is security in any way elevated by using Salted Challenge Response Authentication Mechanism (SCRAM) over basic acces… Continue reading Given a secure channel, are there any benefits in using SCRAM over a username and password?
I’m developing an Authenticator App for use towards my own API. I know about the TOTP standard RFC 6238 and the HOTP variant. Though I would prefer to use a public/private key based solution (by only storing the public key on… Continue reading Algorithms for 2FA over HTTPS?
I am currently working on the migration of a user Identity and Access Management tool from a legacy platform (product + solution) to a new one (same product but upgraded + updated solution)
My team was challenged with the fo… Continue reading Should passwords and challenge questions & answers be migrated?
Security questions are well known/widely considered to decrease security or otherwise create more problems (e.g., remembering gibberish), but sometimes I am required to have and answer them anyway. While that has been discus… Continue reading Using PGP to answer account security questions with PKI
I have an interesting use case where users need to authenticate to applications running in environments that might not have internet access or even access to an authentication server. Administrators need to be able to grant a… Continue reading Authentication providers for applications with no internet connection
Are all challenge-response (or other authentication) protocols vulnerable to on-line main-in-the-middle attacks?
Let’s say Alice wants to setup a connection with Bob (e.g. she wants to login on a server). Bob sends her a ra… Continue reading Vulnerability of challenge-response (authentication) protocols to on-line man-in-the-middle attacks
From my understanding, after the Access-Request, the authentication server (RADIUS) send a reply (incapsulated in the Access-Challenge packet) to the authenticator (AP).
The Access-Challenge packet contains an EAP Request in… Continue reading Access-Challenge EAP Request