Introduction
Last updated
Last updated
Challenge–response authentication: is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. It may be used for mutual authentication e.g. when a server needs to install a new version on a client. In the case of the example, the client has to verify that the server is the one it claims it is (otherwise a malicious version may be downloaded) and the server has to verify that it downloads the new version to the right client.
The OATH Challenge-Response Algorithm (OCRA) is a generalization of HOTP with variable data inputs not solely based on an incremented counter and a secret key values.
The definition of OCRA requires a cryptographic function, a key K and a set of DataInput parameters
DataInput ={OCRASuite | 00 | C | Q | P | S | T}where:
00 is a byte value used as a separator
C is an unsigned 8-byte counter value processed high-order bit
Q (mandatory) is a 128-byte list of (concatenated) challenge question(s) generated by the parties
P is a hash (SHA-1, SHA-256 and SHA-512) value of PIN/password that is known to all parties
S is a UTF-8 encoded string that contains information about the current session
T is a number of time-steps (seconds, minutes, hours) since midnight UTC of January 1, 1970
All parameters in the OCRA suite are optional except for the Q (challenge questions).
OCRA provides 3 Authentication modes:
One-Way Challenge Response
Mutual Challenge Response
Algorithm modes for Signature (plain signature, and signature with server authentication)
The OCRA API provides a REST API in order to add a second factor to your login process.
The OCRA API implements the 'Mutual Challenge Response' Authentication Mode. The OCRA API roadmap contains both other modes, but in the current version they are not yet available.
A challenge-response is a security mechanism in which the verifier presents a question (challenge) to the prover, who must provide a valid answer (response) to be authenticated
Mutual challenge-response is a variation of the one-way challenge- response mechanism where both the client and server mutually authenticate each other.
To use this algorithm in plain signature mode, the server will communicate a signature-challenge value to the client (signer). The signature-challenge is either the data to be signed or is derived from the data to be signed using a hash function
This mode is a variation of the plain signature mode where the client can first authenticate the server before generating an electronic signature.
The OCRA API is a stateless REST service, no personalized transaction data is persisted. The audit trail generated at the end of a flow is returned to the application or service consumer of the OCRA API and is NOT persisted in the OCRA-API.