A commonly used authentication protocol consisting of the following four steps:

  • The client sends a message to the server declaring his identity and requests authentication.
  • The server sends a challenge to the client consisting of some random value x.
  • The client computes h(password,x) and sends it back as the response. Here h is a hash function with the property that it is essentially impossible to figure out password even if you know both x and h(password,x).
  • The server also computes h(password,x) and compares it with the response it got from the client.
This term is being used in a somewhat different way than is traditional in the growing anti-spam efforts of ISP's and software developers.

Rather than providing an automated method to validate a client, this form of challenge-response forces a non-automated validation, by design.

The basic mechanism is as follows:
  • All of a person's e-mail is received by an intermediate system, either a separate server or an application running on their computer
  • The intermediate server/application holds the e-mail temporarily, instead of presenting it immediately to the user
  • A challenge e-mail is sent back to the source e-mail address, in a form such as a link to a web page containing an anti-OCR graphic of a set of characters, which the sender must type in
  • Once the challenge has been properly answered, the sender's mail is delivered and the sender is whitelisted for future mail
The basic assumption underpinning the effectiveness of challenge-response against spam is that it adds the necessity of a spammer investing human time into every e-mail sent, making mass-mailing impractical. It also directly eliminates spam which has a spoofed or false "from" address, a common spammer tactic.

Log in or register to write something here or to contact authors.