Challenge Response
Challenge-Response Process Flow
The challenge-response process is a security mechanism that verifies that the user holds the correct private key before the card allows sensitive operations such as signing or key access. Below is a step-wise breakdown of how it works:
Step 1: Generating the Challenge
- The system (host application) requests the card to generate a cryptographic challenge.
- The card returns a random challenge (a unique, unpredictable value).
- This challenge ensures that each authentication attempt is unique and cannot be replayed.
Step 2: Signing the Challenge
- The host application sends the challenge to an authorized user or secure authentication system that holds the correct private key.
- The corresponding private key, kept in the holder's own secure storage (for example a hardware token or an external authentication module) and never sent to the card, is used to sign the challenge with the ECDSA or Schnorr signing algorithm.
- The result is a digital signature of the challenge.
Step 3: Verifying the Response
- The signed challenge (response) is sent back to the card for verification.
- The card checks the signature against the public key stored in the selected user key slot to confirm that it was produced by the holder of the matching private key.
- If the verification is successful, the card grants access to the requested operation (for example, signing a transaction, accessing a key, or decrypting data).
Step 4: Access Authorization
- Once the response is validated, the user remains authenticated for further commands until the session expires or another authentication event occurs.
- If several operations are authorized at once (for example, signing several hashes), they must be executed in the order in which they were authorized.
Step 5: Handling Failed Authentication
- If the response signature does not match, authentication fails, and access is denied.
- In case of repeated failed attempts, the card may enforce security measures, such as locking the user out after a certain number of failed attempts.
This challenge-response mechanism ensures strong authentication and prevents unauthorized access by requiring proof of possession of the private key.
Challenge-Response Python Objects
Challenge-Response: Nonce
The following code snippet outlines the Python wrapper for 'Nonce'. Here card is an already-connected card handle provided by the SDK (its import is not shown on this page); the call returns a fresh random challenge that the holder must sign:
def challenge_response_nonce() -> bytes:
    # Ask the card for a fresh random challenge (Step 1). Every call issues a
    # new value, so a signature over an earlier nonce cannot be replayed.
    return card.user_key_challenge_response_nonce()
For example,
nonce = challenge_response_nonce()
print(nonce)
Challenge-Response: Open
The following code snippet outlines the Python wrapper for 'Open'. SlotIndex is the SDK's enumeration of user key slots; signature must be an ECDSA or Schnorr signature over the nonce returned by the preceding 'Nonce' call, produced with the private key that matches the public key stored in that slot:
def challenge_response_open(slot_index: SlotIndex, signature: bytes) -> bool:
    # Return the signed challenge for verification against the slot's public
    # key (Step 3). True means the slot is authenticated for this session;
    # False means verification failed and counts as a failed attempt (Step 5).
    return card.user_key_challenge_response_open(slot_index, signature)
For example,
# b'signature' is only a placeholder; pass the real signature over the nonce.
is_open = challenge_response_open(SlotIndex.SLOT_1, b'signature')
print(is_open)
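The process flow above and the 'Nonce' / 'Open' wrappers, run end to end against a simulated card. This is an added example, not the vendor's SDK or code from this page: SimCard (which exposes the same user_key_challenge_response_nonce and user_key_challenge_response_open methods as the card object above), SlotIndex, the lockout threshold and the pure-Python secp256k1 ECDSA are assumptions made for the demonstration. It shows the honest exchange (Steps 1 to 4) and the failure modes the flow describes (Step 5): replaying an old response, signing with the wrong key, and lockout after repeated failures.

```python
# Added example, not the vendor SDK: SimCard, SlotIndex and this ECDSA are stand-ins.
import enum
import hashlib
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; curve y^2 = x^3 + 7, G of prime order N
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):  # double-and-add; demo only, not constant-time
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def ecdsa_sign(priv, msg):  # holder side: sign SHA-256(msg), return r||s
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def ecdsa_verify(pub, msg, sig):  # card side: verify r||s under the slot's public key
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class SlotIndex(enum.IntEnum):
    SLOT_1 = 1

class SimCard:
    """Simulated card: one public key per slot, a single-use challenge,
    per-session authenticated slots and a failed-attempt counter with lockout."""
    LOCKOUT = 2  # assumed threshold; a real card sets its own

    def __init__(self, slot_pubkeys):
        self.pub = dict(slot_pubkeys)
        self.nonce = None          # outstanding challenge, consumed on use
        self.session_open = set()  # slots authenticated in this session
        self.failures = 0

    def user_key_challenge_response_nonce(self) -> bytes:
        self.nonce = secrets.token_bytes(32)  # fresh per attempt, so no replay
        return self.nonce

    def user_key_challenge_response_open(self, slot, signature) -> bool:
        if self.failures >= self.LOCKOUT:
            return False                          # Step 5: locked out
        challenge, self.nonce = self.nonce, None  # consume even on failure
        ok = challenge is not None and ecdsa_verify(self.pub[slot], challenge, signature)
        if ok:
            self.session_open.add(slot)           # Step 4: slot authorised
            self.failures = 0
        else:
            self.failures += 1
        return ok

def run_demo():
    """Honest exchange (Steps 1-4), then replay, wrong key and lockout (Step 5)."""
    user_priv = secrets.randbelow(N - 1) + 1
    card = SimCard({SlotIndex.SLOT_1: _mul(user_priv, G)})
    nonce = card.user_key_challenge_response_nonce()  # Step 1
    sig = ecdsa_sign(user_priv, nonce)                # Step 2, on the holder's side
    results = {"opened": card.user_key_challenge_response_open(SlotIndex.SLOT_1, sig)}  # Step 3
    # Replay: the same signature again; the challenge is gone, so it is refused.
    results["replay"] = card.user_key_challenge_response_open(SlotIndex.SLOT_1, sig)
    # Wrong key: an attacker signs a fresh challenge with a key the card does not know.
    nonce = card.user_key_challenge_response_nonce()
    bad_sig = ecdsa_sign(secrets.randbelow(N - 1) + 1, nonce)
    results["wrong_key"] = card.user_key_challenge_response_open(SlotIndex.SLOT_1, bad_sig)
    # Two failures reach LOCKOUT: even the legitimate holder is now refused.
    nonce = card.user_key_challenge_response_nonce()
    results["honest_while_locked"] = card.user_key_challenge_response_open(
        SlotIndex.SLOT_1, ecdsa_sign(user_priv, nonce))
    return results
```

The simulated card consumes the challenge whether or not verification succeeds, so a response can only ever be checked once and the host must request a new nonce for every attempt; that single-use property, not the signature algorithm, is what defeats replay.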