Menu
How does challenge-response authentication prevent man-in-the-middle attacks? I read the wiki article but still I cannot understand.
566
Strong WEP/WAP Encryption on Access Points Having a strong encryption mechanism on wireless access points prevents unwanted users from joining your network just by being nearby. A weak encryption mechanism can allow an attacker to brute-force his way into a network and begin man-in-the-middle attacking.
Challenge-response is a barrier used to protect assets from unauthorized users, activities, programs and internet of things (IoT) devices.
One MITM mitigation strategy is to enable static address resolution protocol (ARP) entries for the local area network to use. This helps to prevent MITM attacks by keeping attackers from being able to send random requests and get replies.
Challenge Response Authentication Mechanism (CRAM) is the most often used way to authenticate actions. They are a group of protocols in which one side presents a challenge(to be answered) and the other side must present a correct answer(to be checked/validated) to the challenge in order to get authenticated.
In general, challenge-response systems do not necessarily prevent man-in-the-middle-attacks: If Alice is trying to tell Bob her bank account number, this protocol, which does implement some challenge and response, won't provide integrity or privacy:
Alice: Bob, is that you? // first challenge
Bob: Yes, Alice, it is me, is that you? // first response, second challenge
Alice: Yes! Great. My account number is 314159. // second response, and result
Mallory could answer "yes" in place of either Alice or Bob, could fake the third 'result' message, or could listen in on the third message.
Even if the challenges are improved, to something like: "Please hash 0x31415926 prepended to our shared password", data transmitted in the clear (or under weak/poor ciphers or with poor key selection) would be subject to loss of privacy, and data transmitted without any message authentication checks could be subject to modification by a third party.
Where challenge/response protocols really shine is in preventing replay attacks: if Alice just sends Bob a message along the lines of "Please debit my account $5 and credit your account $5", Mallory could record the message and replay the message to deplete Alice's account.
A good challenge/response system will generate a new challenge for every transaction or session (and make sure that previous challenges are not reused!), so that session transcripts cannot be spliced together to create new fraudulent systems.
I hope this helps, but I'm afraid without more detailed idea of where your doubts are coming from, it'll just be noise.
167
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
