HMAC based challenge-response authentication

Question

Would a challenge response HMAC authentication be secure?

i.e.

1. Client sends id
2. Server sends a challenge(32byte value)
3. Client calculates hmac_sha256 of the challenge value with its key and sends the reply
4. Server verifies the reply

Answer 1

That's as secure as a symmetric challenge-response authentication can be. Some remarks:

• In an authentication protocol, the only assurance is that the authenticated party participated in the protocol. It could well be that there's a man-in-the-middle.
• Step 1 (sending client ID) can be coalesced into 3 if all clients have to authenticate that way regardless of ID.
• At step 2, the server's challenge should be unique and unpredictable. Making that reliable is less easy than it seems.
• At step 4, the server must be able to get or regenerate the client's key, from a database of random keys, or a master key and a key derivation function.

The big problems are

• Said database or master key could leak for the server, and poof goes all security. One good mitigation is to use a security token (HSM, Smart Card..) in the server, programmed so that it can only check the response to challenges.
• The ultimate solution from the standpoint of avoiding server leaks is when there is noting secret in there. Challenge/response replacing HMAC with a signature allows just that.
• Authentication is one thing, securing what follows next is better. That's why we have authentication-and-key-agreement protocols. Good ones resist man-in-the-middle.
• The client's key (symmetric or asymmetric) can be compromised on the client side. A password (and proper password-based key derivation) to encipher the key-at-rest in the client might help, but is less convenient than directly using the password as an authentication mean. That's why we have SRP and ISO/IEC 11770-4.