LOGBOOK

HELP

Quiz Entry - updated: 2026.06.01

How does challenge-response with symmetric cryptography authenticate a user without sending the password?

Both sides share a secret key. Server sends a random challenge; client returns HMAC(key, challenge); server verifies by computing the same HMAC.

The flow:

  1. Setup: Alice and Bob share the same symmetric key (out-of-band — e.g. during account creation).
  2. Login:
    • Alice → Bob: "I'm Alice"
    • Bob → Alice: random challenge (a fresh nonce, e.g. 128 bits)
    • Alice → Bob: response = HMAC(key, challenge)
    • Bob computes HMAC(key, challenge) himself and checks it matches the response.

Why it's better than password-in-the-clear:

  • The secret key never leaves either machine.
  • The challenge is random per session → an eavesdropper sees a different exchange every time and can't replay it.
  • Even if Eve captures the response, it's only valid for that one challenge.

Drawback to remember: Bob also has a copy of the key. If Bob's server is compromised, the attacker can impersonate Alice — they have the same key Alice has. That's why public-key challenge-response is often preferred for high-stakes systems.

From Quiz: ISF / Access Control | Updated: Jun 01, 2026