W O R K S H O P

September 6, 1999
Challenge/Response Authentication

Challenge/response authentication is a simple concept. Fear not: it doesn't necessarily require public key cryptography and its associated PKI. If you're running any modern NOS, it's already implemented in your file and print services. But because simplicity was always the goal, most Internet protocols tend to favor plain-text authentication by default. Written long before packet sniffers were a dime a dozen, Internet protocols like POP and IMAP don't take advantage of challenge/response algorithms by default.

In most network protocols user authentication is a simple process: the password serves as a one-factor authentication mechanism. It proves the user's identity via something only the user knows. To authenticate to the server, the user enters an account ID (username) and the corresponding password. The server compares the submitted password to its own stored copy of the user's password, and if the two match, the user is authenticated.

In a challenge/response algorithm, the server prompts the user for authentication with a challenge (usually a long string of ASCII characters). But instead of asking the user to transmit a password, the server expects the user's client application to perform a one-way hash of the challenge and the user's password. The server also has a copy of the user's password, so it performs the same operation and compares the result with the user's response. If the two match, the user is authenticated.

The advantage is that the user's response is the product of a one-way hash of the password and the server's challenge, so it's useless if intercepted. The server is supposed to generate a new challenge for each new connection, thus making each response unique. The strength of the one-way hash makes it impractical to reverse-engineer the original password. MD5 and SHA-1 are the most common hashing algorithms in use in network protocols today, and of the two SHA-1 is theoretically the stronger.
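The exchange described above, as an added example written for this page (it is not code from the column or from any real protocol such as CRAM-MD5): the server issues a fresh random challenge, the client returns a one-way hash of challenge and password, and the server recomputes the same hash from its stored copy of the password. The credential store, username and password are constructed sample values. It also shows why the per-connection challenge matters: a response captured from one session does not verify against the next session's challenge. SHA-256 is used in place of the MD5/SHA-1 the column mentions, since those are no longer recommended for new designs.

```python
"""Minimal challenge/response authentication (illustrative code for this page).

Server side: make_challenge(), verify()
Client side: compute_response()
"""
import hashlib
import hmac
import secrets

# Constructed sample credential store. As the column notes, the server must keep
# its own copy of the password so it can recompute the expected response; that
# copy is therefore a sensitive secret in its own right and must be protected.
USER_DB = {"alice": "correct horse battery staple"}


def make_challenge(nbytes: int = 16) -> str:
    """Server: a fresh, unpredictable challenge for each connection.

    secrets (not random) so the challenge cannot be guessed ahead of time.
    """
    return secrets.token_hex(nbytes)


def compute_response(challenge: str, password: str) -> str:
    """Client: one-way hash over challenge and password.

    The password never leaves the client; only this digest is sent. The
    separator prevents ambiguity between where the challenge ends and the
    password begins.
    """
    material = (challenge + ":" + password).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def verify(username: str, challenge: str, response: str) -> bool:
    """Server: recompute the response from the stored password and compare.

    compare_digest is a constant-time comparison, so response-length or
    byte-by-byte timing differences do not leak information.
    """
    password = USER_DB.get(username)
    if password is None:
        return False
    expected = compute_response(challenge, password)
    return hmac.compare_digest(expected, response)


def authenticate(username: str, password: str) -> tuple:
    """Run one complete exchange; returns (authenticated, challenge, response)."""
    challenge = make_challenge()          # server -> client
    response = compute_response(challenge, password)  # client -> server
    return verify(username, challenge, response), challenge, response


def replay_is_rejected(username: str, password: str) -> bool:
    """A response sniffed from one session is useless against a new session,
    because the server issues a different challenge next time."""
    ok, _old_challenge, captured_response = authenticate(username, password)
    if not ok:
        return False
    new_challenge = make_challenge()
    return not verify(username, new_challenge, captured_response)


if __name__ == "__main__":
    ok, challenge, response = authenticate("alice", "correct horse battery staple")
    print("challenge:", challenge)
    print("response: ", response)
    print("authenticated:", ok)
    print("captured response rejected on next connection:",
          replay_is_rejected("alice", "correct horse battery staple"))
```

Note that the scheme only protects the password in transit. The server-side copy is still a plain password, and a sniffed challenge/response pair can be tested offline against password guesses, so a weak password remains weak; the hash makes recovery impractical only when the password itself has enough entropy.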