In a challenge-response authentication flow, what's the difference between client-side and server-side authentication?
Client-side: the server challenges the client to prove who it is. Server-side: the client challenges the server to prove who it is. The verifier is whoever sends the challenge.
The pattern is always: Question (challenge) → Answer (response) → Überprüfung (verification).
- Client-side authentication — Server sends Question1, Client replies Answer1, Server verifies and confirms Authenticated1. (The client is proving its identity.)
- Server-side authentication — Client sends Question2, Server replies Answer2, Client verifies. (The server is proving its identity — e.g. a TLS certificate.)
Why challenge-response at all? The challenge is a fresh, random value. The responder proves it can produce the correct answer for that specific challenge, which defeats replay attacks — an old captured answer won't match a new challenge.
Tip: "Who sends the question is the one doing the checking." Most logins authenticate the client; HTTPS authenticates the server (the padlock).