Home/ Questions/Q 3427854
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T06:53:17+00:00

I’m interested in creating a challenge / response type process in Delphi. The scenario

  • 0

I’m interested in creating a challenge / response type process in Delphi. The scenario is this…we have 2 computers…1 belongs to the user and 1 belongs to a support technician.

The user is locked out of a certain program, and in order to gain 1 time access, I want:

  1. The user to be presented with a challenge phrase, such as “28394LDJA9281DHQ” or some type of reasonably unique value
  2. The user will call support staff and read this challenge (after the support staff has validated their identity)
  3. The support person will type this challenge value into a program on their system which will generate a response, something equally as unique as the response, such as “9232KLSDF92SD”
  4. The user types in the response and the program determines whether or not this is a valid response.
  5. If it is, the user is granted 1 time access to the application.

Now, how to do this is my question? I will have 2 applications that will not have networked access to one another. Is there any functionality within Windows that can help me with this task?

I believe that I can use some functionality within CryptoAPI, but I really am not certain where to begin. I’d appreciate any help you could offer.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would implement a MD5 based Challenge-Response authentication.

    From wikipedia http://en.wikipedia.org/wiki/CRAM-MD5

    Protocol

    1. Challenge: In CRAM-MD5 authentication, the server first sends
      a challenge string to the client.
    2. Response: The client responds with a username followed by a space
      character and then a 16-byte digest in
      hexadecimal notation. The digest is
      the output of HMAC-MD5 with the user’s
      password as the secret key, and the
      server’s original challenge as the
      message.
    3. Comparison: The server uses the same method to compute the expected
      response. If the given response and
      the expected response match then
      authentication was successful.

    This provides three important types of
    security.

    1. First, others cannot duplicate the hash without knowing the password.
      This provides authentication.
    2. Second, others cannot replay the hash—it is dependent on the
      unpredictable challenge. This is
      variously called freshness or replay
      prevention.
    3. Third, observers do not learn the password. This is called secrecy.

    The two important features of this
    protocol that provide these three
    security benefits are the one-way hash
    and the fresh random challenge.

    Additionally, you may add some application-identification into the challenge string, for a double check on the sender of the challenge.

    Important: it has some weaknesses, evaluate carefully how they may affect you.

    • 0