I'm interested in creating a challenge / response type process in Delphi. The scenario is this: we have 2 computers, 1 belongs to the user and 1 belongs to a support technician.
The user is locked out of a certain program, and in order to gain 1 time access, I want:
Now, how to do this is my question. I will have 2 applications that will not have networked access to one another. Is there any functionality within Windows that can help me with this task?
I believe that I can use some functionality within CryptoAPI, but I really am not certain where to begin. I'd appreciate any help you could offer.
I would implement an MD5-based Challenge-Response authentication.
From Wikipedia (http://en.wikipedia.org/wiki/CRAM-MD5):
Protocol
- Challenge: In CRAM-MD5 authentication, the server first sends a challenge string to the client.
- Response: The client responds with a username followed by a space character and then a 16-byte digest in hexadecimal notation. The digest is the output of HMAC-MD5 with the user's password as the secret key, and the server's original challenge as the message.
- Comparison: The server uses the same method to compute the expected response. If the given response and the expected response match then authentication was successful.
This provides three important types of security.
- First, others cannot duplicate the hash without knowing the password. This provides authentication.
- Second, others cannot replay the hash—it is dependent on the unpredictable challenge. This is variously called freshness or replay prevention.
- Third, observers do not learn the password. This is called secrecy.
The two important features of this protocol that provide these three security benefits are the one-way hash and the fresh random challenge.
Additionally, you may add some application-identification into the challenge string, for a double check on the sender of the challenge.
Important: it has some weaknesses, evaluate carefully how they may affect you.
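The exchange described in the answer above, as an added example that is not part of the original post or the answerer's code. It is written in Python rather than Delphi purely to show the protocol steps end to end; the names `APP_ID`, `ChallengeVerifier`, `make_challenge`, `compute_response` and the shared secret value are all constructed for this illustration. The locked program plays the CRAM-MD5 "server" role (it issues the challenge and checks the response), the technician's tool plays the "client" role (it computes HMAC-MD5 over the challenge with the shared secret), and the user carries the two strings between the machines by reading them aloud or typing them in. The verifier remembers which challenges it has issued and consumes each one on first use, which is what makes the access one-time and stops a recorded response from being replayed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a short identifier embedded in the challenge so the technician's
# tool can confirm which application asked for help (the "application-identification"
# the answer suggests). Constructed for this example.
APP_ID = "MyApp"


def make_challenge(app_id: str, nonce: Optional[bytes] = None) -> str:
    """Built on the locked program's machine. The random nonce makes each
    challenge fresh; the app_id prefix lets the other side sanity-check the sender."""
    if nonce is None:
        nonce = secrets.token_bytes(8)
    return f"{app_id}-{nonce.hex()}"


def challenge_is_from_app(challenge: str, app_id: str) -> bool:
    """Technician-side check before computing anything: does the challenge
    carry the expected application prefix and a plausible hex nonce?"""
    prefix = f"{app_id}-"
    if not challenge.startswith(prefix):
        return False
    nonce_hex = challenge[len(prefix):]
    try:
        return len(bytes.fromhex(nonce_hex)) == 8
    except ValueError:
        return False


def compute_response(shared_secret: bytes, challenge: str) -> str:
    """Computed on the technician's machine: HMAC-MD5 keyed with the shared secret,
    over the challenge text. The 16-byte digest is returned as 32 hex characters,
    exactly as CRAM-MD5 specifies. Swap hashlib.md5 for hashlib.sha256 to get the
    same protocol on a stronger hash."""
    return hmac.new(shared_secret, challenge.encode("ascii"), hashlib.md5).hexdigest()


class ChallengeVerifier:
    """State kept by the locked program between issuing a challenge and
    receiving the typed-in response."""

    def __init__(self, app_id: str, shared_secret: bytes) -> None:
        self.app_id = app_id
        self.secret = shared_secret
        self.pending = set()  # challenges issued but not yet used

    def issue(self, nonce: Optional[bytes] = None) -> str:
        challenge = make_challenge(self.app_id, nonce)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        # A challenge the program never issued, or one already consumed, is
        # rejected outright: this is the replay protection.
        if challenge not in self.pending:
            return False
        # One attempt per challenge: consume it whether or not the response is
        # right, so a wrong guess forces a fresh challenge.
        self.pending.discard(challenge)
        expected = compute_response(self.secret, challenge)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, response.strip().lower())


if __name__ == "__main__":
    # Constructed shared secret; in practice both programs must hold the same value.
    secret = b"constructed-shared-secret-for-demo"
    program = ChallengeVerifier(APP_ID, secret)

    challenge = program.issue()                    # shown to the user on screen
    print("User reads out:      ", challenge)
    assert challenge_is_from_app(challenge, APP_ID)
    response = compute_response(secret, challenge)  # technician's tool output
    print("Technician reads back:", response)
    print("Access granted:       ", program.verify(challenge, response))
    print("Replay attempt:       ", program.verify(challenge, response))
```

The nonce parameter on `make_challenge` and `issue` exists only so the flow can be reproduced deterministically when testing; leave it unset in real use so `secrets.token_bytes` supplies the randomness.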