Javatpoint Logo
Javatpoint Logo

Challenge Response Authentication Mechanism (CRAM)

The most popular method for authenticating operations is the Challenge Response Authentication Mechanism (CRAM). They are a collection of protocols in which one side issues a challenge (to be addressed) and the other side is required to respond with the right response (to be verified/checked) in order to be authenticated.

Challenge Response Authentication Mechanism (CRAM)

Challenge questions come in two flavours:

  • As the name implies, static questions take a static approach to the challenge choice. The user can choose his challenge and confirm his identity. Consider the FORGET PASSWORD function in email services as an illustration. The "security question" that you have saved as part of the account setup is a static challenge. It is not anticipated that the right response to those questions would alter over time.
  • Dynamic questions use a dynamic selection and authentication process for the Challenge. The tasks are chosen at random with the assumption that since the user is the genuine one, they will know the correct response.

Methods of CRAM execution -

1. CAPTCHA:

The Fully Automated Public Turing Test to Distinguish Between Computers and People Spam and the automatic creation of new accounts on websites or for email are both stopped by CAPTCHA.

2. Secure Shell, or SSH

SSH is a cryptographic network protocol that enables the secure operation of network services over insecure networks.

3. Password:

The password is transmitted to the server, where it is checked by comparison with the right password.

4. A variation of CRAM called Salted Challenge Response Authentication Mechanism (SCRAM):

To ensure that the password is only used once, the challenge is hashed and salted. Instead than matching the plain text password itself, the server compares the hash against the hash of the correct password. Because the password may only be used once, it cannot be divulged, preventing Man-in-the-Middle and replay attacks.

5. Biometrics:

Every time a user wishes to verify himself, he must provide his unique biometric information (such as a retina scan or fingerprint scan) to the authenticating system for verification.

How to Use Challenge-Response

A challenge-response barrier is a security measure used to keep assets safe from unauthorised users, activities, programmes, and internet of things (IoT) devices. It requires cyber attackers to complete a series of challenges in order to bypass the security barrier and gain access to additional materials. A commercial bank, for example, creates a multifactor authentication (MFA) process using challenge-response authentication. Using multiple CRAMs, this process authenticates a user's identity.

A two-factor authentication (2FA) process might entail entering a password and receiving a code via email. An MFA variant may also ask a personal question, such as "What is your mother's maiden name?" However, account logins aren't the only use of challenge-response authentication.

CRAM Utilise cases

  • To distinguish a computer from a person:

The user is shown an image, which is typically difficult to read at first look, and is then requested to input by deciphering the characters in the image. To stop bots from accessing the system, the input is then compared with the actual characters.

  • In training Machine Learning models:

An image is cut up and confused before being submitted to the user for some form of human user-verifiable authentication. The input is used to validate user input. The user's response and the answer provided by the ML model are compared. The "task" is to choose the correct parts from the jumbled-up image. in Google CAPTCHA authentication frequently observed.

  • For the purpose of login (authentication):

The proper password, which is already saved on the server you are attempting to access, is compared (directly or indirectly) with the one you entered to see if they match.

Typical CRAM attacks include:

  • Eavesdropping
  • Phishing Attacks
  • Pharming Attacks
  • Man-In-The-Middle Attacks
  • DNS Cache Poisoning Attacks
  • Trojans Attacks
  • Man-In-The-Phone Attacks
  • Browser Poisoning Attacks
  • Dictionary Attacks
  • Brute-Force Attacks
  • zero-knowledge password proof
  • Reusable password attacks

Limitations -

One fundamental issue with passwords is that they are used repeatedly. When a password is received by the server, the server cannot determine whether or not the password is being entered by the real user.

Newer CRAMs also use cryptography to match the hash of the passwords rather than the plain passwords.

Some cryptographic CRAM examples -

  • SCRAM is an abbreviation for Salted Challenge Response Authentication Mechanism.
  • CRAM-MD5
Next TopicExtended Access List




Youtube For Videos Join Our Youtube Channel: Join Now

Feedback

Help Others, Please Share

facebook twitter pinterest

Learn Latest Tutorials

Splunk tutorial

Splunk
SPSS tutorial

SPSS
Swagger tutorial

Swagger
T-SQL tutorial

Transact-SQL
Tumblr tutorial

Tumblr
React tutorial

ReactJS
Regex tutorial

Regex
Reinforcement learning tutorial

Reinforcement Learning
R Programming tutorial

R Programming
RxJS tutorial

RxJS
React Native tutorial

React Native
Python Design Patterns

Python Design Patterns
Python Pillow tutorial

Python Pillow
Python Turtle tutorial

Python Turtle
Keras tutorial

Keras

Preparation

Aptitude

Aptitude
Logical Reasoning

Reasoning
Verbal Ability

Verbal Ability
Interview Questions

Interview Questions
Company Interview Questions

Company Questions

Trending Technologies

Artificial Intelligence

Artificial Intelligence
AWS Tutorial

AWS
Selenium tutorial

Selenium
Cloud Computing

Cloud Computing
Hadoop tutorial

Hadoop
ReactJS Tutorial

ReactJS
Data Science Tutorial

Data Science
Angular 7 Tutorial

Angular 7
Blockchain Tutorial

Blockchain
Git Tutorial

Git
Machine Learning Tutorial

Machine Learning
DevOps Tutorial

DevOps

B.Tech / MCA

DBMS tutorial

DBMS
Data Structures tutorial

Data Structures
DAA tutorial

DAA
Operating System

Operating System
Computer Network tutorial

Computer Network
Compiler Design tutorial

Compiler Design
Computer Organization and Architecture

Computer Organization
Discrete Mathematics Tutorial

Discrete Mathematics
Ethical Hacking

Ethical Hacking
Computer Graphics Tutorial

Computer Graphics
Software Engineering

Software Engineering
html tutorial

Web Technology
Cyber Security tutorial

Cyber Security
Automata Tutorial

Automata
C Language tutorial

C Programming
C++ tutorial

C++
Java tutorial

Java
.Net Framework tutorial

.Net
Python tutorial

Python
List of Programs

Programs
Control Systems tutorial

Control System
Data Mining Tutorial

Data Mining
Data Warehouse Tutorial

Data Warehouse